Re: Message in Debian (reproduced below). See also:
<https://security-tracker.debian.org/tracker/CVE-2012-5519>
where there is this:

"Name CVE-2012-5519
Description CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface."

I have:

$ ls -l /var/run/cups/certs/0
-r--r----- 1 root lpadmin 32 Jan 17 08:01 /var/run/cups/certs/0

I have only read about it today. Gentoo, Debian, Mageia, Mandriva, Ubuntu, Red Hat (Fedora too?), all seem to be affected.

Should we do anything about it?

[]s,
Fernando

>From root@vmwdebian Thu Jan 10 07:21:07 2013
Date: Thu, 10 Jan 2013 07:21:07 -0300
Subject: apt-listchanges: notícias para VMWDebian
To: root@vmwdebian
From: root <root@vmwdebian>

cups (1.4.4-7+squeeze2) stable-security; urgency=high

  In order to mitigate a privilege escalation from the lpadmin to root
  (CVE-2012-5519), the /etc/cups/cupsd.conf configuration file is split in
  two configuration files:

  * /etc/cups/cupsd.conf can be edited by members of the lpadmin group
    through the cups web interface;
  * /etc/cups/cups-files.conf can only be edited by root;

  Many sensitive configuration statements can now only be set in
  cups-files.conf. No statements have been moved automatically. Please check
  the respective manpages.

 -- Didier Raboud <o...@debian.org>  Sat, 29 Dec 2012 12:33:27 +0100
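The changelog above says that sensitive statements must now be set in the root-only cups-files.conf and that none are moved automatically. The script below is an added example, not part of the original message or of the Debian package, that lists such statements still present in a cupsd.conf. The directive list is an assumption (a subset of the directives documented in cups-files.conf(5); check the manpage of the installed version), and the function names and sample file are hypothetical.

```shell
#!/bin/sh
# Added example: find statements in cupsd.conf that belong in cups-files.conf.
# ASSUMPTION: this list is a subset of the directives documented in
# cups-files.conf(5); it does not come from the message above.
ROOT_ONLY='AccessLog CacheDir ConfigFilePerm DataDir DocumentRoot ErrorLog
FileDevice FontPath Group LogFilePerm PageLog Printcap PrintcapFormat
RemoteRoot RequestRoot ServerBin ServerCertificate ServerKey ServerRoot
StateDir SystemGroup TempDir User'

# audit_cupsd_conf: read a cupsd.conf on stdin and print "LINE:Directive" for
# every root-only directive that is still set (comment lines are skipped,
# directive names are matched case-insensitively).
audit_cupsd_conf() {
    awk -v list="$ROOT_ONLY" '
        BEGIN {
            n = split(tolower(list), names, /[ \t\n]+/)
            for (i = 1; i <= n; i++) if (names[i] != "") want[names[i]] = 1
        }
        /^[ \t]*#/ { next }                       # commented-out statement
        NF && (tolower($1) in want) { print NR ":" $1 }
    '
}

# Constructed sample of a pre-split cupsd.conf (not from a real system).
sample_conf() {
    cat <<'EOF'
# main server settings
LogLevel warn
SystemGroup lpadmin
Listen localhost:631
  ErrorLog /var/log/cups/error_log
#PageLog /var/log/cups/page_log
<Location /admin>
  Order allow,deny
</Location>
User lp
EOF
}

# Demo on the constructed sample; on a real host run:
#   audit_cupsd_conf < /etc/cups/cupsd.conf
sample_conf | audit_cupsd_conf
```

Each reported statement is one to move by hand into /etc/cups/cups-files.conf; an empty result means none of the listed directives remain in the lpadmin-editable file.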