Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Adam D. Barratt]

Control: tags -1 + pending

On Fri, 2017-07-21 at 14:59 +0200, Didier 'OdyX' Raboud wrote:
> Le mardi, 27 juin 2017, 20.32:11 h CEST Cyril Brulebois a écrit :
> > Assuming that this was successfully tested (including by setting those
> > two options to restore support for insecure crypto) on a jessie system,
> > and once you've fixed the codename in debian/changelog (you want jessie
> > rather than jessie-security), feel free to upload.
> 
> Uploaded now after testing. I also fixed a typo in the changelog: AllowSSLv3 
> vs AllowSSL3 (superfluous 'v').

Flagged for acceptance.

Regards,

Adam

Processed: Re: Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + pending
Bug #840643 [release.debian.org] jessie-pu: package cups/1.7.5-11+deb8u1
Added tag(s) pending.

-- 
840643: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840643
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Didier 'OdyX' Raboud]

Le mardi, 27 juin 2017, 20.32:11 h CEST Cyril Brulebois a écrit :
> Assuming that this was successfully tested (including by setting those
> two options to restore support for insecure crypto) on a jessie system,
> and once you've fixed the codename in debian/changelog (you want jessie
> rather than jessie-security), feel free to upload.

Uploaded now after testing. I also fixed a typo in the changelog: AllowSSLv3 
vs AllowSSL3 (superfluous 'v').

Sorry for the delay.

Cheers,
OdyX

signature.asc
Description: This is a digitally signed message part.

Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Cyril Brulebois]

Control: tag -1 confirmed

Hi,

Didier 'OdyX' Raboud  (2017-01-31):
> That's Ubuntu's patch as released in their 1.7.2-0ubuntu1.7 trusty-security 
> upload from Nov 2015, fixing [LP:1505328], written by Bryan Quigley and 
> reviewed by their security team member Marc Deslauriers. But they arguably 
> missed that wrong documentation change, indeed.
> 
> Updated debdiff attached.

Assuming that this was successfully tested (including by setting those
two options to restore support for insecure crypto) on a jessie system,
and once you've fixed the codename in debian/changelog (you want jessie
rather than jessie-security), feel free to upload.

Thanks.


KiBi.


signature.asc
Description: Digital signature

Processed: Re: Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Debian Bug Tracking System]

Processing control commands:

> tag -1 confirmed
Bug #840643 [release.debian.org] jessie-pu: package cups/1.7.5-11+deb8u1
Added tag(s) confirmed.

-- 
840643: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840643
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 -moreinfo
Bug #840643 [release.debian.org] jessie-pu: package cups/1.7.5-11+deb8u1
Removed tag(s) moreinfo.

-- 
840643: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840643
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Didier 'OdyX' Raboud]

Control: tags -1 -moreinfo

Hi there Adam,

Le samedi, 28 janvier 2017, 17.15:32 h CET Adam D. Barratt a écrit :
> On Tue, 2016-12-20 at 09:20 +0100, Didier 'OdyX' Raboud wrote:
> > Le samedi, 17 décembre 2016, 11.38:59 h CET Julien Cristau a écrit :
> > > The debdiff is the one we tend to look at, but it looks like it was not
> > > attached.
> > 
> > Indeed, sorry. Here it comes.
> 
> +--- a/doc/help/ref-cupsd-conf.html.in
>  b/doc/help/ref-cupsd-conf.html.in
> +@@ -2004,23 +2004,23 @@
> + variable that should be passed to child processes.
> +
> +
> +-SSLListen
> ++SSLOptions
> +
> + Examples
> +
> + 
> +-SSLListen 127.0.0.1:443
> +-SSLListen 192.0.2.1:443
> ++SSLOptions 127.0.0.1:443
> ++SSLOptions 192.0.2.1:443
> + 
> 
> This looks wrong, as do the remainder of the changes to that hunk of the
> diff.

That's Ubuntu's patch as released in their 1.7.2-0ubuntu1.7 trusty-security 
upload from Nov 2015, fixing [LP:1505328], written by Bryan Quigley and 
reviewed by their security team member Marc Deslauriers. But they arguably 
missed that wrong documentation change, indeed.

Updated debdiff attached.

