[Pkg-cups-devel] Bug#530027: cups: Request from " … " using invalid Host: field " … "
Ben Finney
ben+debian at benfinney.id.au
Mon Sep 13 06:17:01 UTC 2010
package cups
severity 530027 grave
thanks
On 11-Oct-2009, Ian Zimmerman wrote:
> If you look at the valid_host() function, in the case the connecting
> address matches 127.*.*.* [1], the ServerAlias check is completely
> bypassed and only "localhost" or its numerical equivalents are
> allowed as values of the Host: header.
Which is no use when the software is running on a remote print server;
the client's ‘localhost’ is not the print server.
> This breaks connection via SSH tunnels, maybe other things.
> I'll have to downgrade to 1.3.* until this is fixed :(
This has been the case for me for every version in Squeeze since I
initially reported this bug.
Given the number of people reporting the same bug and for whom the
workarounds do not help, I'm upgrading the severity to ‘grave’ since
for many people this bug makes the package completely unusable.
> Interestingly, I have apache2 set up the same way and it cares not
> one whit about the Host header. Perhaps the cure is worse than the
> disease here, given that the original vulnerability was mostly
> theoretical and involved broken clients?
Could the maintainer please respond on this? It seems that the
original patch should be reverted to address this bug.
--
“Good judgement comes from experience. Experience comes from bad judgement.” —Frederick P. Brooks
Ben Finney <ben at benfinney.id.au>
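As an added illustration (not CUPS's code, and not written by anyone in this thread): a constructed Host: check that shows the loopback short-circuit Ian describes next to a version that also consults a hypothetical ServerAlias list, so a client arriving through an SSH tunnel can name the real print server and still be accepted. The alias names and the port-stripping helper are assumptions for the example.

```c
/* Constructed example of the Host: header check discussed in the thread.
 * Not CUPS source; the alias list and helper names are invented here. */
#include <stdbool.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

/* Hypothetical ServerAlias entries an admin would configure for the
 * print server that clients reach through an SSH tunnel. */
static const char *server_aliases[] = { "printsrv.example.internal", "printsrv", NULL };

/* Copy the host part of "host[:port]" into buf, keeping bracketed IPv6 literals whole. */
static void strip_port(const char *host, char *buf, size_t len) {
    size_t n;
    if (host[0] == '[') {                       /* "[::1]:631" -> "[::1]" */
        const char *end = strchr(host, ']');
        n = end ? (size_t)(end - host) + 1 : strlen(host);
    } else {
        n = strcspn(host, ":");                 /* "localhost:631" -> "localhost" */
    }
    if (n >= len) n = len - 1;
    memcpy(buf, host, n);
    buf[n] = '\0';
}

/* "localhost" or its numerical loopback equivalents. */
static bool is_localhost_name(const char *h) {
    return strcmp(h, "localhost") == 0 || strncmp(h, "127.", 4) == 0 || strcmp(h, "[::1]") == 0;
}

static bool matches_alias(const char *h) {
    for (const char **a = server_aliases; *a; a++)
        if (strcasecmp(h, *a) == 0) return true;  /* Host names are case-insensitive */
    return false;
}

/* Logic as the bug report describes it: a peer on 127.* is only allowed to
 * send localhost-style names; ServerAlias is never consulted for it. */
bool valid_host_reported(const char *peer_ip, const char *host_hdr) {
    char h[256]; strip_port(host_hdr, h, sizeof h);
    if (strncmp(peer_ip, "127.", 4) == 0)
        return is_localhost_name(h);
    return is_localhost_name(h) || matches_alias(h);
}

/* Corrected logic: the Host: header is still validated against a known set of
 * names, but the peer address no longer restricts which configured names count,
 * so a tunnelled client naming the real server passes while unknown names fail. */
bool valid_host_fixed(const char *peer_ip, const char *host_hdr) {
    char h[256]; strip_port(host_hdr, h, sizeof h);
    (void)peer_ip;
    return is_localhost_name(h) || matches_alias(h);
}
```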