Security Advisory Moderate: cups security update

Advisory: RHSA-2009:1595-2
Type: Security Advisory
Severity: Moderate
Issued on: 2009-11-18
Last updated on: 2010-01-12
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.4.z server)
CVEs (cve.mitre.org): CVE-2009-2820
CVE-2009-3553

Details

Updated cups packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

[Updated 12th January 2010]
The packages list in this erratum has been updated to include missing i386
packages for Red Hat Enterprise Linux Desktop and RHEL Desktop Workstation.

The Common UNIX Printing System (CUPS) provides a portable printing layer
for UNIX operating systems.

A use-after-free flaw was found in the way CUPS handled reference counts in
its abstract file descriptor handling interface. A remote attacker could
send a specially-crafted query for the list of current print jobs on a
specific printer, causing a denial of service (cupsd crash).
(CVE-2009-3553)

Several cross-site scripting (XSS) flaws were found in the way the CUPS web
server interface processed HTML form content. If a remote attacker could
trick a local user who is logged into the CUPS web interface into visiting
a specially-crafted HTML page, the attacker could retrieve and potentially
modify confidential CUPS administration data. (CVE-2009-2820)

Red Hat would like to thank Aaron Sigel of Apple Product Security for
responsibly reporting the CVE-2009-2820 issue.

Users of cups are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
update, the cupsd daemon will be restarted automatically.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
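Once the update has been applied, the useful check is that every installed cups package on the host is at or above the fixed build, cups-1.3.7-11.el5_4.4. Comparing version strings lexically gets this wrong (release "8.el5" sorts after "11.el5_4.4" as text), so the following added example, which is not part of this advisory or of Red Hat's tooling, reimplements rpm's segment-wise version comparison (rpmvercmp, numeric segments compared as integers, alpha segments as strings, "~" sorting before everything, the newer "^" operator omitted) and applies it to the output of rpm -q. The query format string, the package list and the sample rpm output are assumptions constructed for the example; the "(none)" epoch and the "package ... is not installed" line are what rpm prints on RHEL 5 in those cases.

```python
import re
import shutil
import subprocess

# Fixed build from this erratum (RHSA-2009:1595); epoch is unset, i.e. 0.
FIXED_EVR = "1.3.7-11.el5_4.4"
CUPS_PACKAGES = ["cups", "cups-libs", "cups-lpd", "cups-devel"]
RPM_QUERY_FORMAT = "%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n"

# Constructed sample of `rpm -q --qf RPM_QUERY_FORMAT <packages>` output,
# not captured from a real host: two packages still below the fixed build,
# one already fixed, one not installed.
SAMPLE_RPM_OUTPUT = """\
cups (none):1.3.7-11.el5_4.3
cups-libs (none):1.3.7-11.el5_4.4
cups-lpd (none):1.3.7-8.el5
package cups-devel is not installed
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm does.

    Returns -1, 0 or 1. Separators such as '.' and '_' only delimit
    segments; numeric segments beat alphabetic ones; '~' sorts before
    anything, including the end of the string (so 1.0~rc1 < 1.0).
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(seg_a), len(seg_b))):
        x = seg_a[i] if i < len(seg_a) else None
        y = seg_b[i] if i < len(seg_b) else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:               # a ran out first: a is older
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():           # numeric segment is newer than alpha
            return 1
        elif y.isdigit():
            return -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def split_evr(evr):
    """Split 'epoch:version-release' into fields; missing epoch is 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    if epoch == "(none)":           # rpm --qf '%{EPOCH}' output when unset
        epoch = "0"
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(split_evr(a), split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def vulnerable_packages(rpm_output, fixed=FIXED_EVR):
    """Return (name, evr) for each installed package older than `fixed`."""
    found = []
    for line in rpm_output.splitlines():
        fields = line.split()
        if len(fields) != 2 or " is not installed" in line:
            continue                # skip rpm's "not installed" notice
        name, evr = fields
        if evr_cmp(evr, fixed) < 0:
            found.append((name, ":".join(evr.split(":")[1:]) if ":" in evr else evr))
    return found


if __name__ == "__main__":
    if shutil.which("rpm"):
        out = subprocess.run(["rpm", "-q", "--qf", RPM_QUERY_FORMAT] + CUPS_PACKAGES,
                             capture_output=True, text=True).stdout
    else:
        out = SAMPLE_RPM_OUTPUT       # offline: fall back to the constructed sample
    for name, evr in vulnerable_packages(out):
        print("%s-%s is older than %s: update required" % (name, evr, FIXED_EVR))
```

The query deliberately asks rpm for the epoch: a package with a non-zero epoch is newer than any epoch-less one regardless of its version, which is why the comparison starts there.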

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
cups-1.3.7-11.el5_4.4.src.rpm
File outdated by:  RHSA-2013:0580
    MD5: 335f168720bb0aa448e5704a24e784de
 
IA-32:
cups-devel-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 27e038a2e2580cfcc56bf9f026a4ca4c
 
x86_64:
cups-devel-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 27e038a2e2580cfcc56bf9f026a4ca4c
cups-devel-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: a95f973b13c772c5b9df50630ca267de
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
cups-1.3.7-11.el5_4.4.src.rpm
File outdated by:  RHSA-2013:0580
    MD5: 335f168720bb0aa448e5704a24e784de
 
IA-32:
cups-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 64c5483301aa3a63f941db85b7c981de
cups-devel-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 27e038a2e2580cfcc56bf9f026a4ca4c
cups-libs-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 784d13d0e284652af5060bf743469fa0
cups-lpd-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: a5db089a3595172f4cb973e227f10b2a
 
IA-64:
cups-1.3.7-11.el5_4.4.ia64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 481ec2f8fe1736d50db2e0b1b85fe67b
cups-devel-1.3.7-11.el5_4.4.ia64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 9789ad80ce5fd2504caa249bc2b5c57f
cups-libs-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 784d13d0e284652af5060bf743469fa0
cups-libs-1.3.7-11.el5_4.4.ia64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 00feac06366a36bfaf2f5f594329ed84
cups-lpd-1.3.7-11.el5_4.4.ia64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 477eaee9e27de37c97df7d45dc206985
 
PPC:
cups-1.3.7-11.el5_4.4.ppc.rpm
File outdated by:  RHSA-2013:0580
    MD5: d43d2c81a24624778279cbc14e42361c
cups-devel-1.3.7-11.el5_4.4.ppc.rpm
File outdated by:  RHSA-2013:0580
    MD5: 3c0c001ce9b9a7fd65ed67b9914a9963
cups-devel-1.3.7-11.el5_4.4.ppc64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 480deed9460a3223556b34139bea3117
cups-libs-1.3.7-11.el5_4.4.ppc.rpm
File outdated by:  RHSA-2013:0580
    MD5: aa5ff3380575fd2628f8c2b30fefea16
cups-libs-1.3.7-11.el5_4.4.ppc64.rpm
File outdated by:  RHSA-2013:0580
    MD5: f8c3db33ef8b138d6eff6ff5439240b1
cups-lpd-1.3.7-11.el5_4.4.ppc.rpm
File outdated by:  RHSA-2013:0580
    MD5: 902c8e36219667d8f0141a281e602cf3
 
s390x:
cups-1.3.7-11.el5_4.4.s390x.rpm
File outdated by:  RHSA-2013:0580
    MD5: 9588ffff77a9dd1f66268f71b26816e1
cups-devel-1.3.7-11.el5_4.4.s390.rpm
File outdated by:  RHSA-2013:0580
    MD5: 5e4e656505a3df98b62940712885a608
cups-devel-1.3.7-11.el5_4.4.s390x.rpm
File outdated by:  RHSA-2013:0580
    MD5: ef477c47249fa9e7658b8009675e8b7f
cups-libs-1.3.7-11.el5_4.4.s390.rpm
File outdated by:  RHSA-2013:0580
    MD5: 4fa5f8194e51628ebf9cfc27bf97d47f
cups-libs-1.3.7-11.el5_4.4.s390x.rpm
File outdated by:  RHSA-2013:0580
    MD5: c7b127eccc7271f079e818e54bec5e31
cups-lpd-1.3.7-11.el5_4.4.s390x.rpm
File outdated by:  RHSA-2013:0580
    MD5: e5aea07497aeca8a72eaba8dbc6dd41a
 
x86_64:
cups-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 8a208275abeb91cb11bf1df566011fd2
cups-devel-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 27e038a2e2580cfcc56bf9f026a4ca4c
cups-devel-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: a95f973b13c772c5b9df50630ca267de
cups-libs-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 784d13d0e284652af5060bf743469fa0
cups-libs-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 2f37e016361e176873b02b50bd4ede40
cups-lpd-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 367c2af298107fdf93f95544a133542e
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
cups-1.3.7-11.el5_4.4.src.rpm
File outdated by:  RHSA-2013:0580
    MD5: 335f168720bb0aa448e5704a24e784de
 
IA-32:
cups-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 64c5483301aa3a63f941db85b7c981de
cups-libs-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 784d13d0e284652af5060bf743469fa0
cups-lpd-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: a5db089a3595172f4cb973e227f10b2a
 
x86_64:
cups-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 8a208275abeb91cb11bf1df566011fd2
cups-libs-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2013:0580
    MD5: 784d13d0e284652af5060bf743469fa0
cups-libs-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 2f37e016361e176873b02b50bd4ede40
cups-lpd-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 367c2af298107fdf93f95544a133542e
 
Red Hat Enterprise Linux EUS (v. 5.4.z server)

SRPMS:
cups-1.3.7-11.el5_4.4.src.rpm
File outdated by:  RHSA-2013:0580
    MD5: 335f168720bb0aa448e5704a24e784de
 
IA-32:
cups-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2010:0129
    MD5: 64c5483301aa3a63f941db85b7c981de
cups-devel-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2010:0129
    MD5: 27e038a2e2580cfcc56bf9f026a4ca4c
cups-libs-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2010:0129
    MD5: 784d13d0e284652af5060bf743469fa0
cups-lpd-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2010:0129
    MD5: a5db089a3595172f4cb973e227f10b2a
 
IA-64:
cups-1.3.7-11.el5_4.4.ia64.rpm
File outdated by:  RHSA-2010:0129
    MD5: 481ec2f8fe1736d50db2e0b1b85fe67b
cups-devel-1.3.7-11.el5_4.4.ia64.rpm
File outdated by:  RHSA-2010:0129
    MD5: 9789ad80ce5fd2504caa249bc2b5c57f
cups-libs-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2010:0129
    MD5: 784d13d0e284652af5060bf743469fa0
cups-libs-1.3.7-11.el5_4.4.ia64.rpm
File outdated by:  RHSA-2010:0129
    MD5: 00feac06366a36bfaf2f5f594329ed84
cups-lpd-1.3.7-11.el5_4.4.ia64.rpm
File outdated by:  RHSA-2010:0129
    MD5: 477eaee9e27de37c97df7d45dc206985
 
PPC:
cups-1.3.7-11.el5_4.4.ppc.rpm
File outdated by:  RHSA-2010:0129
    MD5: d43d2c81a24624778279cbc14e42361c
cups-devel-1.3.7-11.el5_4.4.ppc.rpm
File outdated by:  RHSA-2010:0129
    MD5: 3c0c001ce9b9a7fd65ed67b9914a9963
cups-devel-1.3.7-11.el5_4.4.ppc64.rpm
File outdated by:  RHSA-2010:0129
    MD5: 480deed9460a3223556b34139bea3117
cups-libs-1.3.7-11.el5_4.4.ppc.rpm
File outdated by:  RHSA-2010:0129
    MD5: aa5ff3380575fd2628f8c2b30fefea16
cups-libs-1.3.7-11.el5_4.4.ppc64.rpm
File outdated by:  RHSA-2010:0129
    MD5: f8c3db33ef8b138d6eff6ff5439240b1
cups-lpd-1.3.7-11.el5_4.4.ppc.rpm
File outdated by:  RHSA-2010:0129
    MD5: 902c8e36219667d8f0141a281e602cf3
 
s390x:
cups-1.3.7-11.el5_4.4.s390x.rpm
File outdated by:  RHSA-2010:0129
    MD5: 9588ffff77a9dd1f66268f71b26816e1
cups-devel-1.3.7-11.el5_4.4.s390.rpm
File outdated by:  RHSA-2010:0129
    MD5: 5e4e656505a3df98b62940712885a608
cups-devel-1.3.7-11.el5_4.4.s390x.rpm
File outdated by:  RHSA-2010:0129
    MD5: ef477c47249fa9e7658b8009675e8b7f
cups-libs-1.3.7-11.el5_4.4.s390.rpm
File outdated by:  RHSA-2010:0129
    MD5: 4fa5f8194e51628ebf9cfc27bf97d47f
cups-libs-1.3.7-11.el5_4.4.s390x.rpm
File outdated by:  RHSA-2010:0129
    MD5: c7b127eccc7271f079e818e54bec5e31
cups-lpd-1.3.7-11.el5_4.4.s390x.rpm
File outdated by:  RHSA-2010:0129
    MD5: e5aea07497aeca8a72eaba8dbc6dd41a
 
x86_64:
cups-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2010:0129
    MD5: 8a208275abeb91cb11bf1df566011fd2
cups-devel-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2010:0129
    MD5: 27e038a2e2580cfcc56bf9f026a4ca4c
cups-devel-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2010:0129
    MD5: a95f973b13c772c5b9df50630ca267de
cups-libs-1.3.7-11.el5_4.4.i386.rpm
File outdated by:  RHSA-2010:0129
    MD5: 784d13d0e284652af5060bf743469fa0
cups-libs-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2010:0129
    MD5: 2f37e016361e176873b02b50bd4ede40
cups-lpd-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2010:0129
    MD5: 367c2af298107fdf93f95544a133542e
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

529833 - CVE-2009-2820 cups: Several XSS flaws in forms processed by CUPS web interface
530111 - CVE-2009-3553 cups: Use-after-free (crash) due to improper reference counting in abstract file descriptors handling interface


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package
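The MD5 values in the package list above let you confirm that a downloaded file is the one the erratum describes (no truncation, no wrong build); they are not an authenticity check, since MD5 is collision-prone and the digests are published alongside the packages. The GPG signature is the check that ties a package to Red Hat, and rpm -K (the same as rpm --checksig) verifies it against the imported key. The following added example, which is not part of this advisory or of Red Hat's tooling, parses the advisory's own filename / "File outdated by" / MD5 listing into a table, compares files in a download directory against it, and runs rpm -K on each file when rpm is present. The excerpt is copied from the x86_64 section above; the directory layout and the helper names are assumptions made for the example.

```python
import hashlib
import os
import shutil
import subprocess

# Excerpt of this advisory's "Updated packages" listing, in the same
# three-line format the page uses.
ADVISORY_EXCERPT = """\
x86_64:
cups-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 8a208275abeb91cb11bf1df566011fd2
cups-libs-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 2f37e016361e176873b02b50bd4ede40
cups-lpd-1.3.7-11.el5_4.4.x86_64.rpm
File outdated by:  RHSA-2013:0580
    MD5: 367c2af298107fdf93f95544a133542e
"""


def parse_package_list(text):
    """Map each .rpm filename in an advisory listing to its published MD5.

    A filename that appears under several architecture headings (i386
    packages are repeated under x86_64) must carry the same digest every
    time; a conflicting digest means the listing was mis-copied.
    """
    expected = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(".rpm"):
            current = line
        elif line.startswith("MD5:") and current is not None:
            digest = line[len("MD5:"):].strip().lower()
            if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
                raise ValueError("malformed MD5 for %s: %r" % (current, digest))
            if expected.get(current, digest) != digest:
                raise ValueError("conflicting MD5 for %s" % current)
            expected[current] = digest
            current = None
    return expected


def md5_of_file(path):
    """Stream the file through MD5 so large packages are not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, expected):
    """Sort every listed package into ok / mismatch / missing for `directory`."""
    report = {"ok": [], "mismatch": [], "missing": []}
    for name, digest in sorted(expected.items()):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif md5_of_file(path) == digest:
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    return report


def rpm_checksig(path):
    """Run `rpm -K` on one file; (passed, output), or None if rpm is absent."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(["rpm", "-K", path], capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout.strip()


if __name__ == "__main__":
    download_dir = "."              # assumed: the packages were saved here
    report = verify_downloads(download_dir, parse_package_list(ADVISORY_EXCERPT))
    for state, names in report.items():
        for name in names:
            print("%-9s %s" % (state, name))
    for name in report["ok"]:        # digest matched; now the check that matters
        result = rpm_checksig(os.path.join(download_dir, name))
        if result is not None:
            print("rpm -K %s: %s" % ("passed" if result[0] else "FAILED", result[1]))
```

A file that passes the MD5 check but fails rpm -K must not be installed; the digest only proves it is the same bytes the advisory page lists, and the page is not the trust root, the signing key is.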

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/