Bug#839226: marked as done ([PATCH] cups : SSL is vulnerable to POODLE)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Fri, 30 Sep 2016 14:51:41 +0200
with message-id <3413926.mgdGv8aA39@gyllingar>
and subject line Re: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE
has caused the Debian Bug report #839226,
regarding [PATCH] cups : SSL is vulnerable to POODLE
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
839226: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839226
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: [PATCH] cups : SSL is vulnerable to POODLE
• From: Frederic Bonnard <frediz@linux.vnet.ibm.com>
• Date: Fri, 30 Sep 2016 12:52:55 +0200
• Message-id: <[🔎] 20160930125255.GE11135@kin.test.toulouse-stg.fr.ibm.com>

Package: cups
Version: 1.5.3-5+deb7u6
Tags: patch

--

Hi,

would it be possible to review and maybe have this patch in wheezy ? (maybe also
jessie as all cups < 2.1b1 are concerned).
It has been applied in Redhat/Centos and Ubuntu in greater version (1.6.3 and
1.7.2).
I disables SSLv3 by default but gives the possibility with AllowSSL3 to turns SSLv3
back on and also AllowRC4 turns on just the RC4 cyphers.
I tried to backport it to 1.5.3, so double checking would be nice.
I tried it and it seems to work (also options to re-enable SSL3/RC4 cyphers).
For Jessie, it seems that the patch from Ubuntu cups-1.7.2-0ubuntu1.7 applies
with some refresh.

https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163
https://bugzilla.redhat.com/show_bug.cgi?id=1161172
https://www.cups.org/str.php?L4476


F.

Description: Disable SSLv3 with option to turn back on.
 This disables SSLv3 in cups. It also provided 2 configuration 
 options to renable by specifying SSLOptions in the cupsd.conf
 file. AllowSSL3 turns SSLv3 back on and AllowRC4 turns on just
 the RC4 cypers.
 This patch was originally taken from https://git.centos.org/raw/rpms!cups/68a3ed04baba43d09f5cdd7557dda2480070feb0/SOURCES!cups-str4476.patch
 and backported to cups 1.5.3.
Origin: vendor, https://bugzilla.redhat.com/show_bug.cgi?id=1161172
Bug: https://www.cups.org/str.php?L4476
Bug-Ubuntu: https://launchpad.net/bugs/1505328
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/cups/http.c
+++ b/cups/http.c
@@ -182,6 +182,8 @@
  * Local globals...
  */
 
+static int		tls_options = 0; /* Options for TLS connections */
+
 static const char * const http_fields[] =
 			{
 			  "Accept-Language",
@@ -3620,7 +3622,10 @@
   if (http->encryption == HTTP_ENCRYPT_REQUIRED && !http->tls)
   {
     httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade");
-    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.0,SSL/2.0,SSL/3.0");
+    if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+      httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0,SSL/3.0");
+    else
+      httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0");
   }
 #endif /* HAVE_SSL */
 
@@ -3906,6 +3911,10 @@
   context = SSL_CTX_new(SSLv23_client_method());
 
   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
+  if (!(tls_options & _HTTP_TLS_ALLOW_SSL3))
+    SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
+  if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
+    SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
 
   bio = BIO_new(_httpBIOMethods());
   BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
@@ -3965,7 +3974,16 @@
   gnutls_certificate_allocate_credentials(credentials);
 
   gnutls_init(&http->tls, GNUTLS_CLIENT);
-  gnutls_set_default_priority(http->tls);
+  if (!tls_options)
+    gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
+  else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) &&
+	   (tls_options & _HTTP_TLS_ALLOW_RC4))
+    gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
+  else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+    gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128", NULL);
+  else
+    gnutls_priority_set_direct(http->tls, "NORMAL:-VERS-SSL3.0", NULL);
+
   gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname,
                          strlen(hostname));
   gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
@@ -4378,7 +4396,10 @@
 
   httpClearFields(http);
   httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade");
-  httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0");
+  if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0");
+  else
+    httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0");
 
   if ((ret = httpOptions(http, "*")) == 0)
   {
@@ -4704,6 +4725,16 @@
 }
 #endif /* HAVE_SSL */
 
