Dear Maintainer,
thank you for maintaining the cups ecosystem! This is a cornerstone of
many installations.
Today I updated some servers that do not have a print server installed
and therefore no /etc/cups/cupds.conf (I guess).
As I get a cups warning, I am a bit confused as to what extent this is
applicable.
cups (2.2.10-6+deb10u9) buster-security; urgency=high
This release addresses a security issue (CVE-2023-32360) which allows
unauthorized users to fetch documents over local or remote networks.
Since this is a configuration fix, it might be that it does not reach you if you
are updating 'cups-daemon' (rather than doing a fresh installation).
Please double check your /etc/cups/cupds.conf file, whether it limits the access
to CUPS-Get-Document with something like the following
> <Limit CUPS-Get-Document>
> AuthType Default
> Require user @OWNER @SYSTEM
> Order deny,allow
> </Limit>
(The important line is the 'AuthType Default' in this section)
1. Only when updating do I get such warnings, and not at a new installation,
so does the reasoning here "if you are updating 'cups-daemon' (rather than
doing a fresh installation)." apply automatically or not? That is a bit
irritating but not the real problem.
2. The package 'cups-daemon' is not installed.
aptitude search cups|egrep '^i'
i A libcups2 - Common UNIX Printing System(tm) - Core library
i A libcupsfilters1 - OpenPrinting CUPS Filters - Shared library
i A libcupsimage2 - Common UNIX Printing System(tm) - Raster image library
aptitude search cups-daemon
p cups-daemon - Common UNIX Printing System(tm) - daemon
3. The system has no /etc/cups/cupds.conf, therefore the check is
negative: there is no CUPS-Get-Document inside a non-existing file.
What are the consequences?
a) Should I create the file and add the configuration, even though the
cups-daemon is not installed?
b) Or should I just ignore this warning and not create the file?
c) Or should I assume that the "configuration fix" did not "reach" me
because the file is not present, even though the text suggests that it
should be, and I should check what went wrong with the update or do
something else to fix the system?
I assume I should ignore it, but to be sure I am asking here.
Any advice or comment would be appreciated.
Kind regards
Christian
PS: I am not a member of the list
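
Added example (not part of the original message, and not code from CUPS or Debian): a shell helper that performs the check the quoted NEWS entry asks for, reporting whether a configuration file has a Limit block covering CUPS-Get-Document and whether that block sets AuthType. The function names, the result strings and the rule that any AuthType value other than None counts as set are assumptions of this example; the file path is passed as an argument.

```shell
#!/bin/sh
# Added example; check_get_document and cups_daemon_installed are hypothetical names.

# True if dpkg reports the cups-daemon package as fully installed.
cups_daemon_installed() {
    dpkg-query -W -f='${Status}' cups-daemon 2>/dev/null |
        grep -q 'install ok installed'
}

# Prints one of: absent | no-limit | missing-authtype | ok
check_get_document() {
    conf=$1
    # No configuration file: there is no Limit section to audit.
    [ -f "$conf" ] || { echo absent; return 0; }
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        { gsub(/^[ \t]+|[ \t]+$/, "") }            # trim indentation
        $0 == "" { next }
        # A <Limit ...> line may name several operations at once.
        /^<Limit[ \t]/ {
            line = $0; sub(/>$/, "", line)
            n = split(line, ops, /[ \t]+/)
            inblock = 0
            for (i = 2; i <= n; i++)
                if (ops[i] == "CUPS-Get-Document") {
                    inblock = 1; seen++; auth = 0
                }
            next
        }
        /^<\/Limit>/ {
            if (inblock && !auth) bad++            # block closed without AuthType
            inblock = 0
            next
        }
        # Assumption: any AuthType value except None counts as set;
        # the NEWS entry itself uses "AuthType Default".
        inblock && tolower($1) == "authtype" && NF >= 2 &&
            tolower($2) != "none" { auth = 1 }
        END {
            if (inblock && !auth) bad++            # unterminated block
            if (!seen) print "no-limit"
            else if (bad) print "missing-authtype"
            else print "ok"
        }
    ' "$conf"
}
```

A result of "absent" only says that the file at the given path does not exist; cups_daemon_installed tells you separately whether the daemon package that would read it is present.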