ESB-2018.1932 - [Debian] cups: Multiple vulnerabilities 2018-07-04

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1932
                     [DLA 1412-1] cups security update
                                4 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           cups
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-18248 CVE-2017-18190

Reference:         ESB-2018.1603
                   ESB-2018.0640
                   ESB-2018.0516

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2018/07/msg00003.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : cups
Version        : 1.7.5-11+deb8u3
CVE ID         : CVE-2017-18190 CVE-2017-18248

Two vulnerabilities affecting the cups printing server were found
which can lead to arbitrary IPP command execution and denial of
service.

CVE-2017-18190

    A localhost.localdomain whitelist entry in valid_host() in
    scheduler/client.c in CUPS before 2.2.2 allows remote attackers to
    execute arbitrary IPP commands by sending POST requests to the
    CUPS daemon in conjunction with DNS rebinding. The
    localhost.localdomain name is often resolved via a DNS server
    (neither the OS nor the web browser is responsible for ensuring
    that localhost.localdomain is 127.0.0.1).
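    To illustrate the Host-header check described for CVE-2017-18190, the
    following is an added, simplified example and not CUPS's own
    valid_host() code: a weak validator that whitelists
    localhost.localdomain beside a hardened one that accepts only loopback
    names that are never resolved via DNS plus the configured ServerName
    (the name list, the 256-byte buffer and the server_name parameter are
    assumptions of this illustration).

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Names that are not looked up in DNS: loopback literals and "localhost".
 * (Assumed list for this illustration, not CUPS's own configuration.) */
static const char *loopback_names[] = { "localhost", "127.0.0.1", "[::1]", NULL };

/* ASCII case-insensitive string equality, as hostnames compare. */
static bool equal_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

/* Copy the name part of a Host header value into buf, dropping any ":port"
 * suffix; an IPv6 literal keeps its brackets ("[::1]:631" -> "[::1]"). */
static bool host_without_port(const char *host, char *buf, size_t buflen) {
    const char *end = host + strlen(host);
    const char *bracket = (host[0] == '[') ? strchr(host, ']') : NULL;
    const char *colon = strrchr(bracket ? bracket : host, ':');
    size_t n;
    if (colon) end = colon;
    n = (size_t)(end - host);
    if (n == 0 || n >= buflen) return false;
    memcpy(buf, host, n);
    buf[n] = '\0';
    return true;
}

/* Hardened pattern: only loopback names that bypass DNS, plus the configured
 * ServerName (server_name is an assumed parameter here). */
bool valid_host_strict(const char *host, const char *server_name) {
    char name[256];
    const char **p;
    if (!host_without_port(host, name, sizeof name)) return false;
    for (p = loopback_names; *p; p++)
        if (equal_nocase(name, *p)) return true;
    return equal_nocase(name, server_name);
}

/* Weak pattern: additionally trusts "localhost.localdomain", whose mapping to
 * 127.0.0.1 nothing on the host guarantees, so a DNS answer decides. */
bool valid_host_weak(const char *host, const char *server_name) {
    char name[256];
    if (!host_without_port(host, name, sizeof name)) return false;
    if (equal_nocase(name, "localhost.localdomain")) return true;
    return valid_host_strict(host, server_name);
}
```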

CVE-2017-18248

    The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when
    D-Bus support is enabled, can be crashed by remote attackers by
    sending print jobs with an invalid username, related to a D-Bus
    notification.

For Debian 8 "Jessie", these problems have been fixed in version
1.7.5-11+deb8u3.

We recommend that you upgrade your cups packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================