Re: [Pkg-cups-devel] cups stable update for CVE-2009-0164
Hello,

Nico Golde [2009-04-26 15:43 +0200]:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for cups some time ago.
> 
> CVE-2009-0164[0]:
> | The web interface for CUPS before 1.3.10 does not validate 
> | the HTTP Host header in a client request, which makes it 
> | easier for remote attackers to conduct DNS rebinding 
> | attacks.
> 
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.
> 
> However it would be nice if this could get fixed via a regular point update[1].

The reason why I didn't include it in the recent DSA in the first
place was that the rationale is dubious, and that the changed
behaviour could cause regressions. Now that the patch is in unstable
(through the new upstream version 1.3.10) I very much suspect that bug
525910 is one such regression.

Thus I will not ever propose to upload this patch to stable-updates
either. 

Does anyone think that this is serious enough?

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
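The check that the CVE text above says is missing is an allowlist comparison of the HTTP Host header against the names the server expects to be reached by. The following is an added illustration of that check in Python; it is not CUPS code and not the upstream 1.3.10 patch, and the function names, the loopback defaults and the sample allowlist and port are assumptions made here. It also shows why the behaviour change carries the regression risk Martin describes: any hostname that is not on the allowlist is rejected outright, so a legitimate name that the administrator forgot to configure stops working.

```python
"""Host-header allowlist check of the kind CVE-2009-0164 describes as missing.
Added illustration, not CUPS code. Assumed names: parse_host_header,
host_header_allowed, LOOPBACK_HOSTS, and the constructed allowlist and port
used in the usage call at the bottom."""
import ipaddress
from typing import Optional, Set, Tuple

# Names by which a service may always be reached from the local machine (assumption).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_host_header(value: str) -> Optional[Tuple[str, Optional[int]]]:
    """Split a Host header into (lower-cased host, port or None).

    Returns None for anything malformed: whitespace, an empty host, an
    unbalanced IPv6 bracket, or a non-numeric or out-of-range port.
    """
    if not value or any(c.isspace() for c in value):
        return None
    if value.startswith("["):
        # Bracketed IPv6 literal, e.g. "[::1]:631".
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
    else:
        host, sep, port_text = value.partition(":")
        rest = sep + port_text
    if not host:
        return None
    port: Optional[int] = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            return None
        port = int(rest[1:])
        if not 1 <= port <= 65535:
            return None
    return host.lower(), port


def host_header_allowed(value: str, allowed_hosts: Set[str], listen_port: int) -> bool:
    """True only if the Host header names this server by an expected name.

    In a DNS rebinding request the browser fills Host in from the attacker's
    URL, so the header carries a foreign hostname even though the TCP
    connection arrives locally; comparing it against an allowlist rejects it.
    """
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, port = parsed
    if port is not None and port != listen_port:
        return False
    return host in LOOPBACK_HOSTS or host in {h.lower() for h in allowed_hosts}


if __name__ == "__main__":
    # Constructed sample: a print server listening on 631, configured with one name.
    allow = {"printserver.example"}
    for hdr in ("localhost:631", "[::1]:631", "PrintServer.example",
                "attacker.example:631", "localhost:80", "[::1"):
        print(f"{hdr!r:28} -> {host_header_allowed(hdr, allow, 631)}")
```

The first three sample headers are accepted and the last three rejected. Note that a name missing from `allow` is rejected exactly like an attacker-controlled one, which is the behaviour change that has to be weighed against the benefit before it goes into a stable release.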
