Update branch slfo-main to current OBS Factory

cups.changes

@@ -1,3 +1,153 @@
+-------------------------------------------------------------------
+Wed Jan 21 08:38:41 UTC 2026 - Johannes Meixner <jsmeix@suse.com>
+
+- Version upgrade to 2.4.16:
+  See https://github.com/openprinting/cups/releases
+  The hotfix release 2.4.16 includes fix for infinite loop in GTK,
+  which was caused by change of internal behavior in libcups
+  on which GTK depended on, and workaround for stopping
+  the scheduler if configuration includes unknown directives.
+  Detailed list (from CHANGES.md):
+  * 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences,
+    potentially reading past the end of the source string
+    (Issue #1438)
+  * The web interface did not support domain usernames fully
+    (Issue #1441)
+  * Fixed an infinite loop issue in the GTK+ print dialog
+    (Issue #1439 boo#1254353)
+  * Fixed stopping scheduler on unknown directive in
+    configuration (Issue #1443)
+  Issues are those at https://github.com/OpenPrinting/cups/issues
+- Version upgrade to 2.4.15:
+  See https://github.com/openprinting/cups/releases
+  The release CUPS 2.4.15 brings two CVE fixes:
+  Fix various cupsd issues which cause local DoS
+  (CVE-2025-61915 bsc#1253783)
+  Fix unresponsive cupsd process caused by slow client
+  (CVE-2025-58436 bsc#1244057)
+  and several bug fixes described in CHANGES.md.
+  Detailed list (from CHANGES.md):
+  * Fixed potential crash in 'cups-driverd' when there are
+    duplicate PPDs (Issue #1355)
+  * Fixed error recovery when scanning for PPDs
+    in 'cups-driverd' (Issue #1416)
+  Issues are those at https://github.com/OpenPrinting/cups/issues
+- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.16
+- Fixed entry below dated "Sat Sep 30 08:52:42 UTC 2017"
+  which contained needless UTF-8 Unicode characters that are
+  now replaced by plain ASCII text in "... line - the ..."
+  to fix a rpmlint "non-break-space" warning.
+- Adapted and enhanced 'tmpfiles.d' related things in cups.spec
+  to "Fix packages for Immutable Mode - cups"
+  (implementation task jsc#PED-14775 from epic jsc#PED-14688)
+
+-------------------------------------------------------------------
+Wed Sep 17 06:47:34 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
+
+- Version upgrade to 2.4.14:
+  See https://github.com/openprinting/cups/releases
+  The hotfix release brings fix for installation process
+  of localized templates and CUPS web UI home pages.
+- Version upgrade to 2.4.13:
+  See https://github.com/openprinting/cups/releases
+  The release 2.4.13 brings two CVE fixes
+  fix for important CVE-2025-58060
+  "Authentication bypass with AuthType Negotiate" (bsc#1249049)
+  and fix for moderate CVE-2025-58364
+  "Remote DoS via null dereference" (bsc#1249128)
+  together with several bug fixes.
+  The release includes a new feature - new attribute
+  for printer and job objects - print-as-raster - which
+  allows enforce rasterization of the file for
+  IPP Everywhere/AirPrint printers, which supports PDF
+  and raster document formats. The feature is useful for
+  working around internal PDF issues in the printer firmware,
+  for example missing diacritic when printing a PDF.
+  Detailed list (from CHANGES.md):
+  * Blocked authentication using alternate methods
+    in cupsd (CVE-2025-58060)
+  * Fixed extension tag handling in 'ipp_read_io()'
+    in libcups (CVE-2025-58364)
+  * Added 'print-as-raster' printer and job attributes
+    for forcing rasterization (Issue #1282)
+  * Updated documentation (Issue #1086)
+  * Updated IPP backend to try a sanitized user name if the
+    printer/server does not like the value (Issue #1145)
+  * Updated the scheduler to send the "printer-added"
