Bug#1053857: cups: CVE-2023-32360 instructions in NEWS have a typo and are unclear
Package: cups
Version: 2.4.7-1
Severity: important
Dear Maintainer,
The NEWS entry for CVE-2023-32360 says /etc/cups/cupds.conf when it
should say /etc/cups/cupsd.conf.
In addition, after reading the NEWS entry and reviewing the contents
of my cupsd.conf file, I'm left completely clueless about whether I
actually need to change anything, or if doing so will break cups.
Two reasons for this:
* I don't have any "<Limit CUPS-Get-Document>" stanzas in my
cupsd.conf. All of the stanzas that reference CUPS-Get-Document
reference many other commands at the same time. For example:
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
I don't know whether changing one of these stanzas will break
something because it will affect things other than CUPS-Get-Document.
* There are three different <Limit ...> blocks in my cupsd.conf that
reference CUPS-Get-Document, under <Policy Default>, <Policy
Authenticated>, and <Policy kerberos>. The first has no "AuthType
Default" line, the second says "AuthType Default", and the third says
"AuthType Negotiate". I don't know whether I need to add "AuthType
Default" to the first one or if the fact that the second one already
has "AuthType Default" means I'm protected.
This isn't great.
jik
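Added example, not part of jik's report and not code from the cups package: a small Python audit that does mechanically what the report describes doing by hand, walking a cupsd.conf and reporting, per <Policy>, every <Limit> block that names CUPS-Get-Document, whether the block carries an AuthType line, and how many other operations share that block (so the admin can see what else an added AuthType would affect). It also produces a copy of the file with "AuthType Default" inserted into the blocks that lack it, which is the change the NEWS entry asks for; writing that copy back is left to the admin. cupsd applies one policy to a given queue (the queue's OpPolicy, or DefaultPolicy otherwise), so the script treats each <Policy> on its own rather than letting the authenticated policy's AuthType line count for the default policy. The embedded sample configuration is constructed to mirror the three policies described in the report; the function names are my own.

```python
"""Audit a cupsd.conf for <Limit> blocks covering CUPS-Get-Document
that have no AuthType line (added example; not from the cups package)."""
import re
import sys

POLICY_OPEN = re.compile(r"^\s*<Policy\s+(\S+)\s*>", re.I)
POLICY_CLOSE = re.compile(r"^\s*</Policy\s*>", re.I)
LIMIT_OPEN = re.compile(r"^\s*<Limit\s+(.+?)\s*>", re.I)
LIMIT_CLOSE = re.compile(r"^\s*</Limit\s*>", re.I)
AUTHTYPE = re.compile(r"^\s*AuthType\s+(\S+)", re.I)

# Constructed sample modelled on the report: three policies, only the first
# of which lacks AuthType in the <Limit> that names CUPS-Get-Document.
SAMPLE_CONF = """\
# constructed sample cupsd.conf fragment
# (not a real /etc/cups/cupsd.conf)
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
<Policy authenticated>
  <Limit Send-Document Send-URI Hold-Job Release-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
<Policy kerberos>
  <Limit Send-Document Send-URI Hold-Job Release-Job CUPS-Move-Job CUPS-Get-Document>
    AuthType Negotiate
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
"""


def parse_limits(conf):
    """Yield (policy, operations, authtype, open_idx, close_idx) for every
    <Limit> block; policy is None for a <Limit> outside any <Policy>."""
    policy, ops, authtype, start = None, None, None, None
    for n, raw in enumerate(conf.splitlines()):
        line = raw.split("#", 1)[0]  # drop trailing comments
        if (m := POLICY_OPEN.match(line)):
            policy = m.group(1)
        elif POLICY_CLOSE.match(line):
            policy = None
        elif (m := LIMIT_OPEN.match(line)):
            ops, authtype, start = m.group(1).split(), None, n
        elif LIMIT_CLOSE.match(line) and ops is not None:
            yield policy, ops, authtype, start, n
            ops = None
        elif ops is not None and (m := AUTHTYPE.match(line)):
            authtype = m.group(1)


def audit(conf, op="CUPS-Get-Document"):
    """One dict per <Limit> block that explicitly names `op`.  <Limit All>
    is only the catch-all for operations no other <Limit> in the policy
    names, so it is not treated as covering `op`."""
    findings = []
    for policy, ops, authtype, start, end in parse_limits(conf):
        if op.lower() not in (o.lower() for o in ops):
            continue
        findings.append({
            "policy": policy,
            "authtype": authtype,  # None: the block has no AuthType line
            "other_ops": [o for o in ops if o.lower() != op.lower()],
            "lines": (start + 1, end + 1),  # 1-based, for the admin
        })
    return findings


def unprotected_policies(conf, op="CUPS-Get-Document"):
    """Names of policies whose <Limit> for `op` carries no AuthType."""
    return sorted({str(f["policy"]) for f in audit(conf, op) if f["authtype"] is None})


def add_authtype(conf, op="CUPS-Get-Document", authtype="Default"):
    """Return conf with 'AuthType <authtype>' inserted as the first directive
    of every <Limit> block that names `op` and has no AuthType.  Nothing else
    in the block is changed; the caller decides whether to write it out."""
    lines = conf.splitlines()
    # Insert bottom-up so the recorded line numbers stay valid.
    for f in sorted(audit(conf, op), key=lambda f: f["lines"][0], reverse=True):
        if f["authtype"] is not None:
            continue
        open_idx = f["lines"][0] - 1
        indent = re.match(r"\s*", lines[open_idx]).group(0) + "  "
        lines.insert(open_idx + 1, f"{indent}AuthType {authtype}")
    return "\n".join(lines) + ("\n" if conf.endswith("\n") else "")


def main(argv):
    conf = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONF
    for f in audit(conf):
        status = f"AuthType {f['authtype']}" if f["authtype"] else "NO AuthType"
        print(f"policy {str(f['policy']):<14} lines {f['lines'][0]}-{f['lines'][1]}: "
              f"{status}; block also covers {len(f['other_ops'])} other operations")
    missing = unprotected_policies(conf)
    print("policies lacking AuthType for CUPS-Get-Document:", ", ".join(missing) or "none")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_cupsd.py /etc/cups/cupsd.conf`; with no argument it runs against the constructed sample. The exit status is non-zero when any policy still has an unprotected block, which makes it usable as a post-upgrade check.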