cups: CVE-2018-4700: Linux session cookies used a predictable random number seed

Debian Bug report logs - #915909

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 7 Dec 2018 20:45:02 UTC

Severity: important

Tags: patch, security, upstream

Found in versions cups/2.2.1-8, cups/2.2.9-4, cups/2.2.1-8+deb9u2

Fixed in versions cups/2.2.10-1, cups/2.3~b6-1

Done: Didier Raboud <odyx@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>:
Bug#915909; Package src:cups. (Fri, 07 Dec 2018 20:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Printing Team <debian-printing@lists.debian.org>. (Fri, 07 Dec 2018 20:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: cups: CVE-2018-4700: Linux session cookies used a predictable random number seed
Date: Fri, 07 Dec 2018 21:40:15 +0100
Source: cups
Version: 2.2.9-4
Severity: important
Tags: patch security upstream

Hi,

The following vulnerability was published for cups.

CVE-2018-4700[0]:
Linux session cookies used a predictable random number seed

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-4700
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4700
[1] https://github.com/apple/cups/commit/feb4c62b211bfbd78dc10d737d873439ccdfa58c
[2] https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Marked as found in versions cups/2.2.1-8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 08 Dec 2018 10:03:02 GMT)


Marked as found in versions cups/2.2.1-8+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 08 Dec 2018 10:03:04 GMT)


Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Sat, 08 Dec 2018 12:36:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 08 Dec 2018 12:36:08 GMT)


Message #14 received at 915909-close@bugs.debian.org:

From: Didier Raboud <odyx@debian.org>
To: 915909-close@bugs.debian.org
Subject: Bug#915909: fixed in cups 2.2.10-1
Date: Sat, 08 Dec 2018 12:34:13 +0000
Source: cups
Source-Version: 2.2.10-1

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 915909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 08 Dec 2018 12:58:43 +0100
Source: cups
Binary: libcups2 libcupsimage2 cups cups-core-drivers cups-daemon cups-client cups-ipp-utils libcups2-dev libcupsimage2-dev cups-bsd cups-common cups-server-common cups-ppdc
Architecture: source
Version: 2.2.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
 cups       - Common UNIX Printing System(tm) - PPD/driver support, web interfa
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-core-drivers - Common UNIX Printing System(tm) - driverless printing
 cups-daemon - Common UNIX Printing System(tm) - daemon
 cups-ipp-utils - Common UNIX Printing System(tm) - IPP developer/admin utilities
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 cups-server-common - Common UNIX Printing System(tm) - server common files
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
Closes: 915909
Changes:
 cups (2.2.10-1) unstable; urgency=medium
 .
   * New 2.2.10 upstream release
     - CVE-2018-4700: Linux session cookies used a predictable random number
       seed (Closes: #915909)
   * Manpage translations refresh
   * Drop superfluous dpkg-dev B-D
Checksums-Sha1:
 76a71faa79201efed0a768fade6ddcd087df3d53 3258 cups_2.2.10-1.dsc
 6c9ae0eb292f4604109553795726c0184c8a0058 10403568 cups_2.2.10.orig.tar.gz
 4825086c0b2dd9fdd89f1ec4ee10c295b5d62d8f 864 cups_2.2.10.orig.tar.gz.asc
 1cf384ade574fd0827cdbfafa313531724b4f079 349736 cups_2.2.10-1.debian.tar.xz
Checksums-Sha256:
 e15e2da5455813da77e43c9addb45cd392892216aa15f25a55023ff37fed6310 3258 cups_2.2.10-1.dsc
 77c8b2b3bb7fe8b5fbfffc307f2c817b2d7ec67b657f261a1dd1c61ab81205bb 10403568 cups_2.2.10.orig.tar.gz
 be235dd0cc526e5bde2a67f0dc2888be5d8dc40d1dfa44ab1a322d83f606e82d 864 cups_2.2.10.orig.tar.gz.asc
 a9b17c1b925a39f87db4ab25ebf64c06326766c94ef8e6087af085084be3953e 349736 cups_2.2.10-1.debian.tar.xz
Files:
 0a55ebdab7d66b2bb1322bfb6a9b584c 3258 net optional cups_2.2.10-1.dsc
 3d22d747403ec5dcd0b66d1332564816 10403568 net optional cups_2.2.10.orig.tar.gz
 f4cd381ccf4c052fdfba96f34bd87089 864 net optional cups_2.2.10.orig.tar.gz.asc
 88a5a7449708a9d9f16e4fc4da46f7a9 349736 net optional cups_2.2.10-1.debian.tar.xz

