<patchinfo>
  <!-- generated from request(s) 353360 -->
  <issue tracker="bnc" id="1219503">cups 2.4.7 in Tumbleweed snapshot 20240131 requires "group(ntadmin)" and pulls in samba as the only provider.</issue>
  <issue tracker="bnc" id="1225365">VUL-0: CVE-2024-35235: cups: Listen port arbitrary chmod 0140777</issue>
  <issue tracker="cve" id="2023-4504"/>
  <issue tracker="cve" id="2023-32324"/>
  <issue tracker="cve" id="2023-32360"/>
  <issue tracker="cve" id="2023-34241"/>
  <issue tracker="cve" id="2024-35235"/>
  <packager>jsmeix</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for cups</summary>
  <description>This update for cups fixes the following issues:

- Version upgrade to 2.4.11:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.11 brings several bug fixes regarding IPP response
  validation, processing PPD values, Web UI support
  (checkbox support, modifying printers) and others fixes.
  Detailed list (from CHANGES.md):
  * Updated the maximum file descriptor limit
    for `cupsd` to 64k-1 (Issue #989)
  * Fixed `lpoptions -d` with a discovered
    but not added printer (Issue #833)
  * Fixed incorrect error message for HTTP/IPP errors (Issue #893)
  * Fixed JobPrivateAccess and SubscriptionPrivateAccess support
    for "all" (Issue #990)
  * Fixed issues with cupsGetDestMediaByXxx (Issue #993)
  * Fixed adding and modifying of printers
    via the web interface (Issue #998)
  * Fixed HTTP PeerCred authentication
    for domain users (Issue #1001)
  * Fixed checkbox support (Issue #1008)
  * Fixed printer state notifications (Issue #1013)
  * Fixed IPP Everywhere printer setup (Issue #1033)
  Issues are those at https://github.com/OpenPrinting/cups/issues
  In particular CUPS 2.4.11 contains those commit regarding
  IPP response validation and processing PPD values:
  * "Quote PPD localized strings"
    https://github.com/OpenPrinting/cups/commit/1e6ca5913eceee906038bc04cc7ccfbe2923bdfd
    plus a cleanup to "Fix warnings for unused vars"
    https://github.com/OpenPrinting/cups/commit/2abe1ba8a66864aa82cd9836b37e57103b8e1a3b

- Version upgrade to 2.4.10:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.10 brings two fixes:
  * Fixed error handling when reading a mixed 1setOf attribute.
  * Fixed scheduler start if there is only domain socket
    to listen on (Issue #985) which is fix for regression
    after fix for CVE-2024-35235 in scenarios where is
    no other listeners in cupsd.conf than domain socket
    created on demand by systemd, launchd or upstart.
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Version upgrade to 2.4.9:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.9 brings security fix for CVE-2024-35235 and
  several bug fixes regarding CUPS Web User Interface,
  PPD generation and HTTP protocol implementation.
  Detailed list (from CHANGES.md):
  * Fixed domain socket handling (CVE-2024-35235)
  * Fixed creating of `cupsUrfSupported` PPD keyword
    (Issue #952)
  * Fixed searching for destinations in web ui (Issue #954)
  * Fixed TLS negotiation using OpenSSL with servers
    that require the TLS SNI extension.
  * Really raised `cups_enum_dests()` timeout for listing
    available IPP printers (Issue #751)...
  * Fixed `Host` header regression (Issue #967)
  * Fixed DNS-SD lookups of local services with Avahi
    (Issue #970)
  * Fixed listing jobs in destinations in web ui.
    (Apple issue #6204)
  * Fixed showing search query in web ui help page.
    (Issue #977)
  Issues are those at https://github.com/OpenPrinting/cups/issues
  Apple issues are those at https://github.com/apple/cups/issues

- Update to version 2.4.8:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.8 brings many bug fixes which aggregated over the last
  half a year. It brings the important fix for race conditions
  and errors which can happen when installing permanent
  IPP Everywhere printer, support for PAM modules password-auth
  and system-auth and new option for lpstat which can show only
  the successful jobs.
