On Tuesday, 1 December 2015, 09.14:12 Moritz Muehlenhoff wrote:
> On Mon, Nov 30, 2015 at 10:21:58PM +0100, Didier 'OdyX' Raboud wrote:
> > Hi Till,
> >
> > On Thursday, 26 November 2015, 18.08:16 Till Kamppeter wrote:
> > > I have released cups-filters 1.2.0 now, with the following
> > > changes:
> > >
> > > - cups-browsed: When using IP-address-based device URIs via the
> > >   "IPBasedDeviceURIs" directive in cups-browsed.conf, add two
> > >   additional settings to restrict the used IP addresses to either
> > >   only IPv4 addresses or only IPv6 addresses.
> > > - foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as
> > >   an illegal shell escape character. Thanks to Michal Kowalczyk from
> > >   the Google Security Team for the hint (CVE-2015-8327).
> >
> > Uploaded, thanks!
> >
> > I'm hereby CC'ing the security team to discuss the backport of that
> > security fix (patch CC'ed) to jessie-security. At this stage, I
> > don't have more details than the above, can you share more Till?
>
> Thanks! Please upload to security-master. I'll take care of the DSA.

Uploaded, thanks. But… As Till mentioned further down that thread:

On Tuesday, 1 December 2015, 08.47:36 Till Kamppeter wrote:
> foomatic-rip is part of cups-filters from version 1.0.42 on, before
> that version, foomatic-rip of the foomatic-filters package was used.

That means that src:foomatic-filters is affected by this bug, for all suites. That also means pre-jessie src:cups-filters versions are unaffected.

I'll file a serious bug against foomatic-filters, as it's not (anymore) under the Debian Printing Team umbrella (although it _was_ in oldstable). The (straight-forward) patch should really be easy to port. :)

Cheers,
OdyX