[SECURITY] Fedora 12 Update: cups-1.4.4-5.fc12

updates at fedoraproject.org
Tue Jul 27 02:46:22 UTC 2010


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-10101
2010-06-21 11:50:23
--------------------------------------------------------------------------------

Name        : cups
Product     : Fedora 12
Version     : 1.4.4
Release     : 5.fc12
URL         : http://www.cups.org/
Summary     : Common Unix Printing System
Description :
The Common UNIX Printing System provides a portable printing layer for
UNIX® operating systems. It has been developed by Easy Software Products
to promote a standard printing solution for all UNIX vendors and users.
CUPS provides the System V and Berkeley command-line interfaces.

--------------------------------------------------------------------------------
Update Information:

New upstream release fixing several security issues: CVE-2010-0540,
CVE-2010-0542, CVE-2010-1748.
--------------------------------------------------------------------------------
ChangeLog:

* Mon Jun 28 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.4-5
- Avoid empty notify-subscribed-event attributes (bug #606909,
  STR #3608).
* Thu Jun 24 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.4-4
- Use gnutls again but disable threading (bug #607159).
* Tue Jun 22 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.4-3
- Removed dependency on ghostscript-cups package.  The pstoraster
  filter is not in that package until Fedora 13.
* Fri Jun 18 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.4-2
- Re-enabled SSL support by using OpenSSL instead of gnutls.
* Fri Jun 18 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.4-1
- 1.4.4.  Fixes several security vulnerabilities (bug #605399):
  CVE-2010-0540, CVE-2010-0542, CVE-2010-1748.  No longer need str3503,
  str3399, str3505, str3541, str3425p2 or CVE-2010-0302 patches.
- Fix lpd provides.
- Added comments for all sources and patches.
- Reset status after successful ipp job (bug #548219, STR #3460).
- Install udev rules in correct place (bug #530378).
- Removed unapplied gnutls-gcrypt-threads patch.  Fixed typos in
  descriptions for lpd and php sub-packages.
- Add an SNMP query for Ricoh's device ID OID (STR #3552).
- Mark DNS-SD Device IDs that have been guessed at with "FZY:1;".
- Add an SNMP query for HP's device ID OID (STR #3552).
* Wed Jun  9 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.3-8
- Use upstream method of handling SNMP quirks in PPDs (STR #3551,
  bug #581825).
* Tue Jun  1 2010 Jiri Popelka <jpopelka at redhat.com> 1:1.4.3-7
- Added back still useful str3425.patch.
  Second part of STR #3425 is still not fixed in 1.4.3
* Tue May 18 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.3-6
- Adjust texttops output to be in natural orientation (STR #3563).
  This fixes page-label orientation when texttops is used in the
  filter chain (bug #572338).
* Thu May  6 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.3-5
- Use numeric addresses for interfaces unless HostNameLookups are
  turned on (bug #583054).
* Fri Apr 16 2010 Jiri Popelka <jpopelka at redhat.com> 1:1.4.3-4
- Fixed str3541.patch
- Added Require: ghostscript (bug #572701)
* Tue Apr 13 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.3-3
- Handle SNMP supply level quirks (bug #581825).
* Wed Mar 31 2010 Tim Waugh <twaugh at redhat.com> 1:1.4.3-2
- Another BrowsePoll fix: handle EAI_NODATA as well (bug #567353).
* Wed Mar 31 2010 Jiri Popelka <jpopelka at redhat.com> 1:1.4.3-1
- 1.4.3.
- No longer need CVE-2009-3553, str3381, str3390, str3391,
  str3403, str3407, str3413, str3418, str3422, str3425,
  str3428, str3431, str3435, str3436, str3439, str3440,
  str3442, str3448, str3458, str3460, cups-sidechannel-intrs,
  negative-snmp-string-length, cups-media-empty-warning patches.
* Tue Mar 30 2010 Jiri Popelka <jpopelka at redhat.com> 1:1.4.2-30
- Fixed lpstat to adhere to -o option (bug #577901, STR #3541).
* Wed Mar 10 2010 Jiri Popelka <jpopelka at redhat.com> 1:1.4.2-29
- Fixed (for the third time) patch for STR #3425 to correctly
  remove job info files in /var/spool/cups (bug #571830).
* Fri Mar  5 2010 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-28
- Applied patch for CVE-2010-0302 (incomplete fix for CVE-2009-3553,
  bug #557775).
* Tue Mar  2 2010 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-27
- Don't own filesystem locale directories (bug #569403).
- Don't apply gcrypt threading patch (bug #553834).
- Don't treat SIGPIPE as an error (bug #569770).
* Wed Feb 24 2010 Jiri Popelka <jpopelka at redhat.com> 1:1.4.2-26
- Fixed cupsGetNamedDest() so it falls back to the real default
  printer when a default from configuration file does not exist (bug #565569, STR #3503).
* Tue Feb 23 2010 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-25
- Update classes.conf when a class member printer is deleted
  (bug #565878, STR #3505).
* Tue Feb 23 2010 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-24
- Re-initialize the resolver if getnameinfo() returns EAI_AGAIN
  (bug #567353).
* Fri Jan 15 2010 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-23
- Don't mark initscript as config file.
- Use %{_initddir}, %{_sysconfdir} and SMP make flags.
- Use mode 0755 for binaries and libraries where appropriate.
