Hello community, here is the log from the commit of package cups for openSUSE:Factory checked in at 2015-02-20 13:50:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cups (Old) and /work/SRC/openSUSE:Factory/.cups.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cups" Changes: -------- --- /work/SRC/openSUSE:Factory/cups/cups.changes 2014-11-29 08:39:45.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.cups.new/cups.changes 2015-02-20 13:50:46.000000000 +0100 @@ -2 +2 @@ -Tue Nov 25 16:13:50 CET 2014 - [email protected] +Thu Feb 12 13:50:58 UTC 2015 - [email protected] @@ -4,15 +4 @@ -- Refresh and/or clean up the systemd units that belong to CUPS - (cups.service cups.socket cups.path) via RPM posttrans scriplet - in a generic way via "systemctl --force reenable" (bnc#904215). - An enabled systemd unit may need a refresh via - "systemctl --force reenable" after updating a package when - the new package had installed a changed systemd unit file. - A disabled systemd unit also may need a refresh via - "systemctl --force reenable" but then it is again disabled. - A systemd unit may become obsolete by updating a package when - the new package does no longer provide a unit file. In this - case "systemctl --force reenable" removes the unit. - In any case currently running services are not stopped even - when the new package does no longer provide the unit file - because a RPM package update must not automatically disrupt - (stop or restart) running services. +- Add back the posttrans cleanup script as it is needed @@ -21 +7 @@ -Tue Nov 4 13:26:04 CET 2014 - [email protected] +Thu Feb 12 09:22:30 UTC 2015 - [email protected] @@ -23,5 +9,2 @@ -- Also for SLE12 krb5-devel must be used for build - (cf. the entry below dated "Wed Jun 26 10:39:30 CEST 2013") - because in contrast to IBS where krb5-mini-devel is available - for build in SUSE:SLE-12:GA in OBS it cannot build for SLE_12 - with "unresolvable: nothing provides krb5-mini-devel". +- Add patch cups-systemd-socket.patch to fix socket activation + and to match socket approach Fedora has. @@ -30 +13 @@ -Mon Oct 13 09:30:49 UTC 2014 - [email protected] +Thu Feb 12 09:12:05 UTC 2015 - [email protected] @@ -32,2 +15,7 @@ -- use Settings;Printing;HardwareSettings desktop file category - instead of System category in the desktop file +- Version bump to 2.0.2: + * Security: cupsRasterReadPixels buffer overflow with invalid page header and + compressed raster data (STR #4551) + * Mapping of PPD keywords to IPP keywords did not work if the PPD keyword was + already an IPP keyword (<rdar://problem/19121005>) + * cupsGetPPD* sent bad requests (STR #4567) + * For detailed list see CHANGES.txt file @@ -36 +24 @@ -Tue Sep 2 15:48:23 CEST 2014 - [email protected] +Thu Feb 12 09:10:09 UTC 2015 - [email protected] @@ -38,5 +26 @@ -- Let fdupes only create symlinks in /usr/share/cups/templates/ to - avoid a symlink /usr/share/cups/webcontent/images/cups-icon.png - because the cupsd web server does no longer follow symlinks - to avoid the security issues mentioned in the previous entry - below (fixes bnc#892587 a regression of bnc#887240). +- Enable PIE for build @@ -45 +29 @@ -Tue Sep 2 15:26:36 CEST 2014 - [email protected] +Fri Jan 30 10:44:47 UTC 2015 - [email protected] @@ -47,6 +31,2 @@ -- str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch - fixes that the web interface incorrectly served symlinked files - and files that were not world-readable, potentially leading to - a disclosure of information (CVE-2014-3537 STR #4450 plus the - subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455 - all in bnc#887240). +- Remove legacy paralel-port support as it is not really needed + as most do not want it @@ -55 +35 @@ -Thu May 22 10:16:17 UTC 2014 - [email protected] +Fri Jan 30 10:39:41 UTC 2015 - [email protected] @@ -57,2 +37,6 @@ -- Add build require pkgconfig(libsystemd-daemon) to allow to move - systemd.pc back to systemd package +- Update descriptions to just state what changed and