[Pkg-cups-devel] Bug#530027: cups: Request from "…" using invalid Host: field "…"

Ben Finney ben+debian at benfinney.id.au
Sun Dec 6 00:28:01 UTC 2009


package cups
found 530027 1.4.2-4
thanks

On 23-May-2009, Ben Finney wrote:
> On 23-May-2009, Ben Finney wrote:
> > Could this be related to the following entry in the Debian
> > changelog:
> > 
> > =====
> >   * New upstream security/bug fix release:
> >     - The scheduler now protects against DNS rebinding attacks. Please note
> >       that this could lead to some regressions. (CVE-2009-0164)
> > =====
> > 
> > I'm completely unable to print or manage CUPS while this
> > continues. That sounds like a regression to me, but there's no
> > hint of how to fix it or know whether that's behind the problem.

This bug continues to occur in cups 1.4.2-4.

Enabling debug logging shows the following log entries when a client
attempts to connect:

=====
D [06/Dec/2009:11:14:27 +1100] cupsdAcceptClient: 13 from 192.168.5.7:631 (IPv4)
D [06/Dec/2009:11:14:27 +1100] cupsdReadClient: 13 GET / HTTP/1.1
D [06/Dec/2009:11:14:27 +1100] cupsdSetBusyState: Active clients and dirty files
D [06/Dec/2009:11:14:27 +1100] cupsdAuthorize: No authentication data provided.
E [06/Dec/2009:11:14:27 +1100] Request from "192.168.5.7" using invalid Host: field "printserver:631"
D [06/Dec/2009:11:14:27 +1100] cupsdReadClient: 13 Closing because Keep-Alive disabled
D [06/Dec/2009:11:14:27 +1100] cupsdCloseClient: 13
D [06/Dec/2009:11:14:27 +1100] cupsdSetBusyState: Dirty files
=====

What is the plan to address this bug? I'm unable to upgrade to any
version released in Squeeze so far.

-- 
 \         “People's Front To Reunite Gondwanaland: Stop the Laurasian |
  `\              Separatist Movement!” —wiredog, http://kuro5hin.org/ |
_o__)                                                                  |
Ben Finney <ben at benfinney.id.au>
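
An added example, not part of the original message and not CUPS code: a small parser that pulls the "invalid Host: field" rejections out of a debug log in the format quoted above and groups them by host name. The sample lines after the first `E` entry are constructed, and `host_allowed` is a simplified, assumed model of a Host-header allow-list, not cupsd's actual logic.

```python
import re
from collections import Counter

# Constructed sample in the format of the log excerpt quoted in the message.
SAMPLE_LOG = '''\
D [06/Dec/2009:11:14:27 +1100] cupsdReadClient: 13 GET / HTTP/1.1
E [06/Dec/2009:11:14:27 +1100] Request from "192.168.5.7" using invalid Host: field "printserver:631"
E [06/Dec/2009:11:15:02 +1100] Request from "192.168.5.9" using invalid Host: field "PrintServer:631"
E [06/Dec/2009:11:16:40 +1100] Request from "192.168.5.9" using invalid Host: field "printserver.example.lan:631"
D [06/Dec/2009:11:16:40 +1100] cupsdCloseClient: 13
'''

REJECT_RE = re.compile(
    r'^E \[(?P<ts>[^\]]+)\] Request from "(?P<client>[^"]*)" '
    r'using invalid Host: field "(?P<host>[^"]*)"')

def split_host(value):
    """Return the lower-cased host part of a Host header value, without port."""
    value = value.strip().lower()
    if value.startswith('['):                 # bracketed IPv6 literal
        return value[1:value.find(']')] if ']' in value else value
    if value.count(':') > 1:                  # unbracketed IPv6, no port to strip
        return value
    host, sep, port = value.rpartition(':')
    return host if sep and port.isdigit() else value

def rejected_hosts(log_text):
    """Count rejected Host names and collect the clients that sent them."""
    counts, clients = Counter(), {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            name = split_host(m.group('host'))
            counts[name] += 1
            clients.setdefault(name, set()).add(m.group('client'))
    return counts, clients

def host_allowed(value, known_names):
    """Simplified allow-list check (an assumption, not cupsd's actual logic)."""
    return split_host(value).rstrip('.') in {n.lower() for n in known_names}

if __name__ == '__main__':
    counts, clients = rejected_hosts(SAMPLE_LOG)
    for name, n in counts.most_common():
        print(f'{n:3d}  {name}  from {sorted(clients[name])}')
```

The names it reports are the ones to compare against the names the server is configured to answer to; cupsd.conf has a `ServerAlias` directive for listing additional names.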




