Package: cups-daemon
Version: 2.4.2-6
Severity: normal

Dear Maintainer,
While doing a routine update on my Debian/sid laptop today, I was greeted with the following:

> cups (2.4.2-6) unstable; urgency=low
>
>   In case this is not a fresh installation of cups, please double check
>   whether your cupsd.conf really does contain the limitation for
>   "CUPS-Get-Document" (see patch 0015-CVE-2023-32360.patch)
>
>  -- Thorsten Alteholz <[email protected]>  Tue, 19 Sep 2023 21:20:27 +0200

wth?

NEWS.Debian is a user-facing interface for telling them important news. (That's why they are shown in the first place.) As such, I think that the users ought to understand what this means.

I'm fine with the first two lines, but then it goes downhill. Which "limitation of CUPS-Get-Document"? Which patch? I think we cannot expect our users to do an 'apt-get source cupsd' to hunt down a patchfile and then understand the implications of what it does. Even if they are smart enough to just head over to <https://salsa.debian.org/printing-team/cups/-/blob/605d5df62adecb8941b9b3b25d5b0e92c0df752e/debian/patches/0015-CVE-2023-32360.patch> to inspect the patch. And then infer from the subject of the patch that they might also hunt down CVE-2023-32360 to see what this is all about.

*maybe* (but hey, I know that this is hard to write) something like this is better:

> This release addresses a security issue (CVE-2023-32360) which allows
> unauthorized users to fetch documents over local or remote networks.
> Since this is a configuration fix, it might be that it does not reach you if you
> are updating 'cups-daemon' (rather than doing a fresh installation).
> Please double check your /etc/cups/cupsd.conf file, whether it limits the access
> to CUPS-Get-Document with something like the following
>
>   <Limit CUPS-Get-Document>
>     AuthType Default
>     Require user @OWNER @SYSTEM
>     Order deny,allow
>   </Limit>
>
> (The important line is the 'AuthType Default' in this section)

(sidenote: since the NEWS.Debian file is shown only on upgrade, I think it is safe to assume that "this is not a fresh installation of cups".)

Thanks for maintaining cups, probably one of the most installed packages (outside of essential) in Debian (that's why I think it is even more important to get the NEWS right).

cheers

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.5.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-daemon depends on:
ii  adduser                       3.137
ii  bc                            1.07.1-3+b1
ii  init-system-helpers           1.65.2
ii  libavahi-client3              0.8-11
ii  libavahi-common3              0.8-11
ii  libc6                         2.37-10
ii  libcups2                      2.4.2-6
ii  libdbus-1-3                   1.14.10-1
ii  libgssapi-krb5-2              1.20.1-4
ii  libpam0g                      1.5.2-7
ii  libpaper1                     1.1.29
ii  libsystemd0                   254.4-1
ii  procps                        2:4.0.3-1
ii  ssl-cert                      1.1.2
ii  sysvinit-utils [lsb-base]     3.08-1

Versions of packages cups-daemon recommends:
ii  avahi-daemon  0.8-11
ii  colord        1.4.6-3
ii  cups-browsed  1.28.17-3
ii  ipp-usb       0.9.23-1+b6

Versions of packages cups-daemon suggests:
ii  cups                                        2.4.2-6
ii  cups-bsd                                    2.4.2-6
ii  cups-client                                 2.4.2-6
ii  cups-common                                 2.4.2-6
ii  cups-filters                                1.28.17-3
pn  cups-pdf                                    <none>
ii  cups-ppdc                                   2.4.2-6
ii  cups-server-common                          2.4.2-6
ii  foomatic-db-compressed-ppds [foomatic-db]   20230202-1
ii  ghostscript                                 10.02.0~dfsg-2
ii  poppler-utils                               22.12.0-2+b1
pn  smbclient                                   <none>
ii  udev                                        254.4-1

-- no debconf information
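As an added example, not part of this bug report or of the Debian cups packaging: a small POSIX sh script that performs the check the NEWS entry asks the user to do by hand, i.e. whether a given cupsd.conf contains a `<Limit CUPS-Get-Document>` block carrying `AuthType Default`. The function names and the three sample configs are mine (the samples are constructed, shortened policies, not real Debian files). It is deliberately narrow: it only recognises an explicit `CUPS-Get-Document` limit, not `<Limit All>` or `<LimitExcept>`, and it does not judge the `Require` line.

```shell
#!/bin/sh
# Added example, not code from the bug report or the cups package.
# check_get_document_limit FILE
#   exit 0  -> FILE has a <Limit CUPS-Get-Document> block containing "AuthType Default"
#   exit 1  -> no such block, or the block lacks "AuthType Default"
check_get_document_limit() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "<limit" {                 # start of a <Limit op ...> block
            inblock = 0
            for (i = 2; i <= NF; i++) {           # operation names follow "<Limit"
                op = $i; sub(/>$/, "", op)        # strip the closing ">" from the last one
                if (tolower(op) == "cups-get-document") inblock = 1
            }
            next
        }
        tolower($1) == "</limit>" { inblock = 0; next }
        inblock && tolower($1) == "authtype" && tolower($2) == "default" { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# report FILE: human-readable verdict (constructed wording, not a cups message)
report() {
    if check_get_document_limit "$1"; then
        echo "$1: CUPS-Get-Document is limited with AuthType Default"
    else
        echo "$1: MISSING <Limit CUPS-Get-Document> block with AuthType Default"
    fi
}

# write_samples DIR: three constructed policy fragments for trying the check out
write_samples() {
    cat > "$1/unfixed.conf" <<'EOF'
# constructed sample: no CUPS-Get-Document limit at all
<Policy default>
  JobPrivateAccess default
  <Limit Send-Document Send-URI Hold-Job Release-Job Cancel-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
EOF
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: block present but without the important AuthType line
<Policy default>
  <Limit CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
EOF
    cat > "$1/fixed.conf" <<'EOF'
# constructed sample: the block the NEWS entry asks for
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Cancel-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d"/unfixed.conf "$d"/weak.conf "$d"/fixed.conf; do report "$f"; done
    rm -rf "$d"
}

# Run on the samples with "--demo"; otherwise only define the functions so that
# "report /etc/cups/cupsd.conf" can be used after sourcing this file.
case "${1:-}" in --demo) demo ;; esac
```

Running it as `sh check.sh --demo` prints one verdict per sample; on a real system `report /etc/cups/cupsd.conf` after sourcing the file gives the answer the NEWS entry is asking the user for.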
