[SECURITY] Fedora 11 Update: cups-1.4.4-4.fc11

updates at fedoraproject.org
Fri Jun 25 18:10:49 UTC 2010


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-10066
2010-06-21 11:49:15
--------------------------------------------------------------------------------

Name        : cups
Product     : Fedora 11
Version     : 1.4.4
Release     : 4.fc11
URL         : http://www.cups.org/
Summary     : Common Unix Printing System
Description :
The Common UNIX Printing System provides a portable printing layer for
UNIX® operating systems. It has been developed by Easy Software Products
to promote a standard printing solution for all UNIX vendors and users.
CUPS provides the System V and Berkeley command-line interfaces.

--------------------------------------------------------------------------------
Update Information:

New upstream release fixing several security issues: CVE-2010-0540,
CVE-2010-0542, CVE-2010-1748.
--------------------------------------------------------------------------------
ChangeLog:

* Thu Jun 24 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.4-4
- Use gnutls again but disable threading (bug #607159).
* Tue Jun 22 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.4-3
- Removed dependency on ghostscript-cups package.  The pstoraster
  filter is not in that package until Fedora 13.
* Fri Jun 18 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.4-2
- Re-enabled SSL support by using OpenSSL instead of gnutls.
* Fri Jun 18 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.4-1
- 1.4.4.  Fixes several security vulnerabilities (bug #605399):
  CVE-2010-0540, CVE-2010-0542, CVE-2010-1748.  No longer need str3503,
  str3399, str3505, str3541, str3425p2 or CVE-2010-0302 patches.
- Fix lpd provides.
- Added comments for all sources and patches.
- Reset status after successful ipp job (bug #548219, STR #3460).
- Install udev rules in correct place (bug #530378).
- Removed unapplied gnutls-gcrypt-threads patch.  Fixed typos in
  descriptions for lpd and php sub-packages.
- Add an SNMP query for Ricoh's device ID OID (STR #3552).
- Mark DNS-SD Device IDs that have been guessed at with "FZY:1;".
- Add an SNMP query for HP's device ID OID (STR #3552).
- Don't mark initscript as config file.
- Use %{_initddir}, %{_sysconfdir} and SMP make flags.
- Use mode 0755 for binaries and libraries where appropriate.
- Removed use of prereq and buildprereq.
- Fixed use of '%' in changelog.
- Versioned explicit obsoletes/provides.
- Use tabs throughout.
- Install udev rules in correct place (bug #530378).
- Fix locale code for Norwegian (bug #520379).
- Fixed cups.init to be LSB compliant (bug #521641)
- Changed cups.init to be LSB compliant (bug #521641), i.e.
  return code "2" (instead of "3") if invalid arguments
  return code "4" if restarting service under nonprivileged user
  return code "5" if cupsd not exist or is not executable
  return code "6" if cupsd.conf not exist
- Use password-auth common PAM configuration instead of system-auth
  when available.
- Fixed 'service cups status' to check for correct subsys name
  (bug #521641).
- Renumbered patches and sources.
- Use upstream method of handling SNMP quirks in PPDs (STR #3551,
  bug #581825).
- Added back still useful str3425.patch.
  Second part of STR #3425 is still not fixed in 1.4.3
- Use numeric addresses for interfaces unless HostNameLookups are
  turned on (bug #583054).
- Handle SNMP supply level quirks (bug #581825).
- No longer need CVE-2009-3553, str3381, str3390, str3391,
  str3403, str3407, str3413, str3418, str3422, str3425,
  str3428, str3431, str3435, str3436, str3439, str3440,
  str3442, str3448, str3458, str3460, cups-sidechannel-intrs,
  negative-snmp-string-length, cups-media-empty-warning patches.
* Tue May 18 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.2-31
- Adjust texttops output to be in natural orientation (STR #3563).
  This fixes page-label orientation when texttops is used in the
  filter chain (bug #572338).
* Fri Apr 16 2010 Jiri Popelka <jpopelka at redhat.com> 1:1.4.2-30
- Fixed str3541.patch
- Added Require: ghostscript (bug #572701)
* Wed Mar 31 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.2-29
- Another BrowsePoll fix: handle EAI_NODATA as well (bug #567353).
* Tue Mar 30 2010 Jiri Popelka <jpopelka at redhat.com> 1:1.4.2-28
- Fixed lpstat to adhere to -o option (bug #577901, STR #3541).
* Wed Mar 10 2010 Jiri Popelka <jpopelka at redhat.com> 1:1.4.2-27
- Fixed (for the third time) patch for STR #3425 to correctly
  remove job info files in /var/spool/cups (bug #571830).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #591983 - CVE-2010-1748 cups: web interface memory disclosure
        https://bugzilla.redhat.com/show_bug.cgi?id=591983
  [ 2 ] Bug #605397 - cups: latent privilege escalation vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=605397
  [ 3 ] Bug #587746 - CVE-2010-0542 CUPS: texttops unchecked memory allocation failure leading to NULL pointer dereference
        https://bugzilla.redhat.com/show_bug.cgi?id=587746
  [ 4 ] Bug #588805 - CVE-2010-0540 CUPS administrator web interface CSRF
        https://bugzilla.redhat.com/show_bug.cgi?id=588805
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update cups' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

