Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2013.0493 Updated cups packages fixes bugs and security vulnerabilities 9 April 2013 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: cups Publisher: Mandriva Operating System: Mandriva Linux UNIX variants (UNIX, Linux, OSX) Impact/Access: Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2012-6094 Original Bulletin: http://www.mandriva.com/en/support/security/advisories/ Comment: This advisory references vulnerabilities in products which run on platforms other than Mandriva. It is recommended that administrators running cups check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2013:034 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : cups Date : April 5, 2013 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated cups packages fixes bugs and security vulnerabilities: During the process of CUPS socket activation code refactoring in favour of systemd capability a security flaw was found in the way CUPS service honoured Listen localhost:631 cupsd.conf configuration option. The setting was recognized properly for IPv4-enabled systems, but failed to be correctly applied for IPv6-enabled systems. As a result, a remote attacker could use this flaw to obtain (unauthorized) access to the CUPS web-based administration interface (CVE-2012-6094). The fix for now is to not enable IP-based systemd socket activation by default. This update adds a patch to correct printing problems with some USB connected printers in cups 1.5.4. Further, this update should correct possible printing problems with the following printers since the update to cups 1.5.4. Canon, Inc. PIXMA iP4200 Canon, Inc. PIXMA iP4300 Canon, Inc. MP500 Canon, Inc. MP510 Canon, Inc. MP550 Canon, Inc. MP560 Brother Industries, Ltd, HL-1430 Laser Printer Brother Industries, Ltd, HL-1440 Laser Printer Oki Data Corp. Okipage 14ex Printer Oki Data Corp. B410d Xerox Phaser 3124 All Zebra devices Additionally, patches have been added to fix printing from newer apple devices and to correct an error in the \%post script which prevented the cups service from starting when freshly installed. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6094 https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0004 https://wiki.mageia.org/en/Support/Advisories/MGAA-2012-0244 _______________________________________________________________________ Updated Packages: Mandriva Business Server 1/X86_64: 22ad3c19cc176891f254e5790e7e7e46 mbs1/x86_64/cups-1.5.4-1.1.mbs1.x86_64.rpm 5cad70e9e106847daf5388602935be87 mbs1/x86_64/cups-common-1.5.4-1.1.mbs1.x86_64.rpm a1bca7ac4b67c7e772ceb824e1190364 mbs1/x86_64/cups-serial-1.5.4-1.1.mbs1.x86_64.rpm 264190cf1f165dfdb46faa0e7f552ba2 mbs1/x86_64/lib64cups2-1.5.4-1.1.mbs1.x86_64.rpm f49fb184abab1efa7bf9e305535cd5c7 mbs1/x86_64/lib64cups2-devel-1.5.4-1.1.mbs1.x86_64.rpm bba301db543453de3c4866889c90db7c mbs1/x86_64/php-cups-1.5.4-1.1.mbs1.x86_64.rpm c68861ca8c504c902f6b7f2fc30826ef mbs1/SRPMS/cups-1.5.4-1.1.mbs1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/en/support/security/advisories/ If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iD8DBQFRXqHYmqjQ0CJFipgRAp+dAKD1tEIrhgBKyFkl9RxqU/b/0eL/jwCgmWRu JvVlHKsOtpeF2zU7vMblKXw= =lGWJ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUWNoZO4yVqjM2NGpAQIYMg/+OTyB3tVF0PhaZjcpvOJQpM+5QYqAMziU WNUJTewXGAV2IhkqOYjWoI9esFDwCRj/iqZDTD+StdF5lrFN58BLdmVxq45vgjUF MAerJ2sRi16+aP3VEHybw3lTImOY61c8jgRgk81uCjwBDIRENukfHBI0jfQKrGcp 0hrW0axFcbffPj9Ue0hXiu3IUKfAkPIpV2znIOzttSDPcp4VIi6xeu9mAPJYh59Z LKMu4NUSdZCskvvGsSRVIc5xT8CxcDNvMNowC8//A9FuWPdQyXsSaidovfQu0MSp Z0MTvIjsyviqtHXmwX148lU4Exi7Y/h7f5/MIPk/QDoPVg/ytQZUztRmOKCF/GoG 0EQ2M6BsLxEm0mh9PH9Uf2BZ1A7B8XF9VAc4bKZxfnPmAp8gBLZcLnW40DSKy298 hLkzOkn7NPwguFb2pzgZGyVtlk5qeeaAN0UOCzQgpMtJsC2HwCbdX1yuj1JygVPL 3TIv+leM9u9xoQ30DSU7jIYRBnJg4Fa7BTcE6kuF8vU5kniHxiy3M7lTJGDbA3k7 LkCcerRy5rg2BlOM0+n3Kp69lX03xu0juokTfE/YdnHBd76xWBqS3w8uW0IfipG2 mARmS8GIeMPc9vmLgSoXYqNrGOYaprjLZp0z7h+7WqySgT6j282Ybd4FlXoHtWqB jtyrkVONIvA= =0A3h -----END PGP SIGNATURE-----