MGASA-2013-0004
Date: January 6th, 2013
Affected releases: 2
Description:
While the CUPS socket activation code was being refactored to use
systemd's socket activation capability, a security flaw was found in
the way the CUPS service honoured the Listen localhost:631 cupsd.conf
configuration option. The setting was recognized properly on
IPv4-enabled systems, but was not correctly applied on IPv6-enabled
systems. As a result, a remote attacker could use this flaw to obtain
(unauthorized) access to the CUPS web-based administration interface.
(CVE-2012-6094)
The fix for now is to not enable IP-based systemd socket activation
by default.
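As an added example (not part of the advisory or the packaged code), the following Python check compares the Listen directives in a cupsd.conf with the ListenStream entries of a systemd socket unit and reports TCP endpoints the unit opens beyond loopback. The file contents are constructed samples and the function names are hypothetical; the check relies on systemd treating a bare port number in ListenStream as an IPv6 wildcard bind.

```python
import ipaddress
import re

def _is_loopback(host):
    """True for 'localhost' or a loopback IP literal (brackets allowed)."""
    host = host.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # '*' or any other name: treat as network-reachable

def exposed_endpoints(text, directive):
    """Return TCP endpoints of `directive` that are not loopback-only."""
    exposed = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(rf"{directive}\b\s*=?\s*(\S+)$", line, re.IGNORECASE)
        if not m or m.group(1).startswith("/"):  # skip AF_UNIX socket paths
            continue
        host, sep, _port = m.group(1).rpartition(":")
        # A bare port (ListenStream=631) binds the IPv6 wildcard address.
        if not sep or not _is_loopback(host):
            exposed.append(m.group(1))
    return exposed

def socket_unit_widens_exposure(cupsd_conf, socket_unit):
    """Endpoints the socket unit opens although cupsd.conf is loopback-only."""
    if exposed_endpoints(cupsd_conf, "Listen"):
        return []  # cupsd.conf itself already listens on the network
    return exposed_endpoints(socket_unit, "ListenStream")

# Constructed sample inputs, not taken from the Mageia packages.
CUPSD_CONF = """\
Listen localhost:631
Listen /var/run/cups/cups.sock
"""
SOCKET_UNIT_IP = """\
[Socket]
ListenStream=/var/run/cups/cups.sock
ListenStream=631
"""
SOCKET_UNIT_LOCAL = """\
[Socket]
ListenStream=/var/run/cups/cups.sock
"""

if __name__ == "__main__":
    print(socket_unit_widens_exposure(CUPSD_CONF, SOCKET_UNIT_IP))
    print(socket_unit_widens_exposure(CUPSD_CONF, SOCKET_UNIT_LOCAL))
```

An empty result for the second unit corresponds to the state this update ships, with IP-based socket activation not enabled by default.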
Further, this update should correct possible printing problems with the
following printers since the update to cups 1.5.4 as part of security
fix MGASA-2012-0359:
Canon, Inc. PIXMA iP4200
Canon, Inc. PIXMA iP4300
Canon, Inc. MP500
Canon, Inc. MP510
Canon, Inc. MP550
Canon, Inc. MP560
Brother Industries, Ltd, HL-1430 Laser Printer
Brother Industries, Ltd, HL-1440 Laser Printer
Oki Data Corp. Okipage 14ex Printer
Oki Data Corp. B410d
Xerox Phaser 3124
All Zebra devices
Additionally, patches have been added to fix printing from newer Apple
devices and to correct an error in the %post script which prevented the
cups service from starting when freshly installed.
Updated Packages:
cups-1.5.4-1.3.mga2
cups-common-1.5.4-1.3.mga2
cups-serial-1.5.4-1.3.mga2
lib(64)cups2-1.5.4-1.3.mga2
lib(64)cups2-devel-1.5.4-1.3.mga2
php-cups-1.5.4-1.3.mga2
References:
http://seclists.org/oss-sec/2013/q1/16
https://bugzilla.novell.com/show_bug.cgi?id=795624
https://bugzilla.redhat.com/show_bug.cgi?id=891942
http://www.cups.org/str.php?L4155
http://www.cups.org/str.php?L4191
http://www.cups.org/str.php?L4217
https://bugs.launchpad.net/bugs/711779
https://bugs.mageia.org/show_bug.cgi?id=8318
https://bugs.mageia.org/show_bug.cgi?id=8507