[SECURITY] [DLA 1288-1] cups security update

2018-02-2215:20:39

lists.debian.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

Confidence

High

EPSS

0.003

Percentile

70.6%

JSON

Package : cups
Version : 1.5.3-5+deb7u7
CVE ID : CVE-2017-18190

It was discovered that there was an issue in the CUPS printer
framework where remote attackers could execute arbitrary commands by
sending POST requests to the CUPS daemon in conjunction with DNS
rebinding.

This was caused by a whitelisted "localhost.localdomain" entry.

For Debian 7 "Wheezy", this issue has been fixed in cups version
1.5.3-5+deb7u7.

We recommend that you upgrade your cups packages.

Regards,

  ,&#x27;&#x27;`.
 : :&#x27;  :     Chris Lamb
 `. `&#x27;`      [email protected] / chris-lamb.co.uk
   `-

OSVersionArchitecturePackageVersionFilename
Debian7amd64cups< 1.5.3-5+deb7u7cups_1.5.3-5+deb7u7_amd64.deb
Debian8amd64libcupscgi1< 1.7.5-11+deb8u3libcupscgi1_1.7.5-11+deb8u3_amd64.deb
Debian9amd64libcupsimage2-dev< 2.2.1-8+deb9u1libcupsimage2-dev_2.2.1-8+deb9u1_amd64.deb
Debian9i386libcupsppdc1< 2.2.1-8+deb9u1libcupsppdc1_2.2.1-8+deb9u1_i386.deb
Debian9amd64cups-client-dbgsym< 2.2.1-8+deb9u1cups-client-dbgsym_2.2.1-8+deb9u1_amd64.deb
Debian9amd64cups-ipp-utils< 2.2.1-8+deb9u1cups-ipp-utils_2.2.1-8+deb9u1_amd64.deb
Debian9arm64libcupsimage2-dbgsym< 2.2.1-8+deb9u1libcupsimage2-dbgsym_2.2.1-8+deb9u1_arm64.deb
Debian9mipslibcups2-dev< 2.2.1-8+deb9u1libcups2-dev_2.2.1-8+deb9u1_mips.deb
Debian9mipsellibcupsimage2-dbgsym< 2.2.1-8+deb9u1libcupsimage2-dbgsym_2.2.1-8+deb9u1_mipsel.deb
Debian8armelcups-core-drivers< 1.7.5-11+deb8u3cups-core-drivers_1.7.5-11+deb8u3_armel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	7	amd64	cups	< 1.5.3-5+deb7u7	cups_1.5.3-5+deb7u7_amd64.deb
Debian	8	amd64	libcupscgi1	< 1.7.5-11+deb8u3	libcupscgi1_1.7.5-11+deb8u3_amd64.deb
Debian	9	amd64	libcupsimage2-dev	< 2.2.1-8+deb9u1	libcupsimage2-dev_2.2.1-8+deb9u1_amd64.deb
Debian	9	i386	libcupsppdc1	< 2.2.1-8+deb9u1	libcupsppdc1_2.2.1-8+deb9u1_i386.deb
Debian	9	amd64	cups-client-dbgsym	< 2.2.1-8+deb9u1	cups-client-dbgsym_2.2.1-8+deb9u1_amd64.deb
Debian	9	amd64	cups-ipp-utils	< 2.2.1-8+deb9u1	cups-ipp-utils_2.2.1-8+deb9u1_amd64.deb
Debian	9	arm64	libcupsimage2-dbgsym	< 2.2.1-8+deb9u1	libcupsimage2-dbgsym_2.2.1-8+deb9u1_arm64.deb
Debian	9	mips	libcups2-dev	< 2.2.1-8+deb9u1	libcups2-dev_2.2.1-8+deb9u1_mips.deb
Debian	9	mipsel	libcupsimage2-dbgsym	< 2.2.1-8+deb9u1	libcupsimage2-dbgsym_2.2.1-8+deb9u1_mipsel.deb
Debian	8	armel	cups-core-drivers	< 1.7.5-11+deb8u3	cups-core-drivers_1.7.5-11+deb8u3_armel.deb