Your message dated Sat, 07 Oct 2023 09:59:43 +0000
with message-id <e1qp463-00a4k5...@coccia.debian.org>
and subject line Released with 12.2
has caused the Debian Bug report #1053523,
regarding bookworm-pu: cups/2.4.2-3+deb12u4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1053523: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053523
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
After uploading the fix for CVE-2023-4504 and CVE-2023-32360 to Buster I
got some complaints:
- the mentioned filename of the cupsd configuration contained a typo
and several users were unsure what to do now ...
- ... especially as the contents of debian/NEWS was also shown on
computers where only cups client was installed.
So this upload fixes the typo and removes debian/NEWS again, so that the
text is only shown when cups-daemon will be updated.
I know it is rather late for this, but maybe this makes things easier for
our users.
Thorsten
diff -Nru cups-2.4.2/debian/changelog cups-2.4.2/debian/changelog
--- cups-2.4.2/debian/changelog 2023-09-29 21:20:27.000000000 +0200
+++ cups-2.4.2/debian/changelog 2023-10-05 16:35:27.000000000 +0200
@@ -1,3 +1,11 @@
+cups (2.4.2-3+deb12u4) bookworm; urgency=medium
+
+ * remove debian/NEWS again to avoid too much information when only
+ the client part is installed
+ * fix typo in config filename
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Thu, 05 Oct 2023 16:35:27 +0200
+
cups (2.4.2-3+deb12u3) bookworm; urgency=medium
* move debian/NEWS.Debian to debian/NEWS
diff -Nru cups-2.4.2/debian/cups-daemon.NEWS cups-2.4.2/debian/cups-daemon.NEWS
--- cups-2.4.2/debian/cups-daemon.NEWS 2023-09-29 21:20:27.000000000 +0200
+++ cups-2.4.2/debian/cups-daemon.NEWS 2023-10-05 16:35:27.000000000 +0200
@@ -4,7 +4,7 @@
unauthorized users to fetch documents over local or remote networks.
Since this is a configuration fix, it might be that it does not reach you if
you
are updating 'cups-daemon' (rather than doing a fresh installation).
- Please double check your /etc/cups/cupds.conf file, whether it limits the
access
+ Please double check your /etc/cups/cupsd.conf file, whether it limits the
access
to CUPS-Get-Document with something like the following
> <Limit CUPS-Get-Document>
> AuthType Default
diff -Nru cups-2.4.2/debian/NEWS cups-2.4.2/debian/NEWS
--- cups-2.4.2/debian/NEWS 2023-09-29 21:20:27.000000000 +0200
+++ cups-2.4.2/debian/NEWS 1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-cups (2.4.2-3+deb12u3) bookworm; urgency=medium
-
- This release addresses a security issue (CVE-2023-32360) which allows
- unauthorized users to fetch documents over local or remote networks.
- Since this is a configuration fix, it might be that it does not reach you if
you
- are updating 'cups-daemon' (rather than doing a fresh installation).
- Please double check your /etc/cups/cupds.conf file, whether it limits the
access
- to CUPS-Get-Document with something like the following
- > <Limit CUPS-Get-Document>
- > AuthType Default
- > Require user @OWNER @SYSTEM
- > Order deny,allow
- > </Limit>
- (The important line is the 'AuthType Default' in this section)
-
- -- Thorsten Alteholz <deb...@alteholz.de> Tue, 19 Sep 2023 21:20:27 +0200
--- End Message ---
--- Begin Message ---
Version: 12.2
The upload requested in this bug has been released as part of 12.2.
--- End Message ---
