Package: cups
Version: 2.4.7-1
Severity: important

Dear Maintainer,

The NEWS entry for CVE-2023-32360 says /etc/cups/cupds.conf when it
should say /etc/cups/cupsd.conf.

In addition, after reading the NEWS entry and reviewing the contents
of my cupsd.conf file, I'm left completely clueless about whether I
actually need to change anything, or if doing so will break cups.

Two reasons for this:

* I don't have any "<Limit CUPS-Get-Document>" stanzas in my
cupsd.conf. All of the stanzas that reference CUPS-Get-Document
reference many other commands at the same time. For example:

  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs 
Set-Job-Attributes Create-Job-Subscription Renew-Subscription 
Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job 
Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job 
CUPS-Get-Document>

I don't know whether changing one of these stanzas will break
something because it will affect things other than CUPS-Get-Document.

* There are three different <Limit ...> blocks in my cupsd.conf that
reference CUPS-Get-Document, under <Policy Default>, <Policy
Authenticated>, and <Policy kerberos>. The first has no "AuthType
Default" line, the second says "AuthType Default", and the third says
"AuthType Negotiate". I don't know whether I need to add "AuthType
Default" to the first one or if the fact that the second one already
has "AuthType Default" means I'm protected.

This isn't great.

  jik
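
An added example, not part of the original report or of the cups package: a small Python audit that lists, for each policy, the <Limit> block naming CUPS-Get-Document, the other operations sharing that block, and the AuthType line it carries, if any. The function name `audit` and the embedded sample configuration are assumptions constructed for illustration.

```python
import re
# Constructed sample mirroring the layout the report describes; not a real cupsd.conf.
SAMPLE = """\
<Policy default>
  <Limit Send-Document Hold-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
  </Limit>
  <Limit All>
  </Limit>
</Policy>
<Policy authenticated>
  <Limit Send-Document CUPS-Get-Document>
    AuthType Default
  </Limit>
</Policy>
<Policy kerberos>
  <Limit Send-Document CUPS-Get-Document>
    AuthType Negotiate
  </Limit>
</Policy>
"""

def audit(conf_text, op="CUPS-Get-Document"):
    """Per <Limit> naming op: (policy, other ops in the block, AuthType or None)."""
    results, policy, block = [], None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"<Policy\s+(\S+)>$", line, re.I):
            policy = m.group(1)
        elif re.match(r"</Policy>$", line, re.I):
            policy = None
        elif m := re.match(r"<Limit\s+(.+)>$", line, re.I):
            ops = m.group(1).split()
            others = [o for o in ops if o.lower() != op.lower()]
            # Track the block only if it names op; AuthType is filled in below.
            block = [policy, others, None] if len(others) < len(ops) else None
        elif re.match(r"</Limit>$", line, re.I):
            if block:
                results.append(tuple(block))
            block = None
        elif block and line.lower().startswith("authtype"):
            block[2] = (line.split(None, 1) + [""])[1]
    return results

if __name__ == "__main__":
    for policy, others, authtype in audit(SAMPLE):
        print(f"{policy}: AuthType {authtype or 'absent'}, block shared with {len(others)} other op(s)")
```

To check a live system, pass the contents of /etc/cups/cupsd.conf to `audit()` instead of `SAMPLE`.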
