Package: release.debian.org Severity: normal Tags: bullseye User: release.debian....@packages.debian.org Usertags: pu
After uploading the fix for CVE-2023-4504 and CVE-2023-32360 to Buster I got some complaints: - the mentioned filename of the cupsd configuration contained a typo and several users were unsure what to do now ... - ... especially as the contents of debian/NEWS was also shown on computers where only cups client was installed. So this upload fixes the typo and removes debian/NEWS again, so that the text is only shown when cups-daemon will be updated. I know it is rather late for this, but maybe this makes things easier for our users. Thorsten
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog --- cups-2.3.3op2/debian/changelog 2023-09-29 21:20:27.000000000 +0200 +++ cups-2.3.3op2/debian/changelog 2023-10-05 16:35:27.000000000 +0200 @@ -1,3 +1,11 @@ +cups (2.3.3op2-3+deb11u6) bullseye; urgency=medium + + * remove debian/NEWS again to avoid too much information when only + the client part is installed + * fix typo in config filename + + -- Thorsten Alteholz <deb...@alteholz.de> Thu, 05 Oct 2023 16:35:27 +0200 + cups (2.3.3op2-3+deb11u5) bullseye; urgency=medium * move debian/NEWS.Debian to debian/NEWS diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS cups-2.3.3op2/debian/cups-daemon.NEWS --- cups-2.3.3op2/debian/cups-daemon.NEWS 2023-09-29 21:20:27.000000000 +0200 +++ cups-2.3.3op2/debian/cups-daemon.NEWS 2023-10-05 16:35:27.000000000 +0200 @@ -4,7 +4,7 @@ unauthorized users to fetch documents over local or remote networks. Since this is a configuration fix, it might be that it does not reach you if you are updating 'cups-daemon' (rather than doing a fresh installation). - Please double check your /etc/cups/cupds.conf file, whether it limits the access + Please double check your /etc/cups/cupsd.conf file, whether it limits the access to CUPS-Get-Document with something like the following > <Limit CUPS-Get-Document> > AuthType Default diff -Nru cups-2.3.3op2/debian/NEWS cups-2.3.3op2/debian/NEWS --- cups-2.3.3op2/debian/NEWS 2023-09-29 21:20:27.000000000 +0200 +++ cups-2.3.3op2/debian/NEWS 1970-01-01 01:00:00.000000000 +0100 @@ -1,16 +0,0 @@ -cups (2.3.3op2-3+deb11u5) bullseye; urgency=medium - - This release addresses a security issue (CVE-2023-32360) which allows - unauthorized users to fetch documents over local or remote networks. - Since this is a configuration fix, it might be that it does not reach you if you - are updating 'cups-daemon' (rather than doing a fresh installation). - Please double check your /etc/cups/cupds.conf file, whether it limits the access - to CUPS-Get-Document with something like the following - > <Limit CUPS-Get-Document> - > AuthType Default - > Require user @OWNER @SYSTEM - > Order deny,allow - > </Limit> - (The important line is the 'AuthType Default' in this section) - - -- Thorsten Alteholz <deb...@alteholz.de> Tue, 19 Sep 2023 21:20:27 +0200
