[SECURITY] Fedora 11 Update: cups-1.4.2-26.fc11

updates at fedoraproject.org
Sat Mar 13 02:30:06 UTC 2010


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-2743
2010-02-24 04:56:45
--------------------------------------------------------------------------------

Name        : cups
Product     : Fedora 11
Version     : 1.4.2
Release     : 26.fc11
URL         : http://www.cups.org/
Summary     : Common Unix Printing System
Description :
The Common UNIX Printing System provides a portable printing layer for
UNIX® operating systems. It has been developed by Easy Software Products
to promote a standard printing solution for all UNIX vendors and users.
CUPS provides the System V and Berkeley command-line interfaces.

--------------------------------------------------------------------------------
Update Information:

This update addresses a denial of service security issue (CVE-2010-0302) as well
as fixing several other small problems:

  * classes.conf is now updated when a class member is deleted.
  * the usermode dependency has been removed.
  * the udev rules are now installed in the correct location.
  * cups-config now has no multilib conflict.
  * the ipp backend now clears the printer status on completion.
  * cupsGetNamedDest() is no longer confused by old configuration files.
  * the scheduler no longer treats SIGPIPE as a filter error.
  * the gcrypt threading patch has been reverted.
  * the package no longer owns filesystem-owned directories.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Mar  5 2010 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-26
- Applied patch for CVE-2010-0302 (incomplete fix for CVE-2009-3553,
  bug #557775).
* Tue Mar  2 2010 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-25
- Don't own filesystem locale directories (bug #569403).
- Don't apply gcrypt threading patch (bug #553834).
- Don't treat SIGPIPE as an error (bug #569770).
* Wed Feb 24 2010 Jiri Popelka <jpopelka at redhat.com> 1:1.4.2-24
- Fixed cupsGetNamedDest() so it falls back to the real default
  printer when a default from configuration file does not exist (bug #565569, STR #3503).
* Tue Feb 23 2010 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-23
- Update classes.conf when a class member printer is deleted
  (bug #565878, STR #3505).
* Tue Feb 23 2010 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-22
- Re-initialize the resolver if getnameinfo() returns EAI_AGAIN
  (bug #567353).
* Fri Jan 15 2010 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-21
- Reset status after successful ipp job (bug #548219, STR #3460).
* Wed Dec 23 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-20
- Fixed patch for STR #3425 again by adding in back-ported change from
  svn revision 8929 (bug #549899).  No longer need
  delete-active-printer patch.
* Tue Dec 22 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-19
- Fixed ipp authentication for servers requiring authentication for
  IPP-Get-Printer-Attributes (bug #548873, STR #3458).
* Mon Dec 21 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-18
- Ensure proper thread-safety in gnutls's use of libgcrypt
  (bug #544619).
* Sat Dec 19 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-17
- Fixed patch for STR #3425 by adding in back-ported change from svn
  revision 8936 (bug #548904).
* Thu Dec 10 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-16
- Fixed invalid read in cupsAddDest (bug #537460).
* Wed Dec  9 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-15
- Use upstream patch to fix scheduler crash when an active printer was
  deleted (rev 8914).
* Tue Dec  8 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-14
- The scheduler did not use the Get-Job-Attributes policy for a
  printer (STR #3431).
- The scheduler added two job-name attributes to each job object
  (STR #3428).
- The scheduler did not clean out completed jobs when
  PreserveJobHistory was turned off (STR #3425).
- The web interface did not show completed jobs (STR #3436).
- Authenticated printing did not always work when printing directly to
  a remote server (STR #3435).
- Use upstream patch to stop the network backends incorrectly clearing
  the media-empty-warning state (rev 8896).
- Use upstream patch to fix interrupt handling in the side-channel
  APIs (rev 8896).
