LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

The Android Dev Phone 1

LWN.net Weekly Edition for December 25, 2008

The Grumpy Editor's 2008 retrospective

The 2008 Linux and free software timeline

LWN.net Weekly Edition for December 18, 2008

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Fedora alert FEDORA-2008-8844 (cups)



From:
    	      updates@fedoraproject.org


To:
    	      fedora-package-announce@redhat.com


Subject:
    	      [SECURITY] Fedora 9 Update: cups-1.3.9-1.fc9


Date:
    	      Thu, 16 Oct 2008 02:08:34 +0000


Message-ID:
    	      <20081016020834.E5CC020896E@bastion.fedora.phx.redhat.com>


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-8844
2008-10-16 00:45:07
--------------------------------------------------------------------------------

Name        : cups
Product     : Fedora 9
Version     : 1.3.9
Release     : 1.fc9
URL         : http://www.cups.org/
Summary     : Common Unix Printing System
Description :
The Common UNIX Printing System provides a portable printing layer for
UNIX® operating systems. It has been developed by Easy Software Products
to promote a standard printing solution for all UNIX vendors and users.
CUPS provides the System V and Berkeley command-line interfaces.

--------------------------------------------------------------------------------
Update Information:

Security release.  This updates to 1.3.9 and fixes three integer overflows in
the CUPS text and image filters.
--------------------------------------------------------------------------------
ChangeLog:

* Fri Oct 10 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.9-1
- 1.3.9, including fixes for CVE-2008-3639 / STR #2918,
  CVE-2008-3640 / STR #2919 and CVE-2008-3641 / STR #2911
  (bug #466419).
- No longer need str2892 or res_init patches.
* Wed Sep 10 2008 Tim Waugh <twaugh@redhat.com>
- Backported patch for FatalErrors configuration directive
  (bug #314941, STR #2536).
* Wed Sep  3 2008 Tim Waugh <twaugh@redhat.com>
- The dnssd backend uses avahi-browse so require it (bug #458565).
- cups-polld: reinit the resolver if we haven't yet resolved the
  hostname (bug #354071).
* Tue Aug  5 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.8-2
- Mark template files config(noreplace) for site-local modifications
  (bug #441719).
* Sun Aug  3 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.8-1
- 1.3.8.
- Applied patch to fix STR #2892 (bug #453610).
- Removed autoconf requirement by applying autoconf-generated changes
  to patches that caused them.  Affected patches: cups-lspp.
- CVE-2008-1373 patch is no longer needed (applied upstream).
- Mark HTML files and templates config(noreplace) for site-local
  modifications (bug #441719).
- The cups-devel package requires zlib-devel (bug #455192).
* Tue Jul  1 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.7-8
- Fixed bug #447200 again.
* Tue Jun 17 2008 Tim Waugh <twaugh@redhat.com>
- Don't overwrite the upstream snmp.conf file.
* Tue Jun 17 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.7-7
- Backported cupsGetNamedDest from 1.4 (bug #428086).
- Fixed bug #447200 again.
* Tue Jun  3 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.7-6
- Applied patch to fix STR #2750 (IPP authentication).
* Fri May 30 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.7-5
- Better fix for cupsdTimeoutJob LSPP configuration suggested by
  Matt Anderson (bug #447200).
* Thu May 29 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.7-4
- Fix last fix (bug #447200).
* Wed May 28 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.7-3
- If cupsdTimeoutJob is called when the originating connection is still
  known, pass that to the function so that copy_banner can get at it if
  necessary (bug #447200).
* Fri May  9 2008 Tim Waugh <twaugh@redhat.com> 1:1.3.7-2
- Applied patch to fix CVE-2008-1722 (integer overflow in image filter,
  bug #441692, STR #2790).
* Thu Apr  3 2008 Tim Waugh <twaugh@redhat.com>
- Main package requires exactly-matching libs package.
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #464710 - CVE-2008-3639 CUPS: SGI image parser heap-based buffer overflow
        https://bugzilla.redhat.com/show_bug.cgi?id=464710
  [ 2 ] Bug #464713 - CVE-2008-3640 CUPS: texttops integer overflow
        https://bugzilla.redhat.com/show_bug.cgi?id=464713
  [ 3 ] Bug #464716 - CVE-2008-3641 CUPS: HP/GL reader insufficient bounds checking
        https://bugzilla.redhat.com/show_bug.cgi?id=464716
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update cups' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...
(Log in to post comments)

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds