[Fedora] Vulnerability in CUPS up to version 1.3.9 - FEDORA-2008-10895

Dear colleagues,

we have just received the following Fedora Security Advisory. We are
passing this information on to you unchanged.

CVE-2008-5183 – Denial of Service via RSS Feeds in CUPS

The CUPS daemon (cupsd) can be made to dereference a null pointer when
too many RSS subscriptions are added via the web interface. This crashes
the daemon (denial of service). The vulnerability requires successful
authentication as a user (but see CVE-2008-5184).
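
The failure class described above, as an added example that is not CUPS source code and not part of the advisory: a simplified model in which the subscription table returns NULL once its limit is reached, with a caller that ignores that result next to one that checks it. All names (`sub_add`, `handle_subscribe_*`, `MAX_SUBSCRIPTIONS`) and the `rss://` strings are hypothetical, and the mechanism is an assumption about how such a limit typically fails.

```c
#include <stddef.h>
#include <string.h>
#define MAX_SUBSCRIPTIONS 4   /* hypothetical limit, kept small for the demo */
typedef struct { int id; char recipient[64]; } subscription_t;
static subscription_t table[MAX_SUBSCRIPTIONS];
static size_t num_subs = 0;

/* Hands out the next slot, or NULL once the limit is reached. */
static subscription_t *sub_add(void)
{
    if (num_subs >= MAX_SUBSCRIPTIONS)
        return NULL;
    subscription_t *s = &table[num_subs];
    s->id = (int)++num_subs;
    return s;
}

/* Unchecked pattern: sub_add()'s result is used as if it could never be
 * NULL, so the first request past the limit writes through a null pointer. */
int handle_subscribe_unchecked(const char *recipient)
{
    subscription_t *s = sub_add();
    strncpy(s->recipient, recipient, sizeof(s->recipient) - 1);
    s->recipient[sizeof(s->recipient) - 1] = '\0';
    return s->id;
}

/* Checked pattern: a full table is an ordinary error the caller reports. */
int handle_subscribe_checked(const char *recipient)
{
    subscription_t *s;
    if (recipient == NULL || (s = sub_add()) == NULL)
        return -1;
    strncpy(s->recipient, recipient, sizeof(s->recipient) - 1);
    s->recipient[sizeof(s->recipient) - 1] = '\0';
    return s->id;
}

/* Fills the table, then sends one request too many; returns its result.
 * The recipient strings are constructed sample values. */
int demo_fill_past_limit(void)
{
    num_subs = 0;
    for (int i = 0; i < MAX_SUBSCRIPTIONS; i++)
        if (handle_subscribe_checked("rss://localhost/constructed.rss") != i + 1)
            return -2;
    return handle_subscribe_checked("rss://localhost/one-too-many.rss");
}

int main(void) { return demo_fill_past_limit() == -1 ? 0 : 1; }
```

With the checked handler, the request past the limit is rejected with an error code and the process keeps running; the unchecked handler would fault at the same point.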

The following software packages and platforms are affected:

Package cups

Fedora 8
Fedora 9
Fedora 10

The vendor provides updated packages.

Vendor advisory:
https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00595.html
https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00581.html
https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00562.html

(c) of the German summary held by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,
Andreas Bunten, DFN-CERT
--
Andreas Bunten (Incident Response Team), +49 40 808077-555

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID no.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic warning messages https://www.cert.dfn.de/autowarn

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-10895
None
--------------------------------------------------------------------------------

Name : cups
Product : Fedora 10
Version : 1.3.9
Release : 4.fc10
URL : http://www.cups.org/
Summary : Common Unix Printing System
Description :
The Common UNIX Printing System provides a portable printing layer for
UNIX® operating systems. It has been developed by Easy Software Products
to promote a standard printing solution for all UNIX vendors and users.
CUPS provides the System V and Berkeley command-line interfaces.

--------------------------------------------------------------------------------
Update Information:

Security update to fix CVE-2008-5183. Also changed in this update:
* a bug that caused cups-polld to fail to resolve hostnames has been fixed
* a bug that could cause libcups to get stuck in a loop has been fixed
* the dnssd backend has been removed as it is not working correctly and can
  prevent printers being added
--------------------------------------------------------------------------------
ChangeLog:

* Wed Dec 3 2008 Tim Waugh 1:1.3.9-4
- Applied patch to fix STR #2974 (bug #473905, CVE-2008-5286,
  CVE-2008-1722).
- Applied patch to fix RSS subscription limiting (bug #473901,
  CVE-2008-5183).
- Fixed cups-polld again for res_init (STR #3023, bug #354071).
- Added patch to avoid polling busy loop (STR #2988).
* Thu Oct 30 2008 Tim Waugh 1:1.3.9-3
- Fixed LSPP labels (bug #468442).
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #473901 – CVE-2008-5183 cups: DoS (daemon crash) by adding a large number of RSS subscriptions
https://bugzilla.redhat.com/show_bug.cgi?id=473901
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update cups' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------