+    or "printer-modified" events  whenever an IPP Everywhere PPD
+    is installed (Issue #1244)
+  * Updated the scheduler to send the "printer-modified" event
+    whenever the system default printer is changed (Issue #1246)
+  * Fixed a memory leak in 'httpClose' (Issue #1223)
+  * Fixed missing commas in 'ippCreateRequestedArray'
+    (Issue #1234)
+  * Fixed subscription issues in the scheduler and D-Bus notifier
+    (Issue #1235)
+  * Fixed media-default reporting for custom sizes (Issue #1238)
+  * Fixed support for IPP/PPD options with periods or underscores
+    (Issue #1249)
+  * Fixed parsing of real numbers in PPD compiler source files
+    (Issue #1263)
+  * Fixed scheduler freezing with zombie clients (Issue #1264)
+  * Fixed support for the server name in the ErrorLog filename
+    (Issue #1277)
+  * Fixed job cleanup after daemon restart (Issue #1315)
+  * Fixed handling of buggy DYMO USB printer serial numbers
+   (Issue #1338)
+  * Fixed unreachable block in IPP backend (Issue #1351)
+  * Fixed memory leak in _cupsConvertOptions (Issue #1354)
+  Issues are those at https://github.com/OpenPrinting/cups/issues
+- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.14
+
+-------------------------------------------------------------------
+Thu Apr 10 13:37:02 UTC 2025 - Johannes Meixner <jsmeix@suse.com>
+
+- Version upgrade to 2.4.12:
+  See https://github.com/openprinting/cups/releases
+  The last planned release of CUPS 2.4.x series
+  (the next will be 2.5.x series) contains several enhancements
+  among set of bug fixes, such following cryptographic policies
+  when using GnuTLS crypto provider and possibility to opt-out
+  from this behavior, logging job debugging history if print
+  queue backends fails, or raising alerts for certificate issues
+  in IPPS backend.
+  Detailed list (from CHANGES.md):
+  * GnuTLS follows system crypto policies now (Issue #1105)
+  * Added `NoSystem` SSLOptions value (Issue #1130)
+  * Now we raise alert for certificate issues (Issue #1194)
+  * Added Kyocera USB quirk (Issue #1198)
+  * The scheduler now logs a job's debugging history
+    if the backend fails (Issue #1205)
+  * Fixed a potential timing issue with `cupsEnumDests`
+    (Issue #1084)
+  * Fixed a potential "lost PPD" condition in the scheduler
+    (Issue #1109)
+  * Fixed a compressed file error handling bug (Issue #1070)
+  * Fixed a bug in the make-and-model whitespace trimming
+    code (Issue #1096)
+  * Fixed a removal of IPP Everywhere permanent queue
+    if installation failed (Issue #1102)
+  * Fixed `ServerToken None` in scheduler (Issue #1111)
+  * Fixed invalid IPP keyword values created from PPD
+    option names (Issue #1118)
+  * Fixed handling of "media" and "PageSize" in the same
+    print request (Issue #1125)
+  * Fixed client raster printing from macOS (Issue #1143)
+  * Fixed the default User-Agent string.
+  * Fixed a recursion issue in `ippReadIO`.
+  * Fixed handling incorrect radix in `scan_ps()` (Issue #1188)
+  * Fixed validation of dateTime values with time zones
+    more than UTC+11 (Issue #1201)
+  * Fixed attributes returned by the Create-Xxx-Subscriptions
+    requests (Issue #1204)
+  * Fixed `ippDateToTime` when using a non GMT/UTC timezone
+    (Issue #1208)
+  * Fixed `job-completed` event notifications for jobs that are
+    cancelled before started (Issue #1209)
+  * Fixed DNS-SD discovery with `ippfind` (Issue #1211)
+  Issues are those at https://github.com/OpenPrinting/cups/issues
+- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.12
+  
 -------------------------------------------------------------------
 Wed Oct 16 14:58:07 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
 
