
CVE-2023-32360 without /etc/cups/cupds.conf



Dear Maintainer,

Thank you for maintaining the cups ecosystem! This is a cornerstone of
many installations.

Today I updated some servers that do not have a print server installed and therefore no /etc/cups/cupds.conf (I guess).

As I get a cups warning, I am a bit confused as to what extent this is applicable.

cups (2.2.10-6+deb10u9) buster-security; urgency=high

  This release addresses a security issue (CVE-2023-32360) which allows
  unauthorized users to fetch documents over local or remote networks.
  Since this is a configuration fix, it might be that it does not reach you if you
  are updating 'cups-daemon' (rather than doing a fresh installation).
  Please double check your /etc/cups/cupds.conf file, whether it limits the access
  to CUPS-Get-Document with something like the following
  >  <Limit CUPS-Get-Document>
  >    AuthType Default
  >    Require user @OWNER @SYSTEM
  >    Order deny,allow
  >   </Limit>
  (The important line is the 'AuthType Default' in this section)


1. I get such warnings only when updating and not at a new installation, so does the reasoning here "if you are updating 'cups-daemon' (rather than doing a fresh installation)." apply automatically or not? That is a bit irritating but not the real problem.

2. The package 'cups-daemon' is not installed.

aptitude search cups|egrep '^i'
i A libcups2 - Common UNIX Printing System(tm) - Core library
i A libcupsfilters1 - OpenPrinting CUPS Filters - Shared library
i A libcupsimage2 - Common UNIX Printing System(tm) - Raster image library

aptitude search cups-daemon

p   cups-daemon - Common UNIX Printing System(tm) - daemon

3. The system has no /etc/cups/cupds.conf, therefore the check is negative; there is no CUPS-Get-Document inside a non-existent file.

What are the consequences?

a) Should I create the file and add the configuration, even though the cups-daemon is not installed?
b) Or should I just ignore this warning and not create the file?
c) Or should I assume that the "configuration fix" did not "reach" me
because the file is not present, even though the text suggests that it
should be, and I should check what went wrong with the update or do something else to fix the system?

I assume I should ignore it, but to be sure I am asking here.

Any advice or comment would be appreciated.

Kind regards
Christian

PS: I am not a member of the list
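
The check that the quoted NEWS entry asks for, written as a shell function (an added example, not part of the original message or of the cups package). It takes the path of the daemon's configuration file as its argument; the function name, messages and exit codes are choices made for this example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example. Exit status (chosen here): 0 = every <Limit> block naming
# CUPS-Get-Document has an AuthType, 1 = a block lacks it or no block names
# the operation, 2 = file absent (nothing to check).
check_cups_get_document() {
    conf="$1"
    [ -f "$conf" ] || { echo "$conf: not present, nothing to check"; return 2; }
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        /^[ \t]*<Limit[ \t>]/ {                   # <Limit Op1 Op2 ...>
            inblock = 1; hit = 0; auth = 0; start = NR
            line = $0; gsub(/[<>]/, " ", line)
            n = split(line, w, /[ \t]+/)
            for (i = 1; i <= n; i++) if (w[i] == "CUPS-Get-Document") hit = 1
            next
        }
        /^[ \t]*<\/Limit>/ {                      # closing tag: judge the block
            if (inblock && hit) {
                seen++
                if (!auth) { bad++; print "line " start ": no AuthType in block" }
            }
            inblock = 0; next
        }
        # AuthType None turns authentication off, so it does not count.
        inblock && $1 == "AuthType" && $2 != "None" { auth = 1 }
        END {
            if (!seen) { print "no <Limit> block names CUPS-Get-Document"; exit 1 }
            if (bad) exit 1
            print "CUPS-Get-Document requires authentication in " seen " block(s)"
        }
    ' "$conf"
}

# Constructed sample: a block that names the operation but has no AuthType.
sample=$(mktemp)
printf '%s\n' '<Limit Send-Document CUPS-Get-Document>' \
    '  Require user @OWNER @SYSTEM' '  Order deny,allow' '</Limit>' > "$sample"
check_cups_get_document "$sample" || echo "exit status $?"
rm -f "$sample"
```

On a host where cups-daemon is installed, the function would be called with the daemon's configuration file, /etc/cups/cupsd.conf, as its argument.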
