From security@linux-mandrake.com Thu Nov 6 14:14:15 2003
From: Mandrake Linux Security Team
To: full-disclosure@lists.netsys.com
Date: 6 Nov 2003 03:01:08 -0000
Subject: [Full-Disclosure] MDKSA-2003:104 - Updated CUPS packages fix denial of service vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

                Mandrake Linux Security Update Advisory
_______________________________________________________________________

Package name:           cups
Advisory ID:            MDKSA-2003:104
Date:                   November 5th, 2003
Affected versions:      9.0, Corporate Server 2.1
______________________________________________________________________

Problem Description:

 A bug in the Internet Printing Protocol (IPP) implementation in
 versions of CUPS prior to 1.1.19, reported by Paul Mitcheson, would
 result in CUPS going into a busy loop, which could result in a Denial
 of Service (DoS) condition.  To be able to exploit this problem, an
 attacker would need to be able to make a TCP connection to the IPP
 port (port 631 by default).

 The provided packages have been patched to correct this problem.
_______________________________________________________________________

References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0788
______________________________________________________________________

Updated Packages:

 Corporate Server 2.1:
 584a05963995876e075e5ca9817cfadb  corporate/2.1/RPMS/cups-1.1.18-2.2.C21mdk.i586.rpm
 7971d0e5ac93d322e6aa97677e815eef  corporate/2.1/RPMS/cups-common-1.1.18-2.2.C21mdk.i586.rpm
 06320efce369f26e61c37f32eb16169f  corporate/2.1/RPMS/cups-serial-1.1.18-2.2.C21mdk.i586.rpm
 525bb92144b0b12c8ed04422cdc82d71  corporate/2.1/RPMS/libcups1-1.1.18-2.2.C21mdk.i586.rpm
 6d35d2b7a8cb4eb93292cf47f408a4fe  corporate/2.1/RPMS/libcups1-devel-1.1.18-2.2.C21mdk.i586.rpm
 b93777ca1fa1ef8b3471f5a3827c1e32  corporate/2.1/SRPMS/cups-1.1.18-2.2.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 32240f855fb4495a9041f06f595ab8e2  x86_64/corporate/2.1/RPMS/cups-1.1.18-2.2.C21mdk.x86_64.rpm
 77f573305193f54dd39d7f0418da466e  x86_64/corporate/2.1/RPMS/cups-common-1.1.18-2.2.C21mdk.x86_64.rpm
 5b68c85307ccbcb6dd7d8b4494781cf9  x86_64/corporate/2.1/RPMS/cups-serial-1.1.18-2.2.C21mdk.x86_64.rpm
 bcc3fdf22ebc631bbd0560795413d312  x86_64/corporate/2.1/RPMS/libcups1-1.1.18-2.2.C21mdk.x86_64.rpm
 67d11d928cd59d3e734c90a9b1f02e05  x86_64/corporate/2.1/RPMS/libcups1-devel-1.1.18-2.2.C21mdk.x86_64.rpm
 b93777ca1fa1ef8b3471f5a3827c1e32  x86_64/corporate/2.1/SRPMS/cups-1.1.18-2.2.C21mdk.src.rpm

 Mandrake Linux 9.0:
 ef999ce7a7361856bde78493357c173c  9.0/RPMS/cups-1.1.18-2.2.90mdk.i586.rpm
 23772861be6813682316071ac5142169  9.0/RPMS/cups-common-1.1.18-2.2.90mdk.i586.rpm
 517a0a906e0f6135aacb31fc1dc98c1c  9.0/RPMS/cups-serial-1.1.18-2.2.90mdk.i586.rpm
 e5ba8a833fab015d04743e61466adcb3  9.0/RPMS/libcups1-1.1.18-2.2.90mdk.i586.rpm
 fce8efc7313816c9aaabaa6c9abf6201  9.0/RPMS/libcups1-devel-1.1.18-2.2.90mdk.i586.rpm
 4357ea21f3bb199c65fc37c9eebd1066  9.0/SRPMS/cups-1.1.18-2.2.90mdk.src.rpm
_______________________________________________________________________

 To upgrade automatically use
 MandrakeUpdate or urpmi.  The verification of md5 checksums and GPG
 signatures is performed automatically for you.

 A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

 All packages are signed by MandrakeSoft for security.  You can obtain
 the GPG public key of the Mandrake Linux Security Team by executing:

  gpg --recv-keys --keyserver www.mandrakesecure.net 0x22458A98

 Please be aware that sometimes it takes the mirrors a few hours to
 update.

 You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

 MandrakeSoft has several security-related mailing list services that
 anyone can subscribe to.  Information on these lists can be obtained by
 visiting:

  http://www.mandrakesecure.net/en/mlist.php

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE/qbl0mqjQ0CJFipgRAgU6AJ98a4C4+wz2tysAQGwy2/WEN5K+NQCfQjBX
6X9Q3Opeh6oBY9pPaluq1ls=
=l25S
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
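
For packages fetched by hand from an FTP mirror instead of through MandrakeUpdate or urpmi, the "Updated Packages" checksum list can be checked with a short script. This is an added example, not part of the original advisory or any Mandrake tool; the function names and the demo file are hypothetical, and it covers only the MD5 comparison, not the GPG signature check the advisory also mentions.

```python
import hashlib
import re
from pathlib import Path

# One manifest entry: 32 hex digits, whitespace, a path ending in .rpm.
ENTRY = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(\S+\.rpm)\s*$")

def parse_manifest(text):
    """Map package basename -> expected MD5 from advisory-style lines."""
    expected = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # headings, rulers, blank lines
        digest, name = m.group(1).lower(), Path(m.group(2)).name
        # The same SRPM can be listed under several trees; digests must agree.
        if expected.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting checksums for {name}")
    return expected

def md5_of(path, chunk=1 << 20):
    """Stream the file so large packages are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(manifest_text, directory):
    """Return {basename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}."""
    expected = parse_manifest(manifest_text)
    directory = Path(directory)
    report = {}
    for name, digest in expected.items():
        f = directory / name
        if not f.is_file():
            report[name] = "missing"
        else:
            report[name] = "ok" if md5_of(f) == digest else "mismatch"
    for f in directory.glob("*.rpm"):  # downloaded but not in the advisory
        report.setdefault(f.name, "unlisted")
    return report

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in file and manifest, not a real Mandrake package.
        (Path(d) / "demo-1.0-1mdk.i586.rpm").write_bytes(b"constructed payload")
        digest = hashlib.md5(b"constructed payload").hexdigest()
        manifest = f"Demo 1.0:\n {digest}  1.0/RPMS/demo-1.0-1mdk.i586.rpm\n"
        print(verify(manifest, d))
```

Any result other than `ok` for a listed package means the file should be re-downloaded before it is installed.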