Your message dated Sat, 07 Oct 2023 12:41:28 +0100
with message-id
<84bb5ff8312f749ebe536897993782bf35aa1977.ca...@adam-barratt.org.uk>
and subject line Closing opu requests for updates included in 11.8
has caused the Debian Bug report #1053522,
regarding bullseye-pu: cups/2.3.3op2-3+deb11u6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1053522: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053522
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: [email protected]
Usertags: pu
After uploading the fix for CVE-2023-4504 and CVE-2023-32360 to Buster I
got some complaints:
- the mentioned filename of the cupsd configuration contained a typo
and several users were unsure what to do now ...
- ... especially as the contents of debian/NEWS was also shown on
computers where only cups client was installed.
So this upload fixes the typo and removes debian/NEWS again, so that the
text is only shown when cups-daemon will be updated.
I know it is rather late for this, but maybe this makes things easier for
our users.
Thorsten
diff -Nru cups-2.3.3op2/debian/changelog cups-2.3.3op2/debian/changelog
--- cups-2.3.3op2/debian/changelog 2023-09-29 21:20:27.000000000 +0200
+++ cups-2.3.3op2/debian/changelog 2023-10-05 16:35:27.000000000 +0200
@@ -1,3 +1,11 @@
+cups (2.3.3op2-3+deb11u6) bullseye; urgency=medium
+
+ * remove debian/NEWS again to avoid too much information when only
+ the client part is installed
+ * fix typo in config filename
+
+ -- Thorsten Alteholz <[email protected]> Thu, 05 Oct 2023 16:35:27 +0200
+
cups (2.3.3op2-3+deb11u5) bullseye; urgency=medium
* move debian/NEWS.Debian to debian/NEWS
diff -Nru cups-2.3.3op2/debian/cups-daemon.NEWS
cups-2.3.3op2/debian/cups-daemon.NEWS
--- cups-2.3.3op2/debian/cups-daemon.NEWS 2023-09-29 21:20:27.000000000
+0200
+++ cups-2.3.3op2/debian/cups-daemon.NEWS 2023-10-05 16:35:27.000000000
+0200
@@ -4,7 +4,7 @@
unauthorized users to fetch documents over local or remote networks.
Since this is a configuration fix, it might be that it does not reach you if
you
are updating 'cups-daemon' (rather than doing a fresh installation).
- Please double check your /etc/cups/cupds.conf file, whether it limits the
access
+ Please double check your /etc/cups/cupsd.conf file, whether it limits the
access
to CUPS-Get-Document with something like the following
> <Limit CUPS-Get-Document>
> AuthType Default
diff -Nru cups-2.3.3op2/debian/NEWS cups-2.3.3op2/debian/NEWS
--- cups-2.3.3op2/debian/NEWS 2023-09-29 21:20:27.000000000 +0200
+++ cups-2.3.3op2/debian/NEWS 1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-cups (2.3.3op2-3+deb11u5) bullseye; urgency=medium
-
- This release addresses a security issue (CVE-2023-32360) which allows
- unauthorized users to fetch documents over local or remote networks.
- Since this is a configuration fix, it might be that it does not reach you if
you
- are updating 'cups-daemon' (rather than doing a fresh installation).
- Please double check your /etc/cups/cupds.conf file, whether it limits the
access
- to CUPS-Get-Document with something like the following
- > <Limit CUPS-Get-Document>
- > AuthType Default
- > Require user @OWNER @SYSTEM
- > Order deny,allow
- > </Limit>
- (The important line is the 'AuthType Default' in this section)
-
- -- Thorsten Alteholz <[email protected]> Tue, 19 Sep 2023 21:20:27 +0200
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.8
Hi,
The updates referred to by each of these requests were included in
today's 11.8 bullseye point release.
Regards,
Adam
--- End Message ---
