Описание
Security update for cups
This update for cups fixes the following issues:
Update to version 2.4.16.
Security issues fixed:
- CVE-2025-61915: local denial-of-service via cupsd.conf update and related issues (bsc#1253783).
- CVE-2025-58436: slow client communication leads to a possible DoS attack (bsc#1244057).
- CVE-2025-58364: unsafe deserialization and validation of printer attributes can cause a null dereference (bsc#1249128).
- CVE-2025-58060: authentication bypass with AuthType Negotiate (bsc#1249049).
Other updates and bugfixes:
-
Version upgrade to 2.4.16:
- 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences, potentially reading past the end of the source string (Issue #1438)
- The web interface did not support domain usernames fully (Issue #1441)
- Fixed an infinite loop issue in the GTK+ print dialog (Issue #1439 boo#1254353)
- Fixed stopping scheduler on unknown directive in configuration (Issue #1443)
- Fixed packages for Immutable Mode (jsc#PED-14775 from epic jsc#PED-14688)
-
Version upgrade to 2.4.15:
- Fixed potential crash in 'cups-driverd' when there are duplicate PPDs (Issue #1355)
- Fixed error recovery when scanning for PPDs in 'cups-driverd' (Issue #1416)
-
Version upgrade to 2.4.14.
-
Version upgrade to 2.4.13:
- Added 'print-as-raster' printer and job attributes for forcing rasterization (Issue #1282)
- Updated documentation (Issue #1086)
- Updated IPP backend to try a sanitized user name if the printer/server does not like the value (Issue #1145)
- Updated the scheduler to send the "printer-added" or "printer-modified" events whenever an IPP Everywhere PPD is installed (Issue #1244)
- Updated the scheduler to send the "printer-modified" event whenever the system default printer is changed (Issue #1246)
- Fixed a memory leak in 'httpClose' (Issue #1223)
- Fixed missing commas in 'ippCreateRequestedArray' (Issue #1234)
- Fixed subscription issues in the scheduler and D-Bus notifier (Issue #1235)
- Fixed media-default reporting for custom sizes (Issue #1238)
- Fixed support for IPP/PPD options with periods or underscores (Issue #1249)
- Fixed parsing of real numbers in PPD compiler source files (Issue #1263)
- Fixed scheduler freezing with zombie clients (Issue #1264)
- Fixed support for the server name in the ErrorLog filename (Issue #1277)
- Fixed job cleanup after daemon restart (Issue #1315)
- Fixed handling of buggy DYMO USB printer serial numbers (Issue #1338)
- Fixed unreachable block in IPP backend (Issue #1351)
- Fixed memory leak in _cupsConvertOptions (Issue #1354)
-
Version upgrade to 2.4.12:
- GnuTLS follows system crypto policies now (Issue #1105)
- Added
NoSystemSSLOptions value (Issue #1130) - Now we raise alert for certificate issues (Issue #1194)
- Added Kyocera USB quirk (Issue #1198)
- The scheduler now logs a job's debugging history if the backend fails (Issue #1205)
- Fixed a potential timing issue with
cupsEnumDests(Issue #1084) - Fixed a potential "lost PPD" condition in the scheduler (Issue #1109)
- Fixed a compressed file error handling bug (Issue #1070)
- Fixed a bug in the make-and-model whitespace trimming code (Issue #1096)
- Fixed a removal of IPP Everywhere permanent queue if installation failed (Issue #1102)
- Fixed
ServerToken Nonein scheduler (Issue #1111) - Fixed invalid IPP keyword values created from PPD option names (Issue #1118)
- Fixed handling of "media" and "PageSize" in the same print request (Issue #1125)
- Fixed client raster printing from macOS (Issue #1143)
- Fixed the default User-Agent string.
- Fixed a recursion issue in
ippReadIO. - Fixed handling incorrect radix in
scan_ps()(Issue #1188) - Fixed validation of dateTime values with time zones more than UTC+11 (Issue #1201)
- Fixed attributes returned by the Create-Xxx-Subscriptions requests (Issue #1204)
- Fixed
ippDateToTimewhen using a non GMT/UTC timezone (Issue #1208) - Fixed
job-completedevent notifications for jobs that are cancelled before started (Issue #1209) - Fixed DNS-SD discovery with
ippfind(Issue #1211)
Список пакетов
openSUSE Leap 16.0
Ссылки
- SUSE Security Ratings
- SUSE Bug 1244057
- SUSE Bug 1249049
- SUSE Bug 1249128
- SUSE Bug 1253783
- SUSE Bug 1254353
- SUSE CVE CVE-2025-58060 page
- SUSE CVE CVE-2025-58364 page
- SUSE CVE CVE-2025-58436 page
- SUSE CVE CVE-2025-61915 page
Описание
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, when the `AuthType` is set to anything but `Basic`, if the request contains an `Authorization: Basic ...` header, the password is not checked. This results in authentication bypass. Any configuration that allows an `AuthType` that is not `Basic` is affected. Version 2.4.13 fixes the issue.
Затронутые продукты
Ссылки
- CVE-2025-58060
- SUSE Bug 1249049
Описание
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, an unsafe deserialization and validation of printer attributes causes null dereference in the libcups library. This is a remote DoS vulnerability available in local subnet in default configurations. It can cause the cups & cups-browsed to crash, on all the machines in local network who are listening for printers (so by default for all regular linux machines). On systems where the vulnerability CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was not fixed, and the firewall on the machine does not reject incoming communication to IPP port, and the machine is set to be available to public internet, attack vector "Network" is possible. The current versions of CUPS and cups-browsed projects have the attack vector "Adjacent" in their default configurations. Version 2.4.13 contains a patch for CVE-2025-58364.
Затронутые продукты
Ссылки
- CVE-2025-58364
- SUSE Bug 1249128
Описание
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a client that connects to cupsd but sends slow messages, e.g. only one byte per second, delays cupsd as a whole, such that it becomes unusable by other clients. This issue has been patched in version 2.4.15.
Затронутые продукты
Ссылки
- CVE-2025-58436
- SUSE Bug 1244057
Описание
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a user in the lpadmin group can use the cups web ui to change the config and insert a malicious line. Then the cupsd process which runs as root will parse the new config and cause an out-of-bound write. This issue has been patched in version 2.4.15.
Затронутые продукты
Ссылки
- CVE-2025-61915
- SUSE Bug 1253783