Bug#1052419: cups-daemon: NEWS.Debian is only tech-gibberish
Package: cups-daemon
Version: 2.4.2-6
Severity: normal
Dear Maintainer,
While doing a routine update on my Debian/sid laptop today, I was greeted with
the following:
> cups (2.4.2-6) unstable; urgency=low
>
> In case this is not a fresh installation of cups, please double check
> whether your cupsd.conf really does contain the limitiation for
> "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)
>
> -- Thorsten Alteholz <debian@alteholz.de> Tue, 19 Sep 2023 21:20:27 +0200
wth?
NEWS.Debian is a user-facing interface for telling them important news.
(That's why they are shown in the first place).
As such, I think that the users ought to understand what this means.
I'm fine with the first two lines, but then it goes downhill.
Which "limitation of CUPS-Get-Document"? which patch?
I think we cannot expect our users to do an 'apt-get source cupsd' to hunt down a
patchfile and then understand the implications of what it does.
Even if they are smart enough to just head over to
<https://salsa.debian.org/printing-team/cups/-/blob/605d5df62adecb8941b9b3b25d5b0e92c0df752e/debian/patches/0015-CVE-2023-32360.patch>
to inspect the patch.
And then infer from the subject of the patch that they might also hunt down
CVE-2023-32360 to see what this is all about.
*maybe* (but hey, I know that this is hard to write) something like this is better:
> This release addresses a security issue (CVE-2023-32360) which allows
> unauthorized users to fetch documents over local or remote networks.
> Since this is a configuration fix, it might be that it does not reach you if you
> are updating 'cups-daemon' (rather than doing a fresh installation).
> Please double check your /etc/cups/cupsd.conf file, whether it limits the access
> to CUPS-Get-Document with something like the following
> > <Limit CUPS-Get-Document>
> > AuthType Default
> > Require user @OWNER @SYSTEM
> > Order deny,allow
> > </Limit>
> (The important line is the 'AuthType Default' in this section)
(sidenote: since the NEWS.Debian file is shown only on upgrade, I think it is
safe to assume that "this is not a fresh installation of cups".)
Thanks for maintaining cups, probably one of the most installed packages
(outside of essential) in Debian (that's why I think it is even more important
to get the NEWS right)
cheers
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cups-daemon depends on:
ii adduser 3.137
ii bc 1.07.1-3+b1
ii init-system-helpers 1.65.2
ii libavahi-client3 0.8-11
ii libavahi-common3 0.8-11
ii libc6 2.37-10
ii libcups2 2.4.2-6
ii libdbus-1-3 1.14.10-1
ii libgssapi-krb5-2 1.20.1-4
ii libpam0g 1.5.2-7
ii libpaper1 1.1.29
ii libsystemd0 254.4-1
ii procps 2:4.0.3-1
ii ssl-cert 1.1.2
ii sysvinit-utils [lsb-base] 3.08-1
Versions of packages cups-daemon recommends:
ii avahi-daemon 0.8-11
ii colord 1.4.6-3
ii cups-browsed 1.28.17-3
ii ipp-usb 0.9.23-1+b6
Versions of packages cups-daemon suggests:
ii cups 2.4.2-6
ii cups-bsd 2.4.2-6
ii cups-client 2.4.2-6
ii cups-common 2.4.2-6
ii cups-filters 1.28.17-3
pn cups-pdf <none>
ii cups-ppdc 2.4.2-6
ii cups-server-common 2.4.2-6
ii foomatic-db-compressed-ppds [foomatic-db] 20230202-1
ii ghostscript 10.02.0~dfsg-2
ii poppler-utils 22.12.0-2+b1
pn smbclient <none>
ii udev 254.4-1
-- no debconf information
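Added example, not part of the bug report and not code shipped by the cups package: a POSIX shell check for the condition the proposed NEWS text asks users to verify by hand. It scans a cupsd.conf for a `<Limit ...>` block that names CUPS-Get-Document and carries an AuthType other than None (the "AuthType Default" line the report calls important). The two sample configs are constructed for the demonstration; the file to check on a real system is /etc/cups/cupsd.conf, and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the bug report or the cups package).
# cups_get_document_limited FILE
#   exit 0: FILE has a <Limit ...> block naming CUPS-Get-Document whose
#           AuthType is something other than None (the CVE-2023-32360 fix)
#   exit 1: no such block, or the block only sets AuthType None
# Directive and operation names are compared case-insensitively, as cupsd does.
cups_get_document_limited() {
    awk '
        /^[ \t]*<[Ll][Ii][Mm][Ii][Tt][ \t]/ {
            line = tolower($0)
            gsub(/[<>]/, " ", line)            # "<Limit A B>" -> " limit a b "
            n = split(line, op, /[ \t]+/)
            inblock = 0
            for (i = 1; i <= n; i++) if (op[i] == "cups-get-document") inblock = 1
            next
        }
        /^[ \t]*<\/[Ll][Ii][Mm][Ii][Tt]>/ { inblock = 0; next }
        inblock && tolower($1) == "authtype" && tolower($2) != "none" { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample configs for the demonstration; on a real system check
# /etc/cups/cupsd.conf instead.
tmp=$(mktemp -d)
cat > "$tmp/old.conf" <<'EOF'
<Policy default>
  <Limit Send-Document Send-URI Hold-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
EOF
cat > "$tmp/fixed.conf" <<'EOF'
<Policy default>
  <Limit Send-Document Send-URI Hold-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
EOF
for f in old fixed; do
    if cups_get_document_limited "$tmp/$f.conf"; then
        echo "$f.conf: CUPS-Get-Document requires authentication"
    else
        echo "$f.conf: CUPS-Get-Document is NOT limited; add the AuthType block"
    fi
done
rm -rf "$tmp"
```

The check is deliberately a text-level heuristic: a pre-existing Limit block that lists CUPS-Get-Document among many operations without an AuthType (as in old.conf) does not count, while a dedicated block with AuthType Default does. It does not model which policy a given printer uses, so treat a negative result as a prompt to compare the file against the upstream default, not as a full authorization audit.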