-- 
OdyX

[LP:1505328] https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1505328diff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog	2015-06-09 09:45:50.0 +0200
+++ cups-1.7.5/debian/changelog	2016-10-10 10:05:10.0 +0200
@@ -1,3 +1,13 @@
+cups (1.7.5-11+deb8u2) jessie-security; urgency=high
+
+  * Disable SSLv3 and RC4 by default to address POODLE vulnerability
+(Closes: #839226)
+- Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4
+  respectively
+  * Refresh patches
+
+ -- Didier Raboud   Mon, 10 Oct 2016 10:05:10 +0200
+
 cups (1.7.5-11+deb8u1) jessie-security; urgency=high
 
   * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2016-10-10 10:05:10.0 +0200
@@ -27,7 +27,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -246,6 +246,9 @@
+@@ -248,6 +248,9 @@
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
  
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2016-10-10 10:05:10.0 +0200
@@ -21,7 +21,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -251,6 +251,9 @@
+@@ -253,6 +253,9 @@
  VAR int			IdleExitTimeout		VALUE(0);
  	/* Time after which an idle cupsd will exit */
  
@@ -51,7 +51,7 @@
  #endif /* HAVE_SYSTEMD */
 --- a/man/cupsd.conf.man.in
 +++ b/man/cupsd.conf.man.in
-@@ -521,6 +521,12 @@
+@@ -528,6 +528,12 @@
  "notify-events", "notify-pull-method", "notify-recipient-uri",
  "notify-subscriber-user-name", and "notify-user-data".
  .TP 5
diff -Nru cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch
--- cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2016-10-10 10:05:10.0 +0200
@@ -13,7 +13,7 @@
LogTimeFormat= CUPSD_TIME_STANDARD;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -166,7 +166,7 @@
+@@ -168,7 +168,7 @@
  	/* Allow overrides? */
  			ConfigFilePerm		VALUE(0640),
  	/* Permissions for config files */
diff -Nru cups-1.7.5/debian/patches/pidfile.patch cups-1.7.5/debian/patches/pidfile.patch
--- cups-1.7.5/debian/patches/pidfile.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/pidfile.patch	2016-10-10 10:05:10.0 +0200
@@ -24,7 +24,7 @@
  
if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf"))
  PrintcapFormat = PRINTCAP_SOLARIS;
-@@ -,6 +3335,7 @@
+@@ -3370,6 +3372,7 @@
   !_cups_strcasecmp(line, "SystemGroup") ||
   !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
   !_cups_strcasecmp(line, "TempDir") ||
@@ -34,7 +34,7 @@
cupsdLogMessage(CUPSD_LOG_INFO,
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -245,6 +245,8 @@
+@@ -247,6 +247,8 @@
  VAR int			SSLOptions		VALUE(CUPSD_SSL_NONE);
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
diff -Nru cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
--- 

Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Adam D. Barratt]

Control: tags -1 + moreinfo

On Tue, 2016-12-20 at 09:20 +0100, Didier 'OdyX' Raboud wrote:
> Control: tag -1 -moreinfo
> 
> Le samedi, 17 décembre 2016, 11.38:59 h CET Julien Cristau a écrit :
> > > - and debdiff
> > >   cups_1.7.5-11+deb8u2.debdiff
> > 
> > The debdiff is the one we tend to look at, but it looks like it was not
> > attached.
> 
> Indeed, sorry. Here it comes.

+--- a/doc/help/ref-cupsd-conf.html.in
 b/doc/help/ref-cupsd-conf.html.in
+@@ -2004,23 +2004,23 @@
+ variable that should be passed to child processes.
+ 
+ 
+-SSLListen
++SSLOptions
+ 
+ Examples
+ 
+ 
+-SSLListen 127.0.0.1:443
+-SSLListen 192.0.2.1:443
++SSLOptions 127.0.0.1:443
++SSLOptions 192.0.2.1:443
+ 

This looks wrong, as do the remainder of the changes to that hunk of the
diff.

Regards,

Adam

Processed: Re: Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Debian Bug Tracking System]

Processing control commands:

> tags -1 + moreinfo
Bug #840643 [release.debian.org] jessie-pu: package cups/1.7.5-11+deb8u1
Added tag(s) moreinfo.

-- 
840643: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840643
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Processed: Re: Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Debian Bug Tracking System]

Processing control commands:

> tag -1 -moreinfo
Bug #840643 [release.debian.org] jessie-pu: package cups/1.7.5-11+deb8u1
Removed tag(s) moreinfo.