let user + find it out. +- Add back comment about %fdupes +- Remove exit 0 on scriptlets as it is provided by the %service bla + ones already +- Fix the comment about openSUSE version on tmpfilesdir declaration @@ -61 +45 @@ -Fri Apr 11 09:42:30 CEST 2014 - [email protected] +Fri Jan 16 16:00:20 UTC 2015 - [email protected] @@ -63,3 +47,33 @@ -- cups-1.5.4-strftime.patch fixes CUPS upstream STR #4388: - no or malformed output from lpstat in charset other than utf-8 - (bnc#873030). +- cups-2.0.1 update: + * lengthy list of changes see the upstream CHANGES.txt that is + distributed with the package + * Disabling of sslv3 to mitigate poodle +- Use gnutls to provide SSLOPtions configuration directive + * openssl is no longer supported upstream + * Remove the with-openssl-exception from license +- Remove cups.sysconfig as it is not used with systemd based distros +- Purposely lose support for SLE11 as it doubles size of some of the + sections and keep suppor for openSUSE+SLE12 + * even with the conditions we would have to go unencrypted only + as needs newer gnutls, so don't bother with keeping the compat +- Use upstream service and socket files to allow more working tools +- Removed patches: + * cups-0001-systemd-add-systemd-socket-activation-and-unit-files.patch + * cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch + * cups-0003-systemd-secure-cups.service-unit-file.patch + * cups-1.3.6-access_conf.patch + * cups-1.5-additional_policies.patch + * cups-1.5.4-CVE-2012-5519.patch + * cups-1.5.4-strftime.patch + * cups-move-everything-to-run.patch + * cups-polld_avoid_busy_loop.patch + * cups-provides-cupsd-service.patch + * str4190.patch + * str4351.patch + * str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch +- Refreshed patches: + * cups-1.3.9-desktop_file.patch + * cups-config-libs.patch +- Added patches: + * cups-1.7-additional_policies.patch + * cups-systemd-socket.patch @@ -68 +82 @@ -Thu Feb 20 13:57:24 CET 2014 - [email protected] +Tue Sep 23 13:57:31 CEST 2014 - [email protected] @@ -70,15 +84,96 @@ -- Cautious clean up of systemd units via RPM scriptlets - (see the entry below dated "Wed Feb 19 15:05:44 CET 2014") - does not work reliable because it would leave a messsed up - systemd setup for cupsd when YaST was used before - to start/stop/enable/disable the cupsd, see - https://bugzilla.novell.com/show_bug.cgi?id=857372#c115 - so that now cups.socket and cups.path are stopped and disabled - in any case to ensure starting/stopping/enabling/disabling - of the cupsd also works with YaST, see - https://bugzilla.novell.com/show_bug.cgi?id=857372#c120 - (bnc#857372). -- str4351.patch from CUPS upstream fixes - https://www.cups.org/str.php?L4351 - "STR #4351 cups-lpd hugh jobs (>2G) fail" - (bnc#864782). +- change BuildRequires for systemd to pkgconfig(systemd) + and pkgconfig(libsystemd-daemon) to avoid build-cycles + +------------------------------------------------------------------- +Mon Aug 25 13:19:19 CEST 2014 - [email protected] + +- Version upgrade to 1.7.5: + CUPS 1.7.5 addresses some minor issues and expands upon the + symlink security protection. Changes include (excerpt): + * Security: Addressed some more situations where symlinked + files would be served by the web interface (CVE-2014-5029 + CVE-2014-5030 CVE-2014-5031 STR #4455 and bnc#887240). + * The LPD backend did not work with some versions + of glibc (STR #4452) + * CGI scripts did not work (STR #4454) +- str4455-1.7.patch (see the previous entry below) + is obsolete because it is fixed upstream since CUPS 1.7.5. +- Let fdupes only create symlinks in /usr/share/cups/templates/ to + avoid a symlink /usr/share/cups/webcontent/images/cups-icon.png + because since CUPS 1.7.4/1.7.5 the cupsd web server does + no longer follow symlinks to avoid the security issues + mentioned in the previous two entries below + (fixes bnc#892587 a regression of bnc#887240). + +------------------------------------------------------------------- +Tue Jul 29 16:41:10 CEST 2014 - [email protected] + +- str4455-1.7.patch complements the incomplete fix for + CVE-2014-3537 STR#445 in the CUPS 1.7.4 sources + to fix the subsequent CVE-2014-5029 CVE-2014-5030 + CVE-2014-5031 STR#4455 (bnc#887240). + +------------------------------------------------------------------- +Tue Jul 15 11:13:14 CEST 2014 - [email protected] + +- Version upgrade to 1.7.4: + CUPS 1.7.4 fixes several networking and build issues, + and addresses a symlink security issue CVE-2014-3537. + Changes since 1.7.3 include (excerpt): + * Security: The web interface incorrectly served symlinked files + and files that were not world-readable, potentially leading to + a disclosure of information (CVE-2014-3537, STR #4450, + and bnc#887240). + * The "snmp" option did not work with the network backends + (STR #4422). + * The User directive in client.conf did not override the USER + environment variable (STR #4426). + * The web interface now properly shows a "Go" button for + all text-based browsers (STR #4425). + * The MaxJobTime directive now properly supports time + values (STR #4434). + * Fixed an "IPP read error" race condition issue (STR #4440). + +------------------------------------------------------------------- +Mon Jun 2 13:21:31 CEST 2014 - [email protected] + +- Version upgrade to 1.7.3: + CUPS 1.7.3 includes a number of general bug fixes. + Changes since 1.7.2 include (excerpt): + * Fixed mapping of OutputBin values such as "Tray1". + * Several ippGet* functions incorrectly returned -1 ++++ 499 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/cups/cups.changes ++++ and /work/SRC/openSUSE:Factory/.cups.new/cups.changes Old: ---- PSLEVEL1.PPD.bz2 PSLEVEL2.PPD.bz2 cups-0001-systemd-add-systemd-socket-activation-and-unit-files.patch cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch cups-0003-systemd-secure-cups.service-unit-file.patch cups-1.3.6-access_conf.patch cups-1.5-additional_policies.patch cups-1.5.4-CVE-2012-5519.patch cups-1.5.4-source.tar.bz2 cups-1.5.4-strftime.patch cups-move-everything-to-run.patch cups-polld_avoid_busy_loop.patch cups-provides-cupsd-service.patch cups.init cups.sysconfig cups.xinetd postscript.ppd.bz2 str4190.patch str4351.patch str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch New: ---- Postscript-level1.ppd.gz Postscript-level2.ppd.gz Postscript.ppd.gz cups-1.7-additional_policies.patch cups-2.0.2-source.tar.bz2 cups-systemd-socket.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cups.spec ++++++ ++++ 1097 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/cups/cups.spec ++++ and /work/SRC/openSUSE:Factory/.cups.new/cups.spec ++++++ cups-1.3.9-desktop_file.patch ++++++ --- /var/tmp/diff_new_pack.16NrQH/_old 2015-02-20 13:50:47.000000000 +0100 +++ /var/tmp/diff_new_pack.16NrQH/_new 2015-02-20 13:50:47.000000000 +0100 @@ -6,7 +6,7 @@ [Desktop Entry] -Categories=System;Printing;HardwareSettings;X-Red-Hat-Base; -Exec=@CUPS_HTMLVIEW@ http://localhost:631/ -+Categories=Settings;Printing;HardwareSettings; ++Categories=System;Printing;Settings;HardwareSettings; +Exec=desktop-launch http://localhost:631/ +NotShowIn=GNOME; Icon=cups ++++++ cups-1.5-additional_policies.patch -> cups-1.7-additional_policies.patch ++++++ --- /work/SRC/openSUSE:Factory/cups/cups-1.5-additional_policies.patch 2014-02-07 10:25:42.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.cups.new/cups-1.7-additional_policies.patch 2015-02-20 13:50:46.000000000 +0100 @@ -1,9 +1,12 @@ ---- conf/cupsd.conf.in.orig 2014-01-29 14:31:32.000000000 +0100 -+++ conf/cupsd.conf.in 2014-01-29 15:20:30.000000000 +0100 -@@ -136,6 +136,39 @@ WebInterface @CUPS_WEBIF@ +Index: conf/cupsd.conf.in +=================================================================== +--- conf/cupsd.conf.in.orig ++++ conf/cupsd.conf.in +@@ -127,3 +127,36 @@ WebInterface @CUPS_WEBIF@ + Order deny,allow </Limit> </Policy> - ++ +# The policy below is added by SUSE during build of our cups package. +# The policy 'allowallforanybody' is totally open and insecure and