- Use upstream patch to handle negative SNMP string lengths (rev 8896).
- Use upstream fix for SNMP detection (bug #542857, STR #3413).
- Use the text filter for text/css files (bug #545026, STR #3442).
- Show conflicting option values in web UI (bug #544326, STR #3440).
- Use upstream fix for adjustment of conflicting options
  (bug #533426, STR #3439).
* Tue Dec  8 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-13
- Moved %{_datadir}/cups/ppdc/*.h to the main package (bug #545348).
* Fri Dec  4 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-12
- The web interface prevented conflicting options from being adjusted
  (bug #533426, STR #3439).
* Thu Dec  3 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-11
- Fixes for SNMP scanning with Lexmark printers (bug #542857, STR #3413).
* Mon Nov 23 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-10
- Undo last change as it was incorrect.
* Mon Nov 23 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-9
- Fixed small typos introduced in fix for bug #536741.
* Fri Nov 20 2009 Jiri Popelka <jpopelka at redhat.com> 1:1.4.2-8
- Do not translate russian links showing completed jobs
  (bug #539354, STR #3422).
* Thu Nov 19 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-7
- Applied patch to fix CVE-2009-3553 (bug #530111, STR #3200).
* Tue Nov 17 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-6
- Fixed display of current driver (bug #537182, STR #3418).
- Fixed out-of-memory handling when loading jobs (bug #538054,
  STR #3407).
* Mon Nov 16 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-5
- Fixed typo in admin web template (bug #537884, STR #3403).
- Reset SIGPIPE handler for child processes (bug #537886, STR #3399).
* Mon Nov 16 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-4
- Upstream fix for GNU TLS error handling bug (bug #537883, STR #3381).
* Wed Nov 11 2009 Jiri Popelka <jpopelka at redhat.com> 1:1.4.2-3
- Fixed lspp-patch to avoid memory leak (bug #536741).
* Tue Nov 10 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-2
- Added explicit version dependency on cups-libs to cups-lpd
  (bug #502205).
* Tue Nov 10 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-1
- 1.4.2.  No longer need str3380, str3332, str3356, str3396 patches.
- Removed postscript.ppd.gz (bug #533371).
* Tue Nov  3 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.1-8
- Removed stale patch from STR #2831 which was causing problems with
  number-up (bug #532516).
* Tue Oct 27 2009 Jiri Popelka <jpopelka at redhat.com> 1:1.4.1-7
- Fix incorrectly applied patch from #STR3285 (bug #531108).
- Set the PRINTER_IS_SHARED variable for admin.cgi (bug #529634, #STR3390).
- Pass through serial parameters correctly in web interface (bug #529635, #STR3391).
- Fixed German translation (bug #531144, #STR3396).
* Tue Oct 20 2009 Jiri Popelka <jpopelka at redhat.com> 1:1.4.1-6
- Fix cups-lpd to create unique temporary data files (bug #529838).
* Mon Oct 19 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.1-5
- Fixed German translation (bug #529575, STR #3380).
* Thu Oct  8 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.1-4
- Fixed naming of 'Generic PostScript Printer' entry.
* Wed Oct  7 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.1-3
- Use upstream patch for STR #3356 (bug #526405).
* Fri Oct  2 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.1-2
- Fixed orientation of page labels when printing text in landscape
  mode (bug #520141, STR #3334).
* Wed Sep 30 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.1-1
- 1.4.1.
- Don't use cached PPD for raw queue (bug #526405, STR #3356).
* Fri Sep  4 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.0-2
- Fixed the dnssd backend so that it only reports devices once avahi
  resolution has completed.  This makes it report Device IDs
  (bug #520858).
* Fri Aug 28 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.0-1
- 1.4.0.
* Wed Aug 26 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.20
- Fixed admin.cgi crash when modifying a class (bug #519724,
  STR #3312, patch from Jiri Popelka).
* Wed Aug 26 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.19
- Prevent infinite loop in cupsDoIORequest when processing HTTP
  errors (bug #518065, bug #519663, STR #3311).
- Fixed document-format-supported attribute when
  application/octet-stream is enabled (bug #516507, STR #3308, patch