-- 
840643: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840643
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Didier 'OdyX' Raboud]

Control: tag -1 -moreinfo

Le samedi, 17 décembre 2016, 11.38:59 h CET Julien Cristau a écrit :
> > - and debdiff
> > cups_1.7.5-11+deb8u2.debdiff
> 
> The debdiff is the one we tend to look at, but it looks like it was not
> attached.

Indeed, sorry. Here it comes.

-- 
Cheers,
OdyXdiff -Nru cups-1.7.5/debian/changelog cups-1.7.5/debian/changelog
--- cups-1.7.5/debian/changelog	2015-06-09 09:45:50.0 +0200
+++ cups-1.7.5/debian/changelog	2016-10-10 10:05:10.0 +0200
@@ -1,3 +1,13 @@
+cups (1.7.5-11+deb8u2) jessie-security; urgency=high
+
+  * Disable SSLv3 and RC4 by default to address POODLE vulnerability
+(Closes: #839226)
+- Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4
+  respectively
+  * Refresh patches
+
+ -- Didier Raboud   Mon, 10 Oct 2016 10:05:10 +0200
+
 cups (1.7.5-11+deb8u1) jessie-security; urgency=high
 
   * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout.patch	2016-10-10 09:55:05.0 +0200
@@ -27,7 +27,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -246,6 +246,9 @@
+@@ -248,6 +248,9 @@
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
  
diff -Nru cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch
--- cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/cupsd-idleexittimeout-systemd.patch	2016-10-10 09:55:10.0 +0200
@@ -21,7 +21,7 @@
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -251,6 +251,9 @@
+@@ -253,6 +253,9 @@
  VAR int			IdleExitTimeout		VALUE(0);
  	/* Time after which an idle cupsd will exit */
  
@@ -51,7 +51,7 @@
  #endif /* HAVE_SYSTEMD */
 --- a/man/cupsd.conf.man.in
 +++ b/man/cupsd.conf.man.in
-@@ -521,6 +521,12 @@
+@@ -528,6 +528,12 @@
  "notify-events", "notify-pull-method", "notify-recipient-uri",
  "notify-subscriber-user-name", and "notify-user-data".
  .TP 5
diff -Nru cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch
--- cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/log-debug-history-nearly-unlimited.patch	2016-10-10 09:55:09.0 +0200
@@ -13,7 +13,7 @@
LogTimeFormat= CUPSD_TIME_STANDARD;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -166,7 +166,7 @@
+@@ -168,7 +168,7 @@
  	/* Allow overrides? */
  			ConfigFilePerm		VALUE(0640),
  	/* Permissions for config files */
diff -Nru cups-1.7.5/debian/patches/pidfile.patch cups-1.7.5/debian/patches/pidfile.patch
--- cups-1.7.5/debian/patches/pidfile.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/pidfile.patch	2016-10-10 09:55:08.0 +0200
@@ -24,7 +24,7 @@
  
if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf"))
  PrintcapFormat = PRINTCAP_SOLARIS;
-@@ -,6 +3335,7 @@
+@@ -3370,6 +3372,7 @@
   !_cups_strcasecmp(line, "SystemGroup") ||
   !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
   !_cups_strcasecmp(line, "TempDir") ||
@@ -34,7 +34,7 @@
cupsdLogMessage(CUPSD_LOG_INFO,
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -245,6 +245,8 @@
+@@ -247,6 +247,8 @@
  VAR int			SSLOptions		VALUE(CUPSD_SSL_NONE);
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
diff -Nru cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch
--- cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch	2016-10-10 09:55:07.0 +0200
@@ -11,7 +11,7 @@
 
 --- a/scheduler/ipp.c
 +++ b/scheduler/ipp.c
-@@ -8249,6 +8249,11 @@
+@@ -8206,6 +8206,11 @@
ipp_attribute_t	*attr,		/* Current attribute */
  			*attr2,		/* Job attribute */
  			*prev2;		/* Previous job attribute */
@@ -23,7 +23,7 @@
  
