Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

Red Hat Enterprise Linux 6 RHSA-2014:1388-02 Moderate: CUPS Fixes

red hat
Calendar Grey October 14, 2014
Scroller Redhat
Revised cups packages released for Red Hat Enterprise Linux 6 addressing several bugs and security vulnerabilities. Advisory classified as moderate.
Updated cups packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

Summary

CUPS provides a portable printing layer for Linux, UNIX, and similar operating systems.
A cross-site scripting (XSS) flaw was found in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface. (CVE-2014-2856)
It was discovered that CUPS allowed certain users to create symbolic links in certain directories under /var/cache/cups/. A local user with the 'lp' group privileges could use this flaw to read the contents of arbitrary files on the system or, potentially, escalate their privileges on the system. (CVE-2014-3537, CVE-2014-5029, CVE-2014-5030, CVE-2014-5031)
The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat Product Security.
These updated cups packages also include several bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the References section, for information on the most significant of these changes.
All cups users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the cupsd daemon will be restarted automatically.

References

https://access.redhat.com/security/cve/CVE-2014-2856 https://access.redhat.com/security/cve/CVE-2014-3537 https://access.redhat.com/security/cve/CVE-2014-5029 https://access.redhat.com/security/cve/CVE-2014-5030 https://access.redhat.com/security/cve/CVE-2014-5031 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.6_Technical_Notes/cups.html#RHSA-2014-1388

Package List

Red Hat Enterprise Linux Desktop (v. 6):
Source: cups-1.4.2-67.el6.src.rpm
i386: cups-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-lpd-1.4.2-67.el6.i686.rpm
x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
i386: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-php-1.4.2-67.el6.i686.rpm
x86_64: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node (v. 6):
Source: cups-1.4.2-67.el6.src.rpm
x86_64: cups-1.4.2-67.el6.x86_64.rpm cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-libs-1.4.2-67.el6.i686.rpm cups-libs-1.4.2-67.el6.x86_64.rpm cups-lpd-1.4.2-67.el6.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
x86_64: cups-debuginfo-1.4.2-67.el6.i686.rpm cups-debuginfo-1.4.2-67.el6.x86_64.rpm cups-devel-1.4.2-67.el6.i686.rpm cups-devel-1.4.2-67.el6.x86_64.rpm cups-php-1.4.2-67.el6.x86_64.rpm


Read the Full Advisory


Advisory ID: RHSA-2014:1388-02
Product: Red Hat Enterprise Linux
Issue date: 2014-10-14

Topic

Updated cups packages that fix multiple security issues and several bugsare now available for Red Hat Enterprise Linux 6.Red Hat Product Security has rated this update as having Moderate securityimpact. Common Vulnerability Scoring System (CVSS) base scores, which givedetailed severity ratings, are available for each vulnerability from theCVE links in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64

Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64

Red Hat Enterprise Linux HPC Node (v. 6) - x86_64

Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64

Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

Bugs Fixed

978387 - Bad IPP responses with version 2.0 (collection handling bug)

1012482 - /etc/cron.daily/cups breaks rule GEN003080 in Red Hat security guide

1087122 - CVE-2014-2856 cups: cross-site scripting flaw fixed in the 1.7.2 release

1115576 - CVE-2014-3537 cups: insufficient checking leads to privilege escalation

1122600 - CVE-2014-5029 cups: Incomplete fix for CVE-2014-3537

1128764 - CVE-2014-5030 cups: allows local users to read arbitrary files via a symlink attack

1128767 - CVE-2014-5031 cups: world-readable permissions

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.