On Tuesday, 1 December 2015, 09.14:12 Moritz Muehlenhoff wrote:
> On Mon, Nov 30, 2015 at 10:21:58PM +0100, Didier 'OdyX' Raboud wrote:
> > Hi Till,
> >
> > On Thursday, 26 November 2015, 18.08:16 Till Kamppeter wrote:
> > > I have released cups-filters 1.2.0 now, with the following
> > > changes:
> > >
> > > - cups-browsed: When using IP-address-based device URIs via the
> > > "IPBasedDeviceURIs" directive in cups-browsed.conf, add two
> > > additional settings to restrict the used IP addresses to either
> > > only IPv4 addresses or only IPv6 addresses.
> > > - foomatic-rip: SECURITY FIX: Also consider the back tick ('`') as an
> > > illegal shell escape character. Thanks to Michal Kowalczyk from the
> > > Google Security Team for the hint (CVE-2015-8327).
> >
> > Uploaded, thanks!
> >
> > I'm hereby CC'ing the security team to discuss the backport of that
> > security fix (patch CC'ed) to jessie-security. At this stage, I don't
> > have more details than the above, can you share more Till?
>
> Thanks! Please upload to security-master. I'll take care of the DSA.
Uploaded, thanks. But…
As Till mentioned further down that thread:
On Tuesday, 1 December 2015, 08.47:36 Till Kamppeter wrote:
> foomatic-rip is part of cups-filters from version 1.0.42 on, before
> that version, foomatic-rip of the foomatic-filters package was used.
That means that src:foomatic-filters is affected by this bug, for all
suites. That also means pre-jessie src:cups-filters versions are
unaffected.
I'll file a serious bug against foomatic-filters, as it's not (anymore)
under the Debian Printing Team umbrella (although it _was_ in
oldstable). The (straight-forward) patch should really be easy to port. :)
Cheers,
OdyX