+/*
+ * '_httpTLSSetOptions()' - Set TLS/SSL options.
+ */
+
+void
+_httpTLSSetOptions(int options)
+{
+  tls_options = options;
+}
+
 
 /*
  * End of "$Id: http.c 10450 2012-05-04 22:52:56Z mike $".
--- a/cups/http-private.h
+++ b/cups/http-private.h
@@ -136,6 +136,10 @@
 #    endif /* HAVE_GETIFADDRS */
 #  endif /* !WIN32 */
 
+/* care - these should be the same values as the CUPSD_SSL_* equivalents */
+#define _HTTP_TLS_ALLOW_RC4	2
+#define _HTTP_TLS_ALLOW_SSL3	4
+
 
 /*
  * C++ magic...
@@ -392,6 +396,8 @@
 extern int		_httpUpdate(http_t *http, http_status_t *status);
 extern int		_httpWait(http_t *http, int msec, int usessl);
 
+extern void		_httpTLSSetOptions(int options);
+
 
 /*
  * C++ magic...
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -63,7 +63,8 @@
 #endif /* HAVE_GSSAPI */
 				      const char *cups_anyroot,
 				      const char *cups_expiredroot,
-				      const char *cups_expiredcerts);
+				      const char *cups_expiredcerts,
+				      int ssl_options);
 
 
 /*
@@ -248,6 +249,9 @@
   _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
 
 
+  if (cg->encryption == (http_encryption_t)-1)
+    _cupsSetDefaults();
+
   cg->encryption = e;
 
   if (cg->http)
@@ -575,7 +579,36 @@
   if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] ||
       !cg->ipp_port)
   {
+   /*
+    * Look for CUPS_SERVERROOT/client.conf...
+    */
+
+    snprintf(filename, sizeof(filename), "%s/client.conf",
+	     cg->cups_serverroot);
+    fp = cupsFileOpen(filename, "r");
+
+   /*
+    * Read the configuration file and apply any environment variables; both
+    * functions handle NULL cups_file_t pointers...
+    */
+
+    cups_read_client_conf(fp, cg, cups_encryption, cups_server,
+#ifdef HAVE_GSSAPI
+			  cups_gssservicename,
+#endif /* HAVE_GSSAPI */
+			  cups_anyroot, cups_expiredroot,
+			  cups_expiredcerts, 1);
+
+   /*
+    * Then user defaults, if it is safe to do so...
+    */
+
+#ifdef HAVE_GETEUID
+    if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() &&
+	(home = getenv("HOME")) != NULL)
+#else
     if ((home = getenv("HOME")) != NULL)
+#endif
     {
      /*
       * Look for ~/.cups/client.conf...
@@ -583,33 +616,19 @@
 
       snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
       fp = cupsFileOpen(filename, "r");
-    }
-    else
-      fp = NULL;
-
-    if (!fp)
-    {
      /*
-      * Look for CUPS_SERVERROOT/client.conf...
+      * Read the configuration file and apply any environment variables; both
+      * functions handle NULL cups_file_t pointers...
       */
 
-      snprintf(filename, sizeof(filename), "%s/client.conf",
-               cg->cups_serverroot);
-      fp = cupsFileOpen(filename, "r");
-    }
-
-   /*
-    * Read the configuration file and apply any environment variables; both
-    * functions handle NULL cups_file_t pointers...
-    */
-
-    cups_read_client_conf(fp, cg, cups_encryption, cups_server,
+      cups_read_client_conf(fp, cg, cups_encryption, cups_server,
 #ifdef HAVE_GSSAPI
-			  cups_gssservicename,
+	  cups_gssservicename,
 #endif /* HAVE_GSSAPI */
-			  cups_anyroot, cups_expiredroot,
-			  cups_expiredcerts);
-    cupsFileClose(fp);
+	  cups_anyroot, cups_expiredroot,
+	  cups_expiredcerts, 0);
+      cupsFileClose(fp);
+    }
   }
 }
 
