
Bug#689991: CUPS: error_log flooded due to AllowUser restriction



* Brian Potkin [2014-02-27 16:22:57 +0000]:
> It was remiss of me not to have pushed the initial report of the bug
> upstream, but the str database was offline and I also had got it into my
> head that upstream was not considering any further changes to 1.5.3. If
> it is thought appropriate I could make amends for this lack of
> judgement. :)

Would it be appropriate to backport the fix from 1.7.1? Any client-side fix
is going to be difficult to deploy: the clients with a buggy IPP back-end
may not even be running Debian. But it sounds like upstream doesn't have any
server-side mitigation for this yet; maybe that's worth pointing out in
an STR. (I'm not sure what countermeasures there could be; tarpitting of
clients with excessive error rates, perhaps? In any case I'd look for
something generic, that can protect from a whole class of accidental or
deliberate DoS attacks.)
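
A sketch of the tarpitting idea raised above, as an added example that is not part of the original message and is not CUPS code: a per-client sliding window of errors that turns into a growing, capped response delay. The class and function names, the thresholds and the sample events are assumptions made for illustration.

```python
from collections import deque

class ErrorRateTarpit:
    """Per-client sliding-window error counter mapped to a response delay."""

    def __init__(self, window=60.0, threshold=10, base_delay=0.5, max_delay=30.0):
        self.window = window          # seconds of history kept per client
        self.threshold = threshold    # errors tolerated in the window, no delay
        self.base_delay = base_delay  # delay for the first error over threshold
        self.max_delay = max_delay    # cap, so a request is never held forever
        self._errors = {}             # client address -> deque of error times

    def record_error(self, client, now):
        # maxlen bounds memory per client even while it is flooding.
        q = self._errors.setdefault(client, deque(maxlen=self.threshold + 17))
        q.append(now)

    def delay_for(self, client, now):
        """Seconds to stall this client's next request (0.0 = serve at once)."""
        recent = self._errors.get(client)
        if recent is None:
            return 0.0
        while recent and now - recent[0] > self.window:
            recent.popleft()          # forget errors older than the window
        if not recent:
            del self._errors[client]  # drop state for clients that recovered
            return 0.0
        excess = len(recent) - self.threshold
        if excess <= 0:
            return 0.0
        # Double per extra error; clamp the exponent so the float cannot overflow.
        return min(self.base_delay * 2 ** min(excess - 1, 16), self.max_delay)

def replay(events, tarpit):
    """Feed (time, client, failed) tuples; return (client, delay) per request."""
    delays = []
    for now, client, failed in events:
        delays.append((client, tarpit.delay_for(client, now)))
        if failed:
            tarpit.record_error(client, now)
    return delays

# Constructed sample: one client retrying a rejected job every second,
# and one client that fails once and then succeeds.
CONSTRUCTED_EVENTS = sorted(
    [(float(t), "192.0.2.10", True) for t in range(20)]
    + [(5.0, "192.0.2.20", True), (6.0, "192.0.2.20", False)]
)
```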

