-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1188
            A vulnerability was discovered and corrected in cups
                              14 December 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           cups
Publisher:         Mandriva
Operating System:  Mandriva Linux
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data  -- Existing Account
                   Modify Arbitrary Files  -- Existing Account
                   Create Arbitrary Files  -- Existing Account
                   Unauthorised Access     -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5519

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Mandriva. It is recommended that administrators
         running cups check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2012:179
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : cups
 Date    : December 12, 2012
 Affected: 2011., Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in cups:

 CUPS 1.4.4, when running in certain Linux distributions such as Debian
 GNU/Linux, stores the web interface administrator key in
 /var/run/cups/certs/0 using certain permissions, which allows local users
 in the lpadmin group to read or write arbitrary files as root by
 leveraging the web interface (CVE-2012-5519).

 The updated packages have been patched to correct this issue.
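The advisory names the file involved, /var/run/cups/certs/0, but not how to tell whether a running system is affected. The POSIX shell script below is an added example, not part of the Mandriva or AusCERT text, that audits the owner, group and mode of that file and flags it when members of the lpadmin group (or anyone) can read it. It assumes that readability by lpadmin or by everyone is the condition to flag, that GNU stat is available, and that the path can be overridden through the CUPS_CERT environment variable; all three are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit the permissions on the CUPS
# web-interface administrator certificate named in MDVSA-2012:179.
# Assumptions made here, not stated by the advisory:
#   - the condition to flag is that the file is readable by the lpadmin
#     group or by everyone;
#   - GNU stat (-c) is available; BSD/macOS stat uses a different syntax.

CUPS_CERT="${CUPS_CERT:-/var/run/cups/certs/0}"

# has_read_bit DIGIT : true if one octal permission digit has the read bit set.
has_read_bit() {
    [ "$(( $1 & 4 ))" -ne 0 ]
}

# cert_exposed GROUP MODE : exit 0 if a file owned by GROUP with octal MODE
# (e.g. "lpadmin 640" or "lpadmin 0640") is readable by the lpadmin group or
# by other users; exit 1 otherwise.
cert_exposed() {
    group="$1"
    mode="$2"
    # Left-pad short modes so the group/other digits can be sliced safely.
    while [ "${#mode}" -lt 3 ]; do mode="0$mode"; done
    # Last digit = other, second-to-last = group.
    other="${mode#"${mode%?}"}"
    rest="${mode%?}"
    grp="${rest#"${rest%?}"}"
    if has_read_bit "$other"; then
        return 0                      # world-readable
    fi
    if [ "$group" = lpadmin ] && has_read_bit "$grp"; then
        return 0                      # lpadmin members can read the key
    fi
    return 1
}

# audit_cert [FILE] : read the live owner/group/mode and report.
# Exit 0 = not exposed, 1 = exposed, 2 = file absent or unreadable.
audit_cert() {
    file="${1:-$CUPS_CERT}"
    if [ ! -e "$file" ]; then
        echo "$file: not present (cupsd not running, or certs stored elsewhere)"
        return 2
    fi
    info=$(stat -c '%U %G %a' "$file") || return 2
    set -- $info
    if cert_exposed "$2" "$3"; then
        echo "$file: $1:$2 mode $3 - readable by lpadmin or everyone; apply the vendor update"
        return 1
    fi
    echo "$file: $1:$2 mode $3 - not readable by lpadmin"
    return 0
}

# Run the audit when executed directly; never abort the script on a finding.
audit_cert "$CUPS_CERT" || :
```

Run it as root on the host being checked (the certs directory is normally not readable by ordinary users); exit status 1 means the file is exposed and the vendor update should be applied, 2 means the file could not be examined.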
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5519
 http://www.cups.org/str.php?L4223
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2011:
 621faa1bcabbfe6c820f34d323b15ed6  2011/i586/cups-1.4.8-2.2-mdv2011.0.i586.rpm
 67c994f6deab1ec43abfc03bc469fde3  2011/i586/cups-common-1.4.8-2.2-mdv2011.0.i586.rpm
 0eb1e071e924b8fbcba7782c861d0faa  2011/i586/cups-serial-1.4.8-2.2-mdv2011.0.i586.rpm
 d82bafdbffa2843e8c87f44ff38f09bd  2011/i586/libcups2-1.4.8-2.2-mdv2011.0.i586.rpm
 b91e9da16dc9d1dbc69ad8a32c591609  2011/i586/libcups2-devel-1.4.8-2.2-mdv2011.0.i586.rpm
 76d0886860017257283b49f07948c8a2  2011/i586/php-cups-1.4.8-2.2-mdv2011.0.i586.rpm
 15055e0d0e17ea5189cf29590e535c95  2011/SRPMS/cups-1.4.8-2.2.src.rpm

 Mandriva Linux 2011/X86_64:
 63a3439642483ba8b58964b050440eb7  2011/x86_64/cups-1.4.8-2.2-mdv2011.0.x86_64.rpm
 667e8c1b429aa470a25cce5bcaa58a81  2011/x86_64/cups-common-1.4.8-2.2-mdv2011.0.x86_64.rpm
 2acfd14c74298e32bca2c2d63f50078b  2011/x86_64/cups-serial-1.4.8-2.2-mdv2011.0.x86_64.rpm
 124d5cba345b9f712b123a9e426629a2  2011/x86_64/lib64cups2-1.4.8-2.2-mdv2011.0.x86_64.rpm
 4c427f6d8051690096192651701d63cc  2011/x86_64/lib64cups2-devel-1.4.8-2.2-mdv2011.0.x86_64.rpm
 cf9ef4e6d1e4c5902915e51ab6443778  2011/x86_64/php-cups-1.4.8-2.2-mdv2011.0.x86_64.rpm
 15055e0d0e17ea5189cf29590e535c95  2011/SRPMS/cups-1.4.8-2.2.src.rpm

 Mandriva Enterprise Server 5:
 7a7947b4348b46d88771c86d71bf93a8  mes5/i586/cups-1.3.10-0.6mdvmes5.2.i586.rpm
 6be2cef2bb36f325fd2f39c382c691b5  mes5/i586/cups-common-1.3.10-0.6mdvmes5.2.i586.rpm
 7797b6be2eda38cbe9b02aafdcf4382d  mes5/i586/cups-serial-1.3.10-0.6mdvmes5.2.i586.rpm
 341ec5bea5633ff702737e0bc41e866a  mes5/i586/libcups2-1.3.10-0.6mdvmes5.2.i586.rpm
 73c5dedc648f96b4cc596aae5a91d888  mes5/i586/libcups2-devel-1.3.10-0.6mdvmes5.2.i586.rpm
 f4f93fb5602887b9d89d6f9824170d96  mes5/i586/php-cups-1.3.10-0.6mdvmes5.2.i586.rpm
 25d5330e8744ddd498da35eb63d9c423  mes5/SRPMS/cups-1.3.10-0.6mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 4245234df94e9a8b3b2b5cea86c84b9f  mes5/x86_64/cups-1.3.10-0.6mdvmes5.2.x86_64.rpm
 ba51ee8a0d66e4241da0728aaabd9ec2  mes5/x86_64/cups-common-1.3.10-0.6mdvmes5.2.x86_64.rpm
 5e0b48292098166e884cd4e39b68211e  mes5/x86_64/cups-serial-1.3.10-0.6mdvmes5.2.x86_64.rpm
 b6259d9d194e3f2944ccb691d331109e  mes5/x86_64/lib64cups2-1.3.10-0.6mdvmes5.2.x86_64.rpm
 9a631b030200ffad1f6765d07b63faad  mes5/x86_64/lib64cups2-devel-1.3.10-0.6mdvmes5.2.x86_64.rpm
 b575b13ff39b05c14922702bec3acfcc  mes5/x86_64/php-cups-1.3.10-0.6mdvmes5.2.x86_64.rpm
 25d5330e8744ddd498da35eb63d9c423  mes5/SRPMS/cups-1.3.10-0.6mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFQyI3wmqjQ0CJFipgRAvI+AJwLllv72jGuBMfZvcrwmtUdioHA3QCdHKOK
xlTaJDfD2DO3j2YqWIOaX0Y=
=lwFY
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUMqgV+4yVqjM2NGpAQInpQ//WkU/w7cKayTuQy60zvilVcAX9j8l1+RC
RBCyrd6A2FRYEb++zzKueBVdNQZJe6+CHFQzi45grO9uapauWnn0lifF3TYhDl0c
qvoCqL0S99SRQ0Clf4hNbdwpb2GjaR/Fl8xSevd5ZkfId5ibQQ7/pbmmXTaMKQU2
E3iQAGRWn/iqt8H+TkK8WL7zbhK/YKRjjtG+kVuRhOpeDklpkOz6Vh61wxYN7s74
+wa9KRDSiJpXeRxoswQU6cQ5jM9HLHyamSEihVSjS295T2S/a6b/PLZEJEIriuF5
HhCFaqv8a0cwzQuInyaFtXeC+qJXcEMM2Uil/VOIjiAkXVOId+gnUpPC8bhGVF4I
GDvs94LH4g3A+OtUP8VcDutMkuz5WqWj1iCGyhFMv0/5jNPbnhVwjraoyjGmI1zg
kyiQNqAeI8R0/gxsUVcNfEDD5OPjqKbLle4iz8ceHZ0QruJg/tN5TFJcn+phV9IV
ukN6SVNxQWwxYIcb9gIZR5lpkKd9qSsliAIw7wTewEB883EnnJr3/Mha45KHrrEw
l/IrDKWTgqqCFcFF52BYkOSw02c2LxQyZrJKa4BfJOVVHyfVKsJQMRWhWo3hKixU
zEusVzK6vRt00grgs7opPXb5CB4DNz1mRoTxql3iKkO2vJg1DGgeJV968SbJbeRJ
iwX0TPDR8tY=
=zOz6
-----END PGP SIGNATURE-----