[Pkg-cups-devel] Bug#692791: members of lpadmin can read every file on server via cups

Michael Sweet msweet at apple.com
Tue Nov 27 22:14:21 UTC 2012


Note: disabling the web interface is not enough, you also need to disable HTTP PUT in cupsd, which takes care of cupsctl too. However, since that also disables helpful things like changing the log level you might want to reconsider fixing things that way...



On 2012-11-27, at 3:51 PM, Didier 'OdyX' Raboud <odyx at debian.org> wrote:

> On Tuesday, 27 November 2012 15.30:46, Marc Deslauriers wrote:
>> FYI, as a security fix for our stable releases in Ubuntu, we plan on
>> disabling cupsd.conf modification in the web interface entirely.
>> Attached is the patch we plan on using.
> 
> Hi Marc,
> 
> while testing your patch I noticed it was not masking the "Edit Configuration 
> File" input button in all locales (found in templates/*/admin.tmpl in 1.5.3).
> 
> Updated patch is attached.
> 
> Cheers,
> 
> OdyX
> <CVE-2012-5519.patch>