Reply sent to Didier Raboud <odyx@debian.org>:
You have taken responsibility. (Mon, 10 Dec 2018 09:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 10 Dec 2018 09:51:03 GMT)


Message #19 received at 915909-close@bugs.debian.org:

From: Didier Raboud <odyx@debian.org>
To: 915909-close@bugs.debian.org
Subject: Bug#915909: fixed in cups 2.3~b6-1
Date: Mon, 10 Dec 2018 09:49:13 +0000
Source: cups
Source-Version: 2.3~b6-1

We believe that the bug you reported is fixed in the latest version of
cups, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 915909@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 10 Dec 2018 10:18:41 +0100
Source: cups
Binary: libcups2 libcupsimage2 cups cups-core-drivers cups-daemon cups-client cups-ipp-utils libcups2-dev libcupsimage2-dev cups-bsd cups-common cups-server-common cups-ppdc
Architecture: source
Version: 2.3~b6-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Description:
 cups       - Common UNIX Printing System(tm) - PPD/driver support, web interfa
 cups-bsd   - Common UNIX Printing System(tm) - BSD commands
 cups-client - Common UNIX Printing System(tm) - client programs (SysV)
 cups-common - Common UNIX Printing System(tm) - common files
 cups-core-drivers - Common UNIX Printing System(tm) - driverless printing
 cups-daemon - Common UNIX Printing System(tm) - daemon
 cups-ipp-utils - Common UNIX Printing System(tm) - IPP developer/admin utilities
 cups-ppdc  - Common UNIX Printing System(tm) - PPD manipulation utilities
 cups-server-common - Common UNIX Printing System(tm) - server common files
 libcups2   - Common UNIX Printing System(tm) - Core library
 libcups2-dev - Common UNIX Printing System(tm) - Development files CUPS library
 libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
 libcupsimage2-dev - Common UNIX Printing System(tm) - Development files CUPS image li
Closes: 915909
Changes:
 cups (2.3~b6-1) experimental; urgency=medium
 .
   * New 2.3~b6 upstream pre-release
     - CVE-2018-4700: Linux session cookies used a predictable random number
       seed (Closes: #915909)
     - The `cupsaddsmb` program has been removed (Issue #5449)
     - The `cupstestdsc` program has been removed (Issue #5450)
     - Rebase patches
 .
   * Merge 2.2.10-1
   * Manpage translations update
   * Add patch to fix FTBFS due to wrong `usage(int)` usage
   * Update libcups2 symbols: +12 cupsRaster*
   * Cope with cupsaddsmb and cupstestdsc removals:
     - Remove from cups-client installed files
     - Remove from manpage translation infrastructure
     - Remove from libcups2's README.Debian
Checksums-Sha1:
 ec9edac4f9d8a16b69d070456eed7edf4638917f 3254 cups_2.3~b6-1.dsc
 c582c879e689c5e69015ca23fa36d8fcb7036c0c 10240934 cups_2.3~b6.orig.tar.gz
 dd4dd7f214262eeee7b2f229fd1f89daef426480 864 cups_2.3~b6.orig.tar.gz.asc
 fbce7bf3708d3f983681c000206787fdeeba005c 349912 cups_2.3~b6-1.debian.tar.xz
Checksums-Sha256:
 35755a1ca183ea35979ec4572a66d35a4fd3ce8aea311bf9135dd58cff061de1 3254 cups_2.3~b6-1.dsc
 8e2f5acecb4fb71c46d5a4fecbd5d78ce7d9e7be9920d38d344ee414065061b7 10240934 cups_2.3~b6.orig.tar.gz
 67e6ff6669fda21c3d4370933a53e4b224a021d13c52ef82fd2bb6148603c86f 864 cups_2.3~b6.orig.tar.gz.asc
 37e731822a2dda4df3f243d45bfd5d0b282279e27679312cf3c1563addebef87 349912 cups_2.3~b6-1.debian.tar.xz
Files:
 786fe2f459e52e189b41714d4227f364 3254 net optional cups_2.3~b6-1.dsc
 774784e45046ad10e5a51db861f3be75 10240934 net optional cups_2.3~b6.orig.tar.gz
 587177b8c1a3a014f9659a769067993a 864 net optional cups_2.3~b6.orig.tar.gz.asc
 9b40d2b39a2712dda2e890df10c61cec 349912 net optional cups_2.3~b6-1.debian.tar.xz

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 12 Jan 2019 07:26:05 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:11:51 2019; Machine Name: beach
