-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2013:034 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : cups Date : April 5, 2013 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated cups packages fixes bugs and security vulnerabilities: During the process of CUPS socket activation code refactoring in favour of systemd capability a security flaw was found in the way CUPS service honoured Listen localhost:631 cupsd.conf configuration option. The setting was recognized properly for IPv4-enabled systems, but failed to be correctly applied for IPv6-enabled systems. As a result, a remote attacker could use this flaw to obtain (unauthorized) access to the CUPS web-based administration interface (CVE-2012-6094). The fix for now is to not enable IP-based systemd socket activation by default. This update adds a patch to correct printing problems with some USB connected printers in cups 1.5.4. Further, this update should correct possible printing problems with the following printers since the update to cups 1.5.4. Canon, Inc. PIXMA iP4200 Canon, Inc. PIXMA iP4300 Canon, Inc. MP500 Canon, Inc. MP510 Canon, Inc. MP550 Canon, Inc. MP560 Brother Industries, Ltd, HL-1430 Laser Printer Brother Industries, Ltd, HL-1440 Laser Printer Oki Data Corp. Okipage 14ex Printer Oki Data Corp. B410d Xerox Phaser 3124 All Zebra devices Additionally, patches have been added to fix printing from newer apple devices and to correct an error in the \%post script which prevented the cups service from starting when freshly installed. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6094 https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0004 https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0244 _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 22ad3c19cc176891f254e5790e7e7e46 mbs1/x86_64/cups-1.5.4-1.1.mbs1.x86_64.rpm 5cad70e9e106847daf5388602935be87 mbs1/x86_64/cups-common-1.5.4-1.1.mbs1.x86_64.rpm a1bca7ac4b67c7e772ceb824e1190364 mbs1/x86_64/cups-serial-1.5.4-1.1.mbs1.x86_64.rpm 264190cf1f165dfdb46faa0e7f552ba2 mbs1/x86_64/lib64cups2-1.5.4-1.1.mbs1.x86_64.rpm f49fb184abab1efa7bf9e305535cd5c7 mbs1/x86_64/lib64cups2-devel-1.5.4-1.1.mbs1.x86_64.rpm bba301db543453de3c4866889c90db7c mbs1/x86_64/php-cups-1.5.4-1.1.mbs1.x86_64.rpm c68861ca8c504c902f6b7f2fc30826ef mbs1/SRPMS/cups-1.5.4-1.1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFRXqHYmqjQ0CJFipgRAp+dAKD1tEIrhgBKyFkl9RxqU/b/0eL/jwCgmWRu JvVlHKsOtpeF2zU7vMblKXw= =lGWJ -----END PGP SIGNATURE-----