cups-1.3.7-11.4.1AXS3
Errata ID: AXSA:2009-423:04
Release date:
2009/11/20 Friday - 14:43
Title:
cups-1.3.7-11.4.1AXS3
Affected channels:
Asianux Server 3 for x86
Asianux Server 3 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The CUPS web interface does not properly handle HTTP headers and HTML templates, allowing a remote attacker to conduct cross-site scripting (XSS) and HTTP response splitting attacks via the product's web interface, the configuration of the print system, and the titles of printed jobs. (CVE-2009-2820)
- A use-after-free vulnerability exists in scheduler/select.c in CUPS, allowing a remote attacker to cause a denial of service (daemon crash or hang) by disconnecting a client connection while a listing of a large number of print jobs is being generated. (CVE-2009-3553)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the package.
CVE:
CVE-2009-2820
The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues.
CVE-2009-3553
Use-after-free vulnerability in the abstract file-descriptor handling interface in the cupsdDoSelect function in scheduler/select.c in the scheduler in cupsd in CUPS 1.3.7 and 1.3.10 allows remote attackers to cause a denial of service (daemon crash or hang) via a client disconnection during listing of a large number of print jobs, related to improperly maintaining a reference count. NOTE: some of these details are obtained from third party information.
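The two output-handling rules whose absence CVE-2009-2820 describes are shown below as an added illustration; this is not CUPS code and does not reproduce the CUPS templates. Untrusted data such as a job title must be HTML-escaped for the context it lands in before being rendered into a template, and any value placed into an HTTP header must be rejected if it carries CR or LF, since a line break ends the header and lets the remainder be read as further headers or as the response body. The job titles and the redirect target are constructed sample inputs; the function names are the example's own.

```python
import html
import re

# Constructed sample inputs (not taken from any real print queue): a benign
# job title and one carrying markup that a template must neutralise.
SAMPLE_TITLES = [
    "Quarterly report",
    '"><script>alert(1)</script>',
]

# Characters that must never reach a header value: CR, LF and NUL.
_CTL = re.compile(r"[\r\n\x00]")


def render_job_row(title: str) -> str:
    """Return one HTML table row for a job listing.

    The title is untrusted (chosen by whoever submitted the job), so it is
    escaped before being interpolated. quote=True also escapes ' and ",
    which makes the same string safe inside the title="..." attribute.
    """
    safe = html.escape(title, quote=True)
    return f'<tr><td title="{safe}">{safe}</td></tr>'


def safe_header_value(value: str) -> str:
    """Validate a string before it becomes an HTTP header value.

    CR, LF and NUL are rejected rather than silently stripped, so that a
    caller cannot end up emitting a header whose meaning differs from the
    input it was given. Raises ValueError on unsafe input.
    """
    if _CTL.search(value):
        raise ValueError("control character in header value")
    return value


def build_redirect_headers(location: str) -> list:
    """Assemble a minimal redirect header list with the Location value checked."""
    return [
        ("Status", "302 Found"),
        ("Location", safe_header_value(location)),
    ]


def is_header_value_safe(value: str) -> bool:
    """Boolean wrapper around safe_header_value for callers that only need a verdict."""
    try:
        safe_header_value(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print(render_job_row(t))
    print(build_redirect_headers("/jobs/"))
    print(is_header_value_safe("/jobs/\r\nSet-Cookie: x=1"))
```

Escaping at the point of output, rather than filtering on input, is what keeps the job title intact in the queue while making it inert in the page; rejecting rather than stripping control characters in header values keeps a malformed input from being quietly rewritten into something the server would then send.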
Additional information:
N/A
Download:
SRPMS
- cups-1.3.7-11.4.1AXS3.src.rpm
MD5: 083712ed0092c1ee09d0e3aa45ade650
SHA-256: b8af1469d87bf18c70f5f323b4a829aaae83cd99dd0d40070934fef2f8b1249f
Size: 4.16 MB
Asianux Server 3 for x86
- cups-1.3.7-11.4.1AXS3.i386.rpm
MD5: a090b5340c4859a10f7227b3a9719419
SHA-256: a5754e56e3a3ccc090dd1846d957d83621cca5f9645869abf73945fa62a5a7d4
Size: 3.82 MB
- cups-devel-1.3.7-11.4.1AXS3.i386.rpm
MD5: 92f6861fc670f70acc69cfa3a1ca7393
SHA-256: 63b30110128797bd20bc0c4a126d2775869367a7041deac46f66d57aebcb4d1e
Size: 74.96 kB
- cups-libs-1.3.7-11.4.1AXS3.i386.rpm
MD5: ae121123e07159daa54db28f37caabe6
SHA-256: 582558cc17bd0ebc3845bc64fa64a8feefb53e056bb5d640f0ce1664c510b141
Size: 195.37 kB
Asianux Server 3 for x86_64
- cups-1.3.7-11.4.1AXS3.x86_64.rpm
MD5: 3511214e53cf6b157a63f1a9ca600614
SHA-256: ba86db7860fabfb7feb5c6ac871bbf6829c893cf46d60e015472ef6e596178db
Size: 3.86 MB
- cups-devel-1.3.7-11.4.1AXS3.x86_64.rpm
MD5: bd596ac3a827679304818ba3f14c0da8
SHA-256: 2191420597ef73fbd8a36cb10e7edba01cccdfc82c448ae64908ecbde02bc348
Size: 74.94 kB
- cups-libs-1.3.7-11.4.1AXS3.x86_64.rpm
MD5: a6cf96bf57b47320d8eab0d6ac951bc8
SHA-256: 37538ebb3ea354d46b99ca59725d4b0c2df73dce0be132c0077638b27f6080fb
Size: 191.40 kB