@@ -1237,7 +1387,7 @@ Fri Oct 13 11:11:10 UTC 2017 - jengelh@inai.de
 -------------------------------------------------------------------
 Sat Sep 30 08:52:42 UTC 2017 - jengelh@inai.de
 
-- Remove redundant Requires(pre) line — the use of %post -p
+- Remove redundant Requires(pre) line - the use of %post -p
   already implies it.
 
 -------------------------------------------------------------------

cups.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package cups
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2026 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -40,18 +40,18 @@ Name:           cups
 # "zypper vcmp 2.3.b99 2.3.0" shows "2.3.b99 is older than 2.3.0" and
 # "zypper vcmp 2.2.99 2.3b6" show "2.2.99 is older than 2.3b6" so that
 # version upgrades from 2.2.x via 2.3.b* to 2.3.0 work:
-Version:        2.4.11
+Version:        2.4.16
 Release:        0
 Summary:        The Common UNIX Printing System
 License:        Apache-2.0
 Group:          Hardware/Printing
 URL:            https://openprinting.github.io/cups
 # To get Source0 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.4.11-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.11/cups-2.4.11-source.tar.gz
-Source0:        https://github.com/OpenPrinting/cups/releases/download/v2.4.11/cups-2.4.11-source.tar.gz
+# wget --no-check-certificate -O cups-2.4.16-source.tar.gz https://github.com/OpenPrinting/cups/releases/download/v2.4.16/cups-2.4.16-source.tar.gz
+Source0:        https://github.com/OpenPrinting/cups/releases/download/v2.4.16/cups-2.4.16-source.tar.gz
 # To get Source1 go to https://github.com/OpenPrinting/cups/releases or use e.g.
-# wget --no-check-certificate -O cups-2.4.11-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.11/cups-2.4.11-source.tar.gz.sig
-Source1:        https://github.com/OpenPrinting/cups/releases/download/v2.4.11/cups-2.4.11-source.tar.gz.sig
+# wget --no-check-certificate -O cups-2.4.16-source.tar.gz.sig https://github.com/OpenPrinting/cups/releases/download/v2.4.16/cups-2.4.16-source.tar.gz.sig
+Source1:        https://github.com/OpenPrinting/cups/releases/download/v2.4.16/cups-2.4.16-source.tar.gz.sig
 # To make Source2 use e.g.
 #   gpg --keyserver keys.openpgp.org --recv-keys 7082A0A50A2E92640F3880E0E4522DCC9B246FF7
 #   gpg --export --armor 7082A0A50A2E92640F3880E0E4522DCC9B246FF7 >cups.keyring
@@ -61,7 +61,7 @@ Source2:        cups.keyring
 # To manually verify Source0 with Source1 and Source2 do e.g.
 #   gpg --import cups.keyring
 #   gpg --list-keys | grep -1 'Zdenek Dohnal'
-#   gpg --verify cups-2.4.11-source.tar.gz.sig cups-2.4.11-source.tar.gz
+#   gpg --verify cups-2.4.16-source.tar.gz.sig cups-2.4.16-source.tar.gz
 Source102:      Postscript.ppd.gz
 Source105:      Postscript-level1.ppd.gz
 Source106:      Postscript-level2.ppd.gz
@@ -408,7 +408,6 @@ ln -sf libcups.so.2 %{buildroot}%{_libdir}/libcups.so
 test -d %{buildroot}%{_libdir}/pkgconfig || mv %{buildroot}/usr/lib/pkgconfig %{buildroot}%{_libdir}/pkgconfig
 # Add missing usual directories:
 install -d -m755 %{buildroot}%{_datadir}/cups/drivers
-install -d -m755 %{buildroot}%{_localstatedir}/cache/cups
 # Add conf/pam.suse regarding support for PAM (see Patch100: cups-pam.diff):
 %if 0%{?suse_version} > 1500
 install -d -m755 %{buildroot}%{_pam_vendordir}
@@ -446,21 +445,43 @@ ln -s service %{buildroot}%{_sbindir}/rccups
 ln -s service %{buildroot}%{_sbindir}/rccups-lpd
 %endif
 # Install /usr/lib/tmpfiles.d/cups.conf
-# According to
-# https://developers.redhat.com/blog/2016/09/20/managing-temporary-files-with-systemd-tmpfiles-on-rhel7/
-#   d /var/spool/cups/tmp - - - 30d
-# results that each file older than 30 days on /var/spool/cups/tmp will be deleted where a file