@@ -630,7 +649,8 @@
 #endif /* HAVE_GSSAPI */
     const char	    *cups_anyroot,	/* I - CUPS_ANYROOT env var */
     const char	    *cups_expiredroot,	/* I - CUPS_EXPIREDROOT env var */
-    const char	    *cups_expiredcerts)	/* I - CUPS_EXPIREDCERTS env var */
+    const char	    *cups_expiredcerts,	/* I - CUPS_EXPIREDCERTS env var */
+    int		     ssl_options)	/* I - Allow setting of SSLOptions? */
 {
   int	linenum;			/* Current line number */
   char	line[1024],			/* Line from file */
@@ -697,6 +717,43 @@
       cups_gssservicename = gss_service_name;
     }
 #endif /* HAVE_GSSAPI */
+    else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
+    {
+     /*
+      * SSLOptions [AllowRC4] [AllowSSL3] [None]
+      */
+
+      int	options = 0;		/* SSL/TLS options */
+      char	*start,			/* Start of option */
+		*end;			/* End of option */
+
+      for (start = value; *start; start = end)
+      {
+       /*
+	* Find end of keyword...
+	*/
+
+	end = start;
+	while (*end && !_cups_isspace(*end))
+	  end++;
+
+	if (*end)
+	  *end++ = '\0';
+
+       /*
+	* Compare...
+	*/
+
+	if (!_cups_strcasecmp(start, "AllowRC4"))
+	  options |= _HTTP_TLS_ALLOW_RC4;
+	else if (!_cups_strcasecmp(start, "AllowSSL3"))
+	  options |= _HTTP_TLS_ALLOW_SSL3;
+	else if (!_cups_strcasecmp(start, "None"))
+	  options = 0;
+      }
+
+      _httpTLSSetOptions(options);
+    }
   }
 
  /*
--- a/doc/help/ref-cupsd-conf.html.in
+++ b/doc/help/ref-cupsd-conf.html.in
@@ -2459,23 +2459,23 @@
 variable that should be passed to child processes.</P>
 
 
-<H2 CLASS="title"><A NAME="SSLListen">SSLListen</A></H2>
+<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
 
 <H3>Examples</H3>
 
 <PRE CLASS="command">
-SSLListen 127.0.0.1:443
-SSLListen 192.0.2.1:443
+SSLOptions 127.0.0.1:443
+SSLOptions 192.0.2.1:443
 </PRE>
 
 <H3>Description</H3>
 
-<P>The <CODE>SSLListen</CODE> directive specifies a network
+<P>The <CODE>SSLOptions</CODE> directive specifies a network
 address and port to listen for secure connections. Multiple
-<CODE>SSLListen</CODE> directives can be provided to listen on
+<CODE>SSLOptions</CODE> directives can be provided to listen on
 multiple addresses.</P>
 
-<P>The <CODE>SSLListen</CODE> directive is similar to the <A
+<P>The <CODE>SSLOptions</CODE> directive is similar to the <A
 HREF="#SSLPort"><CODE>SSLPort</CODE></A> directive but allows you
 to restrict access to specific interfaces or networks.</P>
 
@@ -2487,15 +2487,22 @@
 <PRE CLASS="command">
 SSLOptions None
 SSLOptions NoEmptyFragments
+SSLOptions AllowSSL3
+SSLOptions AllowRC4
 </PRE>
 
 <H3>Description</H3>
 
 <P>The <CODE>SSLOptions</CODE> directive specifies additional SSL/TLS
-protocol options to use for encrypted connected. Currently only two
-options are supported - <code>None</code> (the default) for the most
-secure mode and <code>NoEmptyFragments</code> to allow CUPS to work with
-Microsoft Windows with the FIPS conformance mode enabled.</p>
+protocol options to use for encrypted connected. By default, CUPS only
+supports encryption using TLS v1.0 or higher using known secure cipher
+suites. The <code>NoEmptyFragments</code> option allows CUPS to work
+with Microsoft Windows with the FIPS conformance mode
+enabled. The <code>AllowRC4</code> option enables the 128-bit RC4
+cipher suites, which are required for some older clients that do not
+implement newer ones. The <code>AllowSSL3</code> option enables SSL
+v3.0, which is required for some older clients that do not support TLS
+v1.0.</p>
 