therefore +# it can only be used within an internal network where only trused users exist @@ -14,7 +17,7 @@ +# print jobs from an internal network to any external destination, see +# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell +# For documentation regarding 'Managing Operation Policies' see -+# http://www.cups.org/documentation.php/doc-1.5/policies.html ++# http://www.cups.org/documentation.php/doc-1.7/policies.html +<Policy allowallforanybody> + # Allow anybody to access job's private values: + JobPrivateAccess all @@ -36,7 +39,3 @@ +</Policy> +# Explicitly set the CUPS 'default' policy to be used by default: +DefaultPolicy default -+ - # - # End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $". - # ++++++ cups-1.5.4-source.tar.bz2 -> cups-2.0.2-source.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/cups/cups-1.5.4-source.tar.bz2 /work/SRC/openSUSE:Factory/.cups.new/cups-2.0.2-source.tar.bz2 differ: char 11, line 1 ++++++ cups-client.conf ++++++ --- /var/tmp/diff_new_pack.16NrQH/_old 2015-02-20 13:50:47.000000000 +0100 +++ /var/tmp/diff_new_pack.16NrQH/_new 2015-02-20 13:50:47.000000000 +0100 @@ -1,77 +1,28 @@ -# Sample client configuration file for the Common UNIX Printing System -# (CUPS). -# -# Copyright 1997-2005 by Easy Software Products, all rights reserved. -# Klaus Singvogel <[email protected]> modified it for SUSE distribution. -# -# These coded instructions, statements, and computer programs are the -# property of Easy Software Products and are protected by Federal -# copyright law. Distribution and use rights are outlined in the file -# "LICENSE.txt" which should have been included with this file. If this -# file is missing or damaged please contact Easy Software Products -# at: -# -# Attn: CUPS Licensing Information -# Easy Software Products -# 44141 Airport View Drive, Suite 204 -# Hollywood, Maryland 20636 USA -# -# Voice: (301) 373-9600 -# EMail: [email protected] -# WWW: http://www.cups.org -# +# CUPS client configuration file (optional). -######################################################################## -# # -# This is the CUPS client configuration file. This file is used to # -# define client-specific parameters, such as the default server or # -# default encryption settings. # -# # -# Put this file on /etc/cups/client.conf (system use) or # -# ~/.cups/client.conf (personal use). # -# # -# more information in the manual page client.conf(5) -######################################################################## +# You may use /etc/cups/client.conf (system wide) +# or ~/.cups/client.conf (per user). +# For more information see "man 5 client.conf". -# -# Encryption: directive specifies the default encryption settings for -# the client. -# -# Possible values: -# -# IfRequested -# Never -# Required -# Always -# -# The default value is "IfRequested". -# This parameter can also be set # using the CUPS_ENCRYPTION environment -# variable. -# +# The ServerName directive specifies the remote server +# that is to be used for all client operations. That is, it +# redirects all client requests directly to that remote server +# so that a local running cupsd is not used in this case. +# The default is to use the local server ("localhost") or domain socket. +# Only one ServerName directive may appear. +# If multiple names are present, only the last one is used. +# The default port number is 631 but can be overridden by adding +# a colon followed by the desired port number. +# The default IPP version is 2.0 but can be overridden by adding +# a slash followed by version=V where V is 1.0 or 1.1 or 2.0 or 2.1 or 2.2. +# IPP version 2.0 does do not work with CUPS 1.3 or older servers. +# If an CUPS 1.3 or older server is used, its older IPP version +# must be specified as .../version=1.1 or .../version=1.0. -#Encryption IfRequested -#Encryption Never -#Encryption Required -#Encryption Always +# Examples: +# ServerName sever.example.com +# ServerName 192.0.2.10 +# ServerName sever.example.com:8631 +# ServerName