-# will be considered unused only if atime, mtime and ctime are all older than the specified time.
-# We use group 'root' for /run/cups/certs (instead of 'sys')
-#   d /run/cups/certs 0511 lp root -
-# because of https://bugzilla.opensuse.org/show_bug.cgi?id=1042916
 mkdir -p %{buildroot}%{_tmpfilesdir}
 cat > %{buildroot}%{_tmpfilesdir}/cups.conf <<EOF
 # See tmpfiles.d(5) for details
 # Type(d=directory) Path Mode UID GID Age(until delete when cleaning)
+# When cupsd creates directories with specific owner group and permissions
+# (usually owner is 'root' and group matches "configure --with-cups-group=lp")
+# we must specify same owner group and permission settings here
+# to ensure those directories are installed by RPM with the right settings
+# because if those directories were installed by RPM with different settings then
+# cupsd would use them as is and not adjust its specific owner group and permissions.
+# How cupsd creates those directories:
+#   drwxr-xr-x root lp   /run/cups
+#   dr-x--x--x lp   root /run/cups/certs
+#   drwxr-xr-x root lp   /var/log/cups
+#   drwxrwx--- root lp   /var/cache/cups
+#   drwxrwxr-x root lp   /var/cache/cups/rss
+#   drwx--x--- root lp   /var/spool/cups
+#   drwxrwx--T root lp   /var/spool/cups/tmp
+# see https://bugzilla.suse.com/show_bug.cgi?id=1184161#c7
+# We use group 'root' for /run/cups/certs (instead of 'sys')
+# because of https://bugzilla.opensuse.org/show_bug.cgi?id=1042916
+# The 'lp' user does not need write permissions in /var/log/cups
+# regardless that filters and backends are usually run as user 'lp' because
+# filters and backends write log messages to the inherited stderr file descriptor
+# and do not append them directly to /var/log/cups/error_log (via fopen on their own).
+# According to
+# https://developers.redhat.com/blog/2016/09/20/managing-temporary-files-with-systemd-tmpfiles-on-rhel7/
+#   d /var/spool/cups/tmp ... 30d
+# results that each file older than 30 days on /var/spool/cups/tmp will be deleted where a file
+# will be considered unused only if atime, mtime and ctime are all older than the specified time.
 d /run/cups 0755 root lp -
 d /run/cups/certs 0511 lp root -
-d %{_localstatedir}/spool/cups/tmp - - - 30d
+d %{_localstatedir}/log/cups 0755 root lp -
+d %{_localstatedir}/cache/cups 0770 root lp -
+d %{_localstatedir}/cache/cups/rss 0775 root lp -
+d %{_localstatedir}/spool/cups 0710 root lp -
+d %{_localstatedir}/spool/cups/tmp 1770 root lp 30d
 EOF
 # Never run fdupes carelessly over the whole buildroot directory
 # because in older openSUSE and SLE11 versions fdupes
@@ -591,23 +612,29 @@ exit 0
 # In particular all executables are listed explicitly.
 # This avoids that CUPS' configure magic might silently
 # not build and install an executable when whatever condition
-# for configure's automated tests is not fulfilled in the build system.
-# See https://bugzilla.suse.com/show_bug.cgi?id=526847#c9
+# for configure's automated tests is not fulfilled in the build system,
+# see https://bugzilla.suse.com/show_bug.cgi?id=526847#c9
 # Regarding specific owner group and permission settings for directories
 # see https://bugzilla.suse.com/show_bug.cgi?id=1184161
 # When cupsd creates directories with specific owner group and permissions
 # (usually owner is 'root' and group matches "configure --with-cups-group=lp")
 # we must specify same owner group and permission settings here
-# to ensure those directories are installed by RPM with the right settings
-# because if those directories were installed by RPM with different settings then
-# cupsd would use them as is and not adjust its specific owner group and permissions.