 
 <H2 CLASS="title"><A NAME="SSLPort">SSLPort</A></H2>
--- a/man/cupsd.conf.man.in
+++ b/man/cupsd.conf.man.in
@@ -585,9 +585,16 @@
 .TP 5
 SSLOptions None
 .TP 5
-SSLOptions NoEmptyFragments
+SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR]
 .br
-Sets SSL/TLS protocol options for encrypted connections.
+Sets SSL/TLS protocol options for encrypted connections. By default,
+CUPS only supports encryption using TLS v1.0 or higher using known
+secure cipher suites. The \fINoEmptyFragments\fR option allows CUPS to
+work with Microsoft Windows with the FIPS conformance mode
+enabled. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher
+suites, which are required for some older clients that do not
+implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
+which is required for some older clients that do not support TLS v1.0.
 .TP 5
 SSLPort
 .br
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -3654,17 +3654,54 @@
     else if (!_cups_strcasecmp(line, "SSLOptions"))
     {
      /*
+      * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None]
+      */
+
+      int	options = 0;	/* SSL/TLS options */
+
+     /*
       * SSLOptions options
       */
 
-      if (!value || !_cups_strcasecmp(value, "none"))
-        SSLOptions = CUPSD_SSL_NONE;
-      else if (!_cups_strcasecmp(value, "noemptyfragments"))
-        SSLOptions = CUPSD_SSL_NOEMPTY;
-      else
-        cupsdLogMessage(CUPSD_LOG_ERROR,
-	                "Unknown value \"%s\" for SSLOptions directive on "
-			"line %d.", value, linenum);
+      if (value)
+      {
+	char	*start,		/* Start of option */
+		*end;		/* End of option */
+
+	for (start = value; *start; start = end)
+	{
+	 /*
+	  * Find end of keyword...
+	  */
+
+	  end = start;
+	  while (*end && !_cups_isspace(*end))
+	    end++;
+
+	  if (*end)
+	    *end++ = '\0';
+
+	 /*
+	  * Compare...
+	  */
+
+	  if (!_cups_strcasecmp(start, "NoEmptyFragments"))
+	    options |= CUPSD_SSL_NOEMPTY;
+	  else if (!_cups_strcasecmp(start, "AllowRC4"))
+	    options |= CUPSD_SSL_ALLOW_RC4;
+	  else if (!_cups_strcasecmp(start, "AllowSSL3"))
+	    options |= CUPSD_SSL_ALLOW_SSL3;
+	  else if (!_cups_strcasecmp(start, "None"))
+	    options = 0;
+	  else
+	    cupsdLogMessage(CUPSD_LOG_ERROR,
+			    "Unknown value \"%s\" for SSLOptions directive on "
+			    "line %d.", start, linenum);
+	}
+      }
+
+      SSLOptions = options;
+      _httpTLSSetOptions (SSLOptions & ~CUPSD_SSL_NOEMPTY);
     }
 #endif /* HAVE_SSL */
     else if (!_cups_strcasecmp(line, "AccessLog") ||
--- a/scheduler/conf.h
+++ b/scheduler/conf.h
@@ -78,6 +78,8 @@
 
 #define CUPSD_SSL_NONE		0	/* No special options */
 #define CUPSD_SSL_NOEMPTY	1	/* Do not insert empty fragments */
+#define CUPSD_SSL_ALLOW_RC4	2	/* Allow RC4 cipher suites */
+#define CUPSD_SSL_ALLOW_SSL3	4	/* Allow SSL 3.0 */
 
 
 /*
--- a/doc/help/ref-client-conf.html
+++ b/doc/help/ref-client-conf.html
@@ -33,6 +33,26 @@
 
 <P>The default setting is <VAR>IfRequested</VAR>.</P>
 
+<H2 CLASS="title"><A NAME="SSLOptions">SSLOptions</A></H2>
+
+<H3>Examples</H3>
+
+<PRE CLASS="command">
+SSLOptions None
+SSLOptions AllowSSL3
+SSLOptions AllowRC4
+</PRE>
+
+<H3>Description</H3>
+
+<P>Sets encryption options (only in /etc/cups/client.conf). By
+default, CUPS only supports encryption using TLS v1.0 or higher using
+known secure cipher suites. The <i>AllowRC4</i> option enables the
+128-bit RC4 cipher suites, which are required for some older clients
+that do not implement newer ones. The <i>AllowSSL3</i> option enables
+SSL v3.0, which is required for some older clients that do not support
+TLS v1.0.</P>
+
 
