On Monday, 26 November 2012 19:52:46, Michael Sweet wrote:
> OK, I've posted proposed patches for CUPS 1.6 and trunk (1.7); patches for
> older versions of CUPS will be substantially similar (might be some churn
> due to new configuration directives)
>
> Available at:
>
> http://www.cups.org/str.php?L4223
Hi Michael, hi Debian Security Team,

I have now taken a look at the proposed upstream security fix and have merged it in the 1.6.1 branch, see the two commits on the pkg-cups/cups.git repository:

- 6026af39ea3da038c6e49226779de59520da7cc6 for the proposed patches;
- d39e6abee95f747d024f2b41970c6d7a888f0dd0 for the fixes in other patches.

Roughly, the patch splits the configuration stanzas from /etc/cups/cupsd.conf into two files: /etc/cups/cupsd.conf and /etc/cups/cups-files.conf. The first stays web-configurable and the latter can only be configured by root.

While it's a nice long-term solution for new cups installs, I'm afraid it's not suitable as a security hotfix (so probably not targeted at Debian testing nor stable): the administrator has to handle the configuration files split himself. In addition to that, a web-modified cupsd.conf is very likely to hinder the automatic split of the configuration stanzas.

In the longer term (for Jessie), I think web-modifiable cupsd.conf (and printers.conf) should be moved to /var/lib/cupsd/ and I think we should stick to this new cups configuration files handling.

Opinions on ways forward for Wheezy (testing) and Squeeze (stable)?

Cheers,

OdyX
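The message above says the administrator has to perform the cupsd.conf / cups-files.conf split by hand, and that a cupsd.conf rewritten by the web interface (reordered, comments dropped) makes an automatic split harder. The following script is an added example of how such a split and a post-split check could be done; it is not code from the thread, from the Debian package or from upstream CUPS. The set of root-only directives is my assumption, taken from the cups-files.conf(5) man page of that CUPS generation; verify it against the man page shipped with the version you are packaging before using it. The sample configuration is constructed for the example.

```python
"""Split a pre-1.6.2-style cupsd.conf into cupsd.conf + cups-files.conf.

Added example, not part of the original mailing-list thread or of CUPS.
"""
import re

# Assumption: directives that the patched cupsd only reads from
# cups-files.conf (root-editable). Taken from the cups-files.conf(5) man
# page of the CUPS 1.6.x/1.7 generation; check your version's man page.
ROOT_ONLY_DIRECTIVES = frozenset(d.lower() for d in (
    "AccessLog", "CacheDir", "ConfigFilePerm", "DataDir", "DocumentRoot",
    "ErrorLog", "FatalErrors", "FileDevice", "FontPath", "Group",
    "LogFilePerm", "LPDConfigFile", "PageLog", "Printcap", "PrintcapFormat",
    "RemoteRoot", "RequestRoot", "ServerBin", "ServerCertificate",
    "ServerKey", "ServerRoot", "SMBConfigFile", "StateDir", "SystemGroup",
    "SystemGroupAuthKey", "TempDir", "User",
))

# First word of a directive line; comments (#) and blank lines do not match.
_DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\b")


def directive_name(line):
    """Return the lower-cased directive name of a line, or None."""
    m = _DIRECTIVE_RE.match(line)
    return m.group(1).lower() if m else None


def split_cupsd_conf(text, root_only=ROOT_ONLY_DIRECTIVES):
    """Return (cupsd_lines, files_lines).

    Top-level directives whose name is in `root_only` go to cups-files.conf.
    Everything else stays in cupsd.conf: comments, blank lines, the
    <Location>/<Policy>/<Limit> sections with their contents, and the
    web-configurable directives. Names are matched case-insensitively, as
    cupsd does, and line order is irrelevant, so a file that the web
    interface has rewritten and reordered is handled the same way.
    """
    cupsd, files = [], []
    depth = 0  # nesting depth inside <Section> ... </Section> blocks
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("</"):
            depth = max(depth - 1, 0)
            cupsd.append(line)
            continue
        if stripped.startswith("<"):
            depth += 1
            cupsd.append(line)
            continue
        name = directive_name(line)
        if depth == 0 and name in root_only:
            files.append(line)
        else:
            cupsd.append(line)
    return cupsd, files


def leftover_root_only(cupsd_lines, root_only=ROOT_ONLY_DIRECTIVES):
    """Root-only directive names still present in a split cupsd.conf.

    Post-split sanity check: should return an empty list. Anything listed
    here would be left in the web-editable file after the migration.
    """
    return [directive_name(l) for l in cupsd_lines
            if directive_name(l) in root_only]


# Constructed sample in the old single-file layout, with the directive
# order scrambled the way a web-interface rewrite might leave it.
SAMPLE_CUPSD_CONF = """# constructed sample, not a real Debian cupsd.conf
LogLevel warn
MaxLogSize 0
SystemGroup lpadmin
User lp
Group lp
Listen localhost:631
Listen /var/run/cups/cups.sock
Browsing Off
DefaultAuthType Basic
<Location />
  Order allow,deny
</Location>
<Policy default>
  <Limit Pause-Printer>
    Require user @SYSTEM
  </Limit>
</Policy>
ErrorLog /var/log/cups/error_log
FileDevice No
"""

if __name__ == "__main__":
    cupsd_part, files_part = split_cupsd_conf(SAMPLE_CUPSD_CONF)
    print("# cupsd.conf\n" + "\n".join(cupsd_part))
    print("\n# cups-files.conf\n" + "\n".join(files_part))
    print("\nleftover root-only directives:", leftover_root_only(cupsd_part))
```

Running the module on the sample prints the two resulting files and an empty leftover list. To use it on a real system, read /etc/cups/cupsd.conf, write the two parts to new files, and compare `leftover_root_only` against the directive list of the cups-files.conf(5) man page for the CUPS version actually installed; a non-empty list means the directive set assumed above does not match that version.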