-# How cupsd creates those directories:
-# drwxr-xr-x ... root lp ... /etc/cups/ppd
+# to ensure those directories are installed by RPM with the right settings.
+# When those directories were installed by RPM with different settings then
+# cupsd would adapt them and report that in /var/log/cups/error_log
+# with debug messages for example like
+# D ... Creating missing directory "/var/spool/cups"
+# D ... Repairing ownership of "/var/spool/cups"
+# D ... Repairing access permissions of "/var/spool/cups"
+# D ... Repairing ownership of "/etc/cups/ssl"
+# D ... Repairing access permissions of "/etc/cups/ssl"
+# How cupsd creates those directories see the tmpfiles.d part above and
+# drwxr-xr-x root lp /etc/cups/ppd
+# drwx------ root lp /etc/cups/ssl
 # see https://bugzilla.suse.com/show_bug.cgi?id=1184161#c7
 # The /etc/cups/ssl directory is not created by cupsd (but needed by it)
 # and when needed (e.g. during the first run of "# lpstat -E -p")
 # cupsd creates files in /etc/cups/ssl like localhost.crt and localhost.key
-# so we specify secure owner group and permissions for /etc/cups/ssl
 %config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/cups-files.conf
 %config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/cupsd.conf
 %config(noreplace) %attr(640,root,lp) %{_sysconfdir}/cups/snmp.conf
@@ -621,7 +648,7 @@ exit 0
 %config %{_sysconfdir}/cups/cups-files.conf.default
 %config %{_sysconfdir}/cups/snmp.conf.default
 %dir %attr(755,root,lp) %{_sysconfdir}/cups/ppd
-%dir %attr(700,root,root) %{_sysconfdir}/cups/ssl
+%dir %attr(700,root,lp) %{_sysconfdir}/cups/ssl
 %{_unitdir}/cups.service
 %{_unitdir}/cups.socket
 %{_unitdir}/cups.path
@@ -780,16 +807,6 @@ exit 0
 %files config
 # Regarding specific owner group and permission settings for directories
 # see the above comment in the files section of the main package.
-# How cupsd creates those directories:
-# drwx--x--- ... root lp ... /var/spool/cups
-# drwxrwx--T ... root lp ... /var/spool/cups/tmp
-# drwxr-xr-x ... root lp ... /var/log/cups
-# drwxrwx--- ... root lp ... /var/cache/cups
-# see https://bugzilla.suse.com/show_bug.cgi?id=1184161#c7
-# The 'lp' user does not need write permissions in /var/log/cups
-# regardless that filters and backends are usually run as user 'lp' because
-# filters and backends write log messages to the inherited stderr file descriptor
-# and do not append them directly to /var/log/cups/error_log (via fopen on their own).
 # The /etc/cups directory is not created by cupsd but needed by it
 # because cupsd cannot start if there is no /etc/cups/cupsd.conf file
 # (otherwise cupsd aborts with: "Unable to open /etc/cups/cupsd.conf").
@@ -798,10 +815,6 @@ exit 0
 %dir %attr(0755,root,lp) /etc/cups
 %endif
 %config(noreplace) %{_sysconfdir}/cups/client.conf
-%dir %attr(0710,root,lp) %{_var}/spool/cups
-%dir %attr(1770,root,lp) %{_var}/spool/cups/tmp
-%dir %attr(0755,root,lp) %{_var}/log/cups
-%dir %attr(0770,root,lp) %{_var}/cache/cups
 %{_bindir}/cups-config
 %{_datadir}/locale/*/cups_*
 %doc %{_mandir}/man1/cups-config.1.gz

downgrade-autoconf-requirement.patch

@@ -1,5 +1,5 @@
---- configure.ac.orig	2024-09-30 13:38:35.000000000 +0200
-+++ configure.ac	2024-09-30 15:02:31.994893137 +0200
+--- configure.ac.orig	2025-12-04 09:13:12.000000000 +0100
++++ configure.ac	2026-01-21 09:36:54.702856497 +0100
 @@ -9,8 +9,8 @@ dnl Licensed under Apache License v2.0.
  dnl information.
  dnl
@@ -10,4 +10,4 @@
 +AC_PREREQ([2.69])
  
  dnl Package name and version...
- AC_INIT([CUPS],[2.4.11],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])
+ AC_INIT([CUPS],[2.4.16],[https://github.com/openprinting/cups/issues],[cups],[https://openprinting.github.io/cups])