Control: tags -1 + confirmed
On Thu, 2018-02-22 at 17:57 +0100, Didier 'OdyX' Raboud wrote:
> CUPS is affected by CVE-2017-18190: remote attackers could execute
> IPP commands by sending POST requests to the CUPS daemon in
> conjunction with
> DNS rebinding. This was caused by a whitelisted
> "localhost.localdomain" entry.
> According to the Security Team it doesn't warrant a DSA, but still
> makes sense
> to be addressed on Stretch (and Jessie). It was fixed independently
> on wheezy
> The proposed debdiff is attached; can I upload to stretch?
Please go ahead.
> Do you need another bug for Jessie ?