 <H2 CLASS="title"><A NAME="ServerName">ServerName</A></H2>
 
--- a/man/client.conf.man.in
+++ b/man/client.conf.man.in
@@ -46,6 +46,16 @@
 .br
 Specifies the address and optionally the port to use when connecting to the
 server. \fBNote: Not supported on Mac OS X 10.7 or later.\fR
+.TP 5
+SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR]
+.br
+Sets SSL/TLS protocol options for encrypted connections. By default,
+CUPS only supports encryption using TLS v1.0 or higher using known
+secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit
+RC4 cipher suites, which are required for some older clients that do
+not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
+which is required for some older clients that do not support TLS v1.0.
+.TP 5
 .SH SEE ALSO
 http://localhost:631/help
 .SH COPYRIGHT
--- a/scheduler/client.c
+++ b/scheduler/client.c
@@ -3410,6 +3410,10 @@
   SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
   if (SSLOptions & CUPSD_SSL_NOEMPTY)
     SSL_CTX_set_options(context, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
+  if (!(SSLOptions & CUPSD_SSL_ALLOW_SSL3))
+    SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
+  if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4))
+    SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
   SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
   SSL_CTX_use_certificate_chain_file(context, ServerCertificate);
 
@@ -3481,7 +3485,15 @@
 				       ServerKey, GNUTLS_X509_FMT_PEM);
 
   gnutls_init(&con->http.tls, GNUTLS_SERVER);
-  gnutls_set_default_priority(con->http.tls);
+  if (!SSLOptions)
+    gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
+  else if ((SSLOptions & CUPSD_SSL_ALLOW_SSL3) &&
+	(SSLOptions & CUPSD_SSL_ALLOW_RC4))
+    gnutls_priority_set_direct(con->http.tls, "NORMAL", NULL);
+  else if (SSLOptions & CUPSD_SSL_ALLOW_SSL3)
+    gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128", NULL);
+  else
+    gnutls_priority_set_direct(con->http.tls, "NORMAL:-VERS-SSL3.0", NULL);
 
   gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
   gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr)HTTP(con));

--- End Message ---

--- Begin Message ---

• To: Frederic Bonnard <frediz@linux.vnet.ibm.com>, 839226-done@bugs.debian.org
• Cc: debian-lts@lists.debian.org, debian-release@lists.debian.org
• Subject: Re: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE
• From: Didier 'OdyX' Raboud <odyx@debian.org>
• Date: Fri, 30 Sep 2016 14:51:41 +0200
• Message-id: <3413926.mgdGv8aA39@gyllingar>
• In-reply-to: <[🔎] 20160930125255.GE11135@kin.test.toulouse-stg.fr.ibm.com>
• References: <[🔎] 20160930125255.GE11135@kin.test.toulouse-stg.fr.ibm.com>

Version: 2.0.2-1

Hi Frederic, hi Stable & LTS teams,

Frederic's suggestion is to patch CUPS to disable SSLv3 and RC4 algorithms to 
protect CUPS from the POODLE vulnerability.

Have we removed protocols' support in {old,}stable  before? Ubuntu applied 
this patch in Ubuntu Trusty, and RedHat did it in RHEL-7. I can prepare the 
patches if that's OKay for the LTS and stable release teams.

Looking forward to your feedback!
	Cheers,
	OdyX

Le vendredi, 30 septembre 2016, 12.52:55 h CEST Frederic Bonnard a écrit :
> would it be possible to review and maybe have this patch in wheezy ? (maybe
> also jessie as all cups < 2.1b1 are concerned).
> It has been applied in Redhat/Centos and Ubuntu in greater version (1.6.3
> and 1.7.2).
> I disables SSLv3 by default but gives the possibility with AllowSSL3 to
> turns SSLv3 back on and also AllowRC4 turns on just the RC4 cyphers.
> I tried to backport it to 1.5.3, so double checking would be nice.
> I tried it and it seems to work (also options to re-enable SSL3/RC4
> cyphers). For Jessie, it seems that the patch from Ubuntu
> cups-1.7.2-0ubuntu1.7 applies with some refresh.
> 
> https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1510163
> https://bugzilla.redhat.com/show_bug.cgi?id=1161172
> https://www.cups.org/str.php?L4476

Attachment: signature.asc
Description: This is a digitally signed message part.

--- End Message ---