  Detailed list (from CHANGES.md):
  * Added warning if the device has to be asked for
    'all,media-col-database' separately (Issue #829)
  * Added new value for 'lpstat' option '-W' - successfull - for
    getting successfully printed jobs (Issue #830)
  * Added support for PAM modules password-auth
    and system-auth (Issue #892)
  * Updated IPP Everywhere printer creation error
    reporting (Issue #347)
  * Updated and documented the MIME typing buffering
    limit (Issue #925)
  * Raised 'cups_enum_dests()' timeout for listing
    available IPP printers (Issue #751)
  * Now report an error for temporary printer defaults
    with lpadmin (Issue #237)
  * Fixed mapping of PPD InputSlot, MediaType,
    and OutputBin values (Issue #238)
  * Fixed "document-unprintable-error" handling (Issue #391)
  * Fixed the web interface not showing an error
    for a non-existent printer (Issue #423)
  * Fixed printing of jobs with job name longer than 255 chars
    on older printers (Issue #644)
  * Really backported fix for Issue #742
  * Fixed 'cupsCopyDestInfo' device connection
    detection (Issue #586)
  * Fixed "Upgrade" header handling when there is
    no TLS support (Issue #775)
  * Fixed memory leak when unloading a job (Issue #813)
  * Fixed memory leak when creating color profiles (Issue #815)
  * Fixed a punch finishing bug in the IPP Everywhere
    support (Issue #821)
  * Fixed crash in 'scan_ps()' if incoming argument
    is NULL (Issue #831)
  * Fixed setting job state reasons for successful
    jobs (Issue #832)
  * Fixed infinite loop in IPP backend if hostname
    is IP address with Kerberos (Issue #838)
  * Added additional check on socket if 'revents' from 'poll()'
    returns POLLHUP together with POLLIN or POLLOUT
    in 'httpAddrConnect2()' (Issue #839)
  * Fixed crash in 'ppdEmitString()' if 'size' is NULL (Issue #850)
  * Fixed reporting 'media-source-supported' when
    sharing printer  which has numbers as strings instead of
    keywords as 'InputSlot' values (Issue #859)
  * Fixed IPP backend to support the "print-scaling" option
    with IPP printers (Issue #862)
  * Fixed potential race condition for the creation
    of temporary queues (Issue #871)
  * Fixed 'httpGets' timeout handling (Issue #879)
  * Fixed checking for required attributes during
    PPD generation (Issue #890)
  * Fixed encoding of IPv6 addresses in HTTP requests (Issue #903)
  * Fixed sending response headers to client (Issue #927)
  * Fixed CGI program initialization and validation
    of form checkbox and text fields.
  Issues are those at https://github.com/OpenPrinting/cups/issues

- Version upgrade to 2.4.7:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.7 is released to ship the fix for CVE-2023-4504
  and several other changes, among them it is
  adding OpenSSL support for cupsHashData function and bug fixes.
  Detailed list:
  * CVE-2023-4504 - Fixed Heap-based buffer overflow when
    reading Postscript in PPD files
  * Added OpenSSL support for cupsHashData (Issue #762)
  * Fixed delays in lpd backend (Issue #741)
  * Fixed extensive logging in scheduler (Issue #604)
  * Fixed hanging of lpstat on IBM AIX (Issue #773)
  * Fixed hanging of lpstat on Solaris (Issue #156)
  * Fixed printing to stderr if we can't open cups-files.conf
    (Issue #777)
  * Fixed purging job files via cancel -x (Issue #742)
  * Fixed RFC 1179 port reserving behavior in LPD backend
    (Issue #743)
  * Fixed a bug in the PPD command interpretation code
    (Issue #768)
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Version upgrade to 2.4.6:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.6 is released to ship the fix for CVE-2023-34241
  and two other bug fixes.