  from Jiri Popelka).
- Fixed buggy JobKillDelay handling fix (STR #3292).
- Prevent infinite loop in ppdc (STR #3293).
* Fri Aug 21 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.17
- Removed 3-distribution symlink (bug #514244).
* Tue Aug 18 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.16
- Fixed JobKillDelay handling for cancelled jobs (bug #518026,
  STR #3292).
- Use 'exec' to invoke ghostscript in the pstoraster filter.  This
  allows the SIGTERM signal to reach the correct process, as well as
  conserving memory (part of bug #518026).
* Tue Aug 11 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.15
- Avoid empty BrowseLocalProtocols setting (bug #516460, STR #3287).
- Fixed ppds.dat handling of drv files (bug #515027, STR #3279).
- Fixed udev rules file to avoid DEVTYPE warning messages.
- Fixed cupsGetNamedDest() so it does not fall back to the default
  printer when a destination has been named (bug #516439, STR #3285).
- Fixed MIME type rules for image/jpeg and image/x-bitmap
  (bug #516438, STR #3284).
- Clear out cache files on upgrade.
- Require acl.
* Thu Aug  6 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.14
- Ship udev rules to allow libusb to access printer devices.
- Fixed duplex test pages (bug #514898, STR #3277).
- Removed temporary snmp option from socket backend.
* Wed Jul 29 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.12
- Fixed Avahi support in the dnssd backend (bug #513888).
- Fixed incorrect arguments to sigaction() in dnssd backend (STR #3272).
- Cheaply restore compatibility with 1.1.x by having cups_get_sdests()
  perform a CUPS_GET_CLASSES request if it is not sure it is talking
  to CUPS 1.2 or later (bug #512866).
* Tue Jul 28 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.11
- Temporarily added snmp option to socket backend for debugging purposes.
- Prevent ipp backend looping with bad IPP devices (bug #476424,
  STR #3262).
- Fixed Device ID reporting in the usb backend (STR #3266).
* Wed Jul 15 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.10
- Applied patch to prevent bad job control files crashing cupsd on
  start-up (STR #3253, bug #509741).
- Correctly handle CUPS-Get-PPDs requests for models with '+' in their
  names (STR #3254, bug #509586).
- Accept incorrect device URIs in the (non-libusb) usb backend for
  compatibility with Fedora 11 before bug #507244 was fixed.
- Applied patch to fix incorrect device URIs (STR #3259, bug #507244).
- Applied patch to fix job-hold-until for remote queues (STR #3258,
  bug #497376).
* Mon Jul 13 2009 Remi Collet <Fedora at FamilleCollet.com> 1:1.4-0.rc1.9
- add PHP ABI check
- use php_extdir
- add php configuration file (/etc/php.d/cups.ini)
* Fri Jul 10 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.8
- Build does not require aspell-devel (bug #510405).
* Wed Jul  1 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.7
- Fixed template problem preventing current printer option defaults
  from being shown in the web interface (bug #506794, STR #3244).
* Wed Jul  1 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.6
- Fixed lpadmin for remote 1.3.x servers (bug #506977, STR #3231).
* Tue Jun 23 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.5
- Added more debugging output when constructing filter chain.
* Thu Jun 18 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.4
- More complete fix for STR #3229 (bug #506461).
* Wed Jun 17 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.3
- Don't use RPM_SOURCE_DIR macro.
- Fixed add/modify-printer templates which had extra double-quote
  characters, preventing the Continue button from appearing in certain
  browsers (bug #506461, STR #3229).
* Wed Jun 17 2009 Tim Waugh <twaugh at redhat.com> 1:1.4-0.rc1.1
- 1.4rc1.  No longer need str3124, CVE-2009-0163, CVE-2009-0164,
  str3197, missing-devices patches.
- Disabled avahi patch for the time being.  More work is needed to
  port this to rc1.
- Removed wbuffer patch as it is not needed (see STR #1968).
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #557775 - CVE-2010-0302 cups Incomplete fix for CVE-2009-3553
        https://bugzilla.redhat.com/show_bug.cgi?id=557775
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update cups' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------