From debian-security-announce@lists.debian.org Thu Oct 14 17:13:03 2004
From: debian-security-announce@lists.debian.org
Resent-From: list@murphy.debian.org (SmartList)
To: full-disclosure@lists.netsys.com
Date: Thu, 14 Oct 2004 17:27:26 +0200 (CEST)
Reply-To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] [SECURITY] [DSA 566-1] New CUPS packages fix information leak

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 566-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 14th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cupsys
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0923
CERT advisory  : VU#557062

An information leak has been detected in CUPS, the Common UNIX Printing
System, which may lead to the disclosure of sensitive information, such
as user names and passwords which are written into log files.

The patch that was applied only removes the authentication information
from the device URI that is logged in the error_log file. It does not
remove the URI from the environment and process table, which is why the
CUPS developers recommend that system administrators do not put
authentication information in device URIs in the first place.

For the stable distribution (woody) this problem has been fixed in
version 1.1.14-5woody7.

For the unstable distribution (sid) this problem has been fixed in
version 1.1.20final+rc1-9.

We recommend that you upgrade your CUPS package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBbprdW5ql+IAeqTIRAs2XAKCaRQ490/C8iFKprrBBK8CsbnjVEQCaApFb
HfNhjsxtZ0wRnppgq06sO7w=
=gN6K
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
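
Because the fix only scrubs the device URI in error_log and leaves it in the environment and process table, the durable mitigation is the one the advisory recommends: keep credentials out of device URIs. The following audit sketch is an added example, not part of the advisory or of CUPS; it assumes the usual printers.conf layout (`<Printer name>` sections containing a `DeviceURI` line), and the sample configuration, host names and credentials are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in printers.conf layout; hosts, users and passwords are invented.
SAMPLE_PRINTERS_CONF = """\
<DefaultPrinter office>
DeviceURI smb://jdoe:s3cret@fileserver/laser
</DefaultPrinter>
<Printer lab>
DeviceURI ipp://printhost.example/printers/lab
</Printer>
<Printer front>
DeviceURI lpd://scanuser@printhost.example/front
</Printer>
"""

_SECTION = re.compile(r"<(?:Default)?Printer\s+([^>]+)>")


def redact_uri(uri):
    """Return the URI with any user[:password]@ part removed from the authority."""
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return uri
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def audit_device_uris(conf_text):
    """List (printer, redacted_uri, has_password) for DeviceURIs carrying userinfo."""
    findings = []
    printer = None
    for line in conf_text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            printer = m.group(1)
        elif line.startswith("DeviceURI "):
            uri = line.split(None, 1)[1]
            parts = urlsplit(uri)
            if parts.username is not None:
                findings.append((printer, redact_uri(uri), parts.password is not None))
    return findings


if __name__ == "__main__":
    # On a real host, pass the text of /etc/cups/printers.conf (path assumed) instead.
    for name, uri, has_pw in audit_device_uris(SAMPLE_PRINTERS_CONF):
        print(f"{name}: {uri} (password embedded: {has_pw})")
```

Only the redacted URI is reported, so the audit output does not itself become another place where the password is written.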