- Removed use of prereq and buildprereq.
- Fixed use of '%' in changelog.
- Versioned explicit obsoletes/provides.
- Use tabs throughout.
- Reset status after successful ipp job (bug #548219, STR #3460).
* Thu Jan 14 2010 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-21
- Install udev rules in correct place (bug #530378).
* Wed Dec 23 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-20
- Fixed patch for STR #3425 again by adding in back-ported change from
  svn revision 8929 (bug #549899).  No longer need
  delete-active-printer patch.
* Tue Dec 22 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-19
- Fixed ipp authentication for servers requiring authentication for
  IPP-Get-Printer-Attributes (bug #548873, STR #3458).
* Mon Dec 21 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-18
- Ensure proper thread-safety in gnutls's use of libgcrypt
  (bug #544619).
* Sat Dec 19 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-17
- Fixed patch for STR #3425 by adding in back-ported change from svn
  revision 8936 (bug #548904).
* Thu Dec 10 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-16
- Fixed invalid read in cupsAddDest (bug #537460).
* Wed Dec  9 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-15
- Use upstream patch to fix scheduler crash when an active printer was
  deleted (rev 8914).
* Tue Dec  8 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-14
- The scheduler did not use the Get-Job-Attributes policy for a
  printer (STR #3431).
- The scheduler added two job-name attributes to each job object
  (STR #3428).
- The scheduler did not clean out completed jobs when
  PreserveJobHistory was turned off (STR #3425).
- The web interface did not show completed jobs (STR #3436).
- Authenticated printing did not always work when printing directly to
  a remote server (STR #3435).
- Use upstream patch to stop the network backends incorrectly clearing
  the media-empty-warning state (rev 8896).
- Use upstream patch to fix interrupt handling in the side-channel
  APIs (rev 8896).
- Use upstream patch to handle negative SNMP string lengths (rev 8896).
- Use upstream fix for SNMP detection (bug #542857, STR #3413).
- Use the text filter for text/css files (bug #545026, STR #3442).
- Show conflicting option values in web UI (bug #544326, STR #3440).
- Use upstream fix for adjustment of conflicting options
  (bug #533426, STR #3439).
- No longer requires paps.  The texttopaps filter MIME conversion file
  is now provided by the paps package (bug #545036).
* Tue Dec  8 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-13
- Moved %{_datadir}/cups/ppdc/*.h to the main package (bug #545348).
* Fri Dec  4 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-12
- The web interface prevented conflicting options from being adjusted
  (bug #533426, STR #3439).
* Thu Dec  3 2009 Tim Waugh <twaugh at redhat.com> - 1:1.4.2-11
- Fixes for SNMP scanning with Lexmark printers (bug #542857, STR #3413).
* Mon Nov 23 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-10
- Undo last change as it was incorrect.
* Mon Nov 23 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-9
- Fixed small typos introduced in fix for bug #536741.
* Fri Nov 20 2009 Jiri Popelka <jpopelka at redhat.com> 1:1.4.2-8
- Do not translate Russian links showing completed jobs
  (bug #539354, STR #3422).
* Thu Nov 19 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-7
- Applied patch to fix CVE-2009-3553 (bug #530111, STR #3200).
* Tue Nov 17 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-6
- Fixed display of current driver (bug #537182, STR #3418).
- Fixed out-of-memory handling when loading jobs (bug #538054,
  STR #3407).
* Mon Nov 16 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-5
- Fixed typo in admin web template (bug #537884, STR #3403).
- Reset SIGPIPE handler for child processes (bug #537886, STR #3399).
* Mon Nov 16 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-4
- Upstream fix for GNU TLS error handling bug (bug #537883, STR #3381).
* Wed Nov 11 2009 Jiri Popelka <jpopelka at redhat.com> 1:1.4.2-3
- Fixed lspp-patch to avoid memory leak (bug #536741).
* Tue Nov 10 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-2
- Added explicit version dependency on cups-libs to cups-lpd
  (bug #502205).
* Tue Nov 10 2009 Tim Waugh <twaugh at redhat.com> 1:1.4.2-1
- 1.4.2.  No longer need str3380, str3332, str3356, str3396 patches.
- Removed postscript.ppd.gz (bug #533371).
- Renumbered patches and sources.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #591983 - CVE-2010-1748 cups: web interface memory disclosure
        https://bugzilla.redhat.com/show_bug.cgi?id=591983
  [ 2 ] Bug #587746 - CVE-2010-0542 CUPS: texttops unchecked memory allocation failure leading to NULL pointer dereference
        https://bugzilla.redhat.com/show_bug.cgi?id=587746
  [ 3 ] Bug #605397 - cups: latent privilege escalation vulnerability
        https://bugzilla.redhat.com/show_bug.cgi?id=605397
  [ 4 ] Bug #588805 - CVE-2010-0540 CUPS administrator web interface CSRF
        https://bugzilla.redhat.com/show_bug.cgi?id=588805
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update cups' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

