Package: cups-daemon Version: 2.2.10-6+deb10u3 Severity: normal Apparantly, there is something fishy in cups around server host names. I found several issues:
(1) When the client is configured to connect to the server using a host name unknown to the server (the name is sent in the "Host:" header), the server responds with status code 400 (Bad Request). By the HTTP standard, this is the correct response if the Host header is missing, present multiple times, or malformed. But I seriously doubt that 400 applies when the Host header matches no host name of the server. (2) If lpstat (and probably other clients, too) receives the status code 400, it gives a misleading error message "Error - add '/version=1.1' to server name". Adding that does not help the above issue and the message is given even if the version string is already present. ... let's move on to why the server's opinion on its own host name is wrong: (3) cupsd uses gethostname() to get the host name. By Debian Reference, section 3.2.1 (https://www.debian.org/doc/manuals/debian-reference/ch03.en.html#_the_hostname), this should be only the system hostname, not a FQDN. Still, cupsd boldly compares this to the value in the Host header, which usually is a FQDN. (4) cupsd is willing to use gethostbyname() to obtain additional host aliases from /etc/hosts, but only if the HostNameLookups switch is on. This does not match the documentation (both the man page and https://www.cups.org/doc/man-cupsd.conf.html), which explicitly tells that HostNameLookups affects only reverse lookups of connecting clients. (5) cupsd also matches the Host header against the list of network interfaces (function valid_host() in scheduler/client.c) in the NetIFList. However, the function cupsdNetIFUpdate (scheduler/network.c) which populates this list seems to be never called, at least in the default configuration. Also, local IP addresses of interfaces are resolved to host names only if HostNameLookups is turned on. (6) HostNameLookups is not turned on in default configuration, so cupsd knows only the unqualified hostname. (Still, it's probably a good idea to have it turned off since resolving all client IPs slows the server down. It is really unfortunate that HostNameLookups controls two unrelated things.) All this put together, cupsd in Debian Buster works with non-local clients only if they refer to the server by its unqualified hostname. If they want to use the FQDN, cupsd configuration must include either HostNameLookups or explicit ServerName/ServerAlias with the FQDN. -- System Information: Debian Release: 10.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.19.0-8-amd64 (SMP w/8 CPU cores) Locale: LANG=C, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8), LANGUAGE=en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages cups-daemon depends on: ii adduser 3.118 ii bc 1.07.1-2+b1 ii libavahi-client3 0.7-4+b1 ii libavahi-common3 0.7-4+b1 ii libc6 2.28-10 ii libcups2 2.2.10-6+deb10u3 ii libdbus-1-3 1.12.16-1 ii libgssapi-krb5-2 1.17-3 ii libpam0g 1.3.1-5 ii libpaper1 1.1.28 ii libsystemd0 241-7~deb10u4 ii lsb-base 10.2019051400 ii procps 2:3.3.15-2 ii ssl-cert 1.0.39 Versions of packages cups-daemon recommends: ii avahi-daemon 0.7-4+b1 ii colord 1.4.3-4 ii cups-browsed 1.21.6-5 Versions of packages cups-daemon suggests: ii cups 2.2.10-6+deb10u3 ii cups-bsd 2.2.10-6+deb10u3 ii cups-client 2.2.10-6+deb10u3 ii cups-common 2.2.10-6+deb10u3 ii cups-filters [foomatic-filters] 1.21.6-5 pn cups-pdf <none> ii cups-ppdc 2.2.10-6+deb10u3 ii cups-server-common 2.2.10-6+deb10u3 ii foomatic-db 20181217-2 ii ghostscript 9.27~dfsg-2+deb10u3 pn hplip <none> ii poppler-utils 0.71.0-5 pn printer-driver-gutenprint <none> pn printer-driver-hpcups <none> ii smbclient 2:4.9.5+dfsg-5+deb10u1 ii udev 241-7~deb10u4 -- no debconf information
