cups-1.3.7-18.4.0.1.AXS3

エラータID: AXSA:2010-368:03

Release date: 
Tuesday, June 22, 2010 - 20:59
Subject: 
cups-1.3.7-18.4.0.1.AXS3
Affected Channels: 
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity: 
High
Description: 

The Common UNIX Printing System provides a portable printing layer for
UNIX® operating systems. It has been developed by Easy Software Products
to promote a standard printing solution for all UNIX vendors and users.
CUPS provides the System V and Berkeley command-line interfaces.
Security issues fixed with this release:
CVE-2010-0540
Cross-site request forgery (CSRF) vulnerability in the web interface in CUPS in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to hijack the authentication of administrators for requests that change settings.
CVE-2010-0542
No description available at the time of writing, please use the CVE link below.
CVE-2010-1748
The web interface in CUPS in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, reads uninitialized memory during handling of form variables, which allows context-dependent attackers to obtain sensitive information from cupsd process memory via unspecified vectors.

Solution: 

Update packages.

CVEs: 
CVE-2010-0540
Cross-site request forgery (CSRF) vulnerability in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, allows remote attackers to hijack the authentication of administrators for requests that change settings.
CVE-2010-0542
The _WriteProlog function in texttops.c in texttops in the Text Filter subsystem in CUPS before 1.4.4 does not check the return values of certain calloc calls, which allows remote attackers to cause a denial of service (NULL pointer dereference or heap memory corruption) or possibly execute arbitrary code via a crafted file.
CVE-2010-1748
The cgi_initialize_string function in cgi-bin/var.c in the web interface in CUPS before 1.4.4, as used on Apple Mac OS X 10.5.8, Mac OS X 10.6 before 10.6.4, and other platforms, does not properly handle parameter values containing a % (percent) character without two subsequent hex characters, which allows context-dependent attackers to obtain sensitive information from cupsd process memory via a crafted request, as demonstrated by the (1) /admin?OP=redirect&URL=% and (2) /admin?URL=/admin/&OP=% URIs.




Additional Info: 

N/A

Download: 

SRPMS
  1. cups-1.3.7-18.4.0.1.AXS3.src.rpm
    MD5: ae21add564dc8accd10309371bd4ebcb
    SHA-256: 930a0a89c189f19b64fd54bbabed8a8e01f3bd80985c9715160fc11c235ab040
    Size: 4.17 MB

Asianux Server 3 for x86
  1. cups-1.3.7-18.4.0.1.AXS3.i386.rpm
    MD5: dfe856f8066600dc04469984f580f3c9
    SHA-256: 5de4dc818f926b32e8c7f461f0da00367bd8cf583d02f00c1b4b89072bd83598
    Size: 3.52 MB
  2. cups-devel-1.3.7-18.4.0.1.AXS3.i386.rpm
    MD5: 1b2bfee97135e9869ddd0615defb2414
    SHA-256: c294b6b3c52d3d2f13fc0e86f0e4f33c093a9b64c911b9e4a462d2214ce1f700
    Size: 77.41 kB
  3. cups-libs-1.3.7-18.4.0.1.AXS3.i386.rpm
    MD5: c7fb5724f067ba3f9e0d9a2a755b231b
    SHA-256: 0c83f72a847e1fd1920c89da86a32b3f4f56dc8f894af4cf095af624f8ab8ce6
    Size: 197.86 kB

Asianux Server 3 for x86_64
  1. cups-1.3.7-18.4.0.1.AXS3.x86_64.rpm
    MD5: 50f4c4ab8dc116c0f2d524c7df11857c
    SHA-256: 5037f5ae1650d5bd496013ee4eefd4051e51358f6c0d99ab072394c197b9d1ed
    Size: 3.53 MB
  2. cups-devel-1.3.7-18.4.0.1.AXS3.x86_64.rpm
    MD5: de799ed49e06154bf377de96096d7ce8
    SHA-256: 444ee45325857633ab70038b296a5250353553241235f67867c616a0309f6510
    Size: 77.39 kB
  3. cups-libs-1.3.7-18.4.0.1.AXS3.x86_64.rpm
    MD5: 1700a7f65443656dd3757988698dd216
    SHA-256: e8687155267db60b74a604f8a4c4bee6ac4fbd887eadec86013823581baa0bbd
    Size: 193.84 kB