  Detailed list:
  * Fix linking error on old MacOS (Issue #715)
  * Fix printing multiple files on specific printers (Issue #643)
  * Fix use-after-free when logging warnings in case of failures
    in cupsdAcceptClient() (fixes CVE-2023-34241)
  Issues are those at https://github.com/OpenPrinting/cups/issues
- Version upgrade to 2.4.5:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.5 is a hotfix release for a bug which corrupted
  locally saved certificates, which broke secured printing
  via TLS after the first print job.
- Version upgrade to 2.4.4:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.4 release is created as a hotfix for segfault
  in cupsGetNamedDest(), when caller tries to find
  the default destination and the default destination
  is not set on the machine.
- Version upgrade to 2.4.3:
  See https://github.com/openprinting/cups/releases
  CUPS 2.4.3 brings fix for CVE-2023-32324, several improvements
  and many bug fixes. CUPS now implements fallback for printers
  with broken firmware, which is not capable of answering
  to IPP request get-printer-attributes with all,
  media-col-database - this enables driverless support for
  bunch of printers which don't follow IPP Everywhere standard.
  Aside from the CVE fix the most important fixes are around color
  settings, printer application support fixes and OpenSSL support.
  Detailed list of changes:
  * Added a title with device uri for found network printers
    (Issues #402, #393)
  * Added new media sizes defined by IANA (Issues #501)
  * Added quirk for GoDEX label printers (Issue #440)
  * Fixed --enable-libtool-unsupported (Issue #394)
  * Fixed configuration on RISC-V machines (Issue #404)
  * Fixed the device_uri invalid pointer for driverless printers
    with .local hostname (Issue #419)
  * Fixed an OpenSSL crash bug (Issue #409)
  * Fixed a potential SNMP OID value overflow issue (Issue #431)
  * Fixed an OpenSSL certificate loading issue (Issue #465)
  * Fixed Brazilian Portuguese translations (Issue #288)
  * Fixed cupsd default keychain location when building
    with OpenSSL (Issue #529)
  * Fixed default color settings for CMYK printers as well
    (Issue #500)
  * Fixed duplicate PPD2IPP media-type names (Issue #688)
  * Fixed possible heap buffer overflow in _cups_strlcpy()
    (fixes CVE-2023-32324)
  * Fixed InputSlot heuristic for photo sizes smaller than 5x7"
    if there is no media-source in the request (Issue #569)
  * Fixed invalid memory access during generating IPP Everywhere
    queue (Issue #466)
  * Fixed lprm if no destination is provided (Issue #457)
  * Fixed memory leaks in create_local_bg_thread() (Issue #466)
  * Fixed media size tolerance in ippeveprinter (Issue #487)
  * Fixed passing command name without path into ippeveprinter
    (Issue #629)
  * Fixed saving strings file path in printers.conf (Issue #710)
  * Fixed TLS certificate generation bugs (Issue #652)
  * ippDeleteValues would not delete the last value (Issue #556)
  * Ignore some of IPP defaults if the application sends
    its PPD alternative (Issue #484)
  * Make Letter the default size in ippevepcl (Issue #543)
  * Now accessing Admin page in Web UI requires authentication
    (Issue #518)
  * Now look for default printer on network if needed (Issue #452)
  * Now we poll media-col-database separately if we fail at first
    (Issue #599)
  * Now report fax attributes and values as needed (Issue #459)
  * Now localize HTTP responses using the Content-Language value
    (Issue #426)
  * Raised file size limit for importing PPD via Web UI
    (Issue #433)
  * Raised maximum listen backlog size to INT MAX (Issue #626)
  * Update print-color-mode if the printer is modified
    via ColorModel PPD option (Issue #451)
  * Use localhost when printing via printer application
    (Issue #353)
  * Write defaults into /etc/cups/lpoptions if we're root
    (Issue #456)
  Issues are those at https://github.com/OpenPrinting/cups/issues
</description>
  <package>cups</package>
  <seperate_build_arch/>
</patchinfo>