Bug#891142: stretch-pu: package cups/2.2.1-8+

To: Didier 'OdyX' Raboud <odyx@debian.org>, 891142@bugs.debian.org
Subject: Bug#891142: stretch-pu: package cups/2.2.1-8+
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Fri, 23 Feb 2018 17:50:52 +0000
Message-id: <[🔎] 1519408252.20519.30.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 891142@bugs.debian.org
In-reply-to: <[🔎] 151931865396.3794.11671427606846780833.reportbug@gyllingar>
References: <[🔎] 151931865396.3794.11671427606846780833.reportbug@gyllingar> <[🔎] 151931865396.3794.11671427606846780833.reportbug@gyllingar>

Control: tags -1 + confirmed

On Thu, 2018-02-22 at 17:57 +0100, Didier 'OdyX' Raboud wrote:
> CUPS is affected by CVE-2017-18190: remote attackers could execute
> arbitrary
> IPP commands by sending POST requests to the CUPS daemon in
> conjunction with
> DNS rebinding. This was caused by a whitelisted
> "localhost.localdomain" entry.
> 
> According to the Security Team it doesn't warrant a DSA, but still
> makes sense
> to be addressed on Stretch (and Jessie). It was fixed independently
> on wheezy
> already.
> 
> The proposed debdiff is attached; can I upload to stretch?

Please go ahead.

> Do you need another bug for Jessie ?

Yes, please.

Regards,

Adam

Reply to:

Follow-Ups:
- Bug#891142: stretch-pu: package cups/2.2.1-8+
  - From: Didier 'OdyX' Raboud <odyx@debian.org>

References:
- Bug#891142: stretch-pu: package cups/2.2.1-8+
  - From: Didier 'OdyX' Raboud <odyx@debian.org>

Prev by Date: Bug#891053: stretch-pu: package acme-tiny/20160801-3
Next by Date: Processed: Re: Bug#891142: stretch-pu: package cups/2.2.1-8+
Previous by thread: Bug#891142: stretch-pu: package cups/2.2.1-8+
Next by thread: Bug#891142: stretch-pu: package cups/2.2.1-8+
Index(es):
- Date
- Thread