Bug#1083067: cups: CVE-2024-47176 reports severe vulnerability in CUPS
On Tue, 1 Oct 2024, Murray, Ronald-1 (A&F) wrote:
> Perhaps you should simply reassign the bug to the cups-browsed package instead?

No, in the Debian bug tracker you assign a bug to a source package and
there is no source package "cups-browsed" in Debian. There is a binary
package "cups-browsed" that is built from source package "cups-filters"
and this was already fixed on 29.09.

> All I know is that our security people notified me about this vulnerability, and had me shut down the cups services.

This is not a good sign for your security people.

> As for your apparent inability to understand that CVE-2024-47176 applies to at least some part of the cups system, it certainly says that it does in the link I provided.

Before you write such stuff, I would recommend becoming familiar with the
Debian security tracker. All relevant bugs about the recent CUPS CVEs have
been filed and all upstream patches have been applied to the corresponding
Debian packages.

> And the cups-browsed service does indeed bind to `*:631 ( INADDR_ANY )`:

Yes, this is intentional and changing it won't help much. But this would
be something you need to discuss with upstream.

Thorsten