older.server.example.com/version=1.1 +# ServerName older.server.example.com:8631/version=1.1 -# -# ServerName: directive specifies sets the remote server that is to be -# used for all client operations. That is, it redirects all client -# requests to the remote server. -# -# By default CUPS will use the domain socket /var/run/cups/cups.sock or -# local server ("localhost"), if so configured. The value can be -# overwritten by the CUPS_SERVER environment variable. -# -# The default port number is 631 but can be overridden by adding a colon -# followed by the desired port number to the value. -# -# ONLY ONE SERVER NAME MAY BE SPECIFIED AT A TIME. To use more than one -# server you must use a local scheduler with browsing and possibly -# polling. -# - -#ServerName /domain/socket -#ServerName foo.bar.com -#ServerName 11.22.33.444 -#ServerName foo.bar.com:8631 ++++++ cups-config-libs.patch ++++++ --- /var/tmp/diff_new_pack.16NrQH/_old 2015-02-20 13:50:47.000000000 +0100 +++ /var/tmp/diff_new_pack.16NrQH/_new 2015-02-20 13:50:47.000000000 +0100 @@ -1,13 +1,11 @@ ---- cups-config.in.orig -+++ cups-config.in -@@ -35,8 +35,8 @@ INSTALLSTATIC=@INSTALLSTATIC@ +--- cups-config.in.orig 2011-08-27 11:23:01.000000000 +0200 ++++ cups-config.in 2012-11-27 15:47:27.000000000 +0100 +@@ -35,7 +35,7 @@ INSTALLSTATIC=@INSTALLSTATIC@ # flags for C++ compiler: CFLAGS="" LDFLAGS="@EXPORT_LDFLAGS@" --LIBS="@LIBGSSAPI@ @EXPORT_SSLLIBS@ @EXPORT_LIBZ@ @LIBS@" --IMGLIBS="@EXPORT_LIBTIFF@ @EXPORT_LIBJPEG@ @EXPORT_LIBPNG@" +-LIBS="@LIBGSSAPI@ @EXPORT_SSLLIBS@ @LIBZ@ @LIBS@" +LIBS="" -+IMGLIBS="" # Check for local invocation... selfdir=`dirname $0` ++++++ cups-systemd-socket.patch ++++++ diff -up cups-2.0.2/cups/usersys.c.ustTJg cups-2.0.2/cups/usersys.c --- cups-2.0.2/cups/usersys.c.ustTJg 2015-02-10 13:40:24.294545077 +0100 +++ cups-2.0.2/cups/usersys.c 2015-02-10 13:46:56.763989233 +0100 @@ -1017,7 +1017,7 @@ cups_finalize_client_conf( struct stat sockinfo; /* Domain socket information */ if (!stat(CUPS_DEFAULT_DOMAINSOCKET, &sockinfo) && - (sockinfo.st_mode & S_IRWXO) == S_IRWXO) + (sockinfo.st_mode & (S_IROTH | S_IWOTH)) == (S_IROTH | S_IWOTH)) cups_set_server_name(cc, CUPS_DEFAULT_DOMAINSOCKET); else #endif /* CUPS_DEFAULT_DOMAINSOCKET */ diff -up cups-2.0.2/scheduler/main.c.ustTJg cups-2.0.2/scheduler/main.c --- cups-2.0.2/scheduler/main.c.ustTJg 2015-02-10 13:40:24.121547526 +0100 +++ cups-2.0.2/scheduler/main.c 2015-02-10 13:40:24.295545063 +0100 @@ -658,8 +658,15 @@ main(int argc, /* I - Number of comm #if defined(HAVE_LAUNCHD) || defined(HAVE_SYSTEMD) if (OnDemand) + { cupsdAddEvent(CUPSD_EVENT_SERVER_STARTED, NULL, NULL, "Scheduler started on demand."); - else +# ifdef HAVE_SYSTEMD + sd_notifyf(0, "READY=1\n" + "STATUS=Scheduler is running...\n" + "MAINPID=%lu", + (unsigned long) getpid()); +# endif /* HAVE_SYSTEMD */ + } else #endif /* HAVE_LAUNCHD || HAVE_SYSTEMD */ if (fg) cupsdAddEvent(CUPSD_EVENT_SERVER_STARTED, NULL, NULL, "Scheduler started in foreground."); diff -up cups-2.0.2/scheduler/org.cups.cupsd.path.in.ustTJg cups-2.0.2/scheduler/org.cups.cupsd.path.in --- cups-2.0.2/scheduler/org.cups.cupsd.path.in.ustTJg 2014-03-21 15:50:24.000000000 +0100 +++ cups-2.0.2/scheduler/org.cups.cupsd.path.in 2015-02-10 13:40:24.295545063 +0100 @@ -2,7 +2,7 @@ Description=CUPS Scheduler [Path] -PathExists=@CUPS_CACHEDIR@/org.cups.cupsd +PathExistsGlob=@CUPS_REQUESTS@/d* [Install] WantedBy=multi-user.target diff -up cups-2.0.2/scheduler/org.cups.cupsd.service.in.ustTJg cups-2.0.2/scheduler/org.cups.cupsd.service.in --- cups-2.0.2/scheduler/org.cups.cupsd.service.in.ustTJg 2014-10-21 13:55:01.000000000 +0200 +++ cups-2.0.2/scheduler/org.cups.cupsd.service.in 2015-02-10 13:40:24.296545049 +0100 @@ -1,10 +1,11 @@ [Unit] Description=CUPS Scheduler Documentation=man:cupsd(8) +After=network.target [Service] ExecStart=@sbindir@/cupsd -l -Type=simple +Type=notify [Install] Also=org.cups.cupsd.socket org.cups.cupsd.path -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