  
   /*
-@@ -8310,6 +8315,85 @@
+@@ -8267,6 +8272,85 @@
}
  
   /*
diff -Nru cups-1.7.5/debian/patches/series cups-1.7.5/debian/patches/series
--- cups-1.7.5/debian/patches/series	2015-06-09 09:36:38.0 +0200
+++ cups-1.7.5/debian/patches/series	2016-10-10 09:54:51.0 +0200
@@ -6,6 +6,7 @@
 str4500-cupsGetPPD3-Only-use-symlink-if-file-is-readable-STR.patch
 str4551-fix-buffer-overflow-in-cupsRasterReadPixels.patch
 

Processed: Re: Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Debian Bug Tracking System]

Processing control commands:

> tag -1 moreinfo
Bug #840643 [release.debian.org] jessie-pu: package cups/1.7.5-11+deb8u1
Added tag(s) moreinfo.

-- 
840643: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840643
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Julien Cristau]

Control: tag -1 moreinfo

On Thu, Oct 13, 2016 at 16:28:58 +0200, Didier 'OdyX' Raboud wrote:

> We've been made aware that CUPS' SSL as of Jessie (and Wheezy, but I'll see
> this with the LTS team) is vulnerable to POODLE.
> 
> Here come:
> - patch;
>   str4476-disable-sslv3-and-rc4-by-default.patch
> - git commit series;
>   0001-Disable-SSLv3-and-RC4-by-default-to-address-POODLE-v.patch
>   0002-Refresh-patches.patch
>   0003-cups-1.7.5-11-deb8u2-Debian-release.patch
> - and debdiff
>   cups_1.7.5-11+deb8u2.debdiff
> 
The debdiff is the one we tend to look at, but it looks like it was not
attached.

Cheers,
Julien

Bug#840643: jessie-pu: package cups/1.7.5-11+deb8u1

[Didier 'OdyX' Raboud]

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

We've been made aware that CUPS' SSL as of Jessie (and Wheezy, but I'll see
this with the LTS team) is vulnerable to POODLE.

Here come:
- patch;
str4476-disable-sslv3-and-rc4-by-default.patch
- git commit series;
0001-Disable-SSLv3-and-RC4-by-default-to-address-POODLE-v.patch
0002-Refresh-patches.patch
0003-cups-1.7.5-11-deb8u2-Debian-release.patch
- and debdiff
cups_1.7.5-11+deb8u2.debdiff

Thanks for your consideration

--
Cheers,
OdyX
>From c2aabd5199b3acb0a1b4f3b4866ef87dc8cd6e68 Mon Sep 17 00:00:00 2001
From: Didier Raboud 
Date: Mon, 10 Oct 2016 10:05:10 +0200
Subject: [PATCH 3/3] cups 1.7.5-11+deb8u2 Debian release

---
 debian/changelog | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index bff361e..01fb495 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+cups (1.7.5-11+deb8u2) jessie-security; urgency=high
+
+  * Disable SSLv3 and RC4 by default to address POODLE vulnerability
+(Closes: #839226)
+- Implement SSLOptions to permit the use of AllowSSLv3 and AllowRC4
+  respectively
+  * Refresh patches
+
+ -- Didier Raboud   Mon, 10 Oct 2016 10:05:10 +0200
+
 cups (1.7.5-11+deb8u1) jessie-security; urgency=high
 
   * Import 1.7 upstream fix for CERT VU#810572: Privilege escalation through
-- 
2.9.3

>From c5d8f701e8d3cd9dc927705d16c31878bae0b5b0 Mon Sep 17 00:00:00 2001
From: Didier Raboud 
Date: Mon, 10 Oct 2016 10:03:37 +0200
Subject: [PATCH 2/3] Refresh patches

---
 debian/patches/cupsd-idleexittimeout-systemd.patch| 4 ++--
 debian/patches/cupsd-idleexittimeout.patch| 2 +-
 debian/patches/log-debug-history-nearly-unlimited.patch   | 2 +-
 debian/patches/pidfile.patch  | 4 ++--
 ...bedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch | 4 ++--
 debian/patches/systemd-optional-socket-activation.patch   | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/debian/patches/cupsd-idleexittimeout-systemd.patch b/debian/patches/cupsd-idleexittimeout-systemd.patch
index 4abc692..8800658 100644
--- a/debian/patches/cupsd-idleexittimeout-systemd.patch
+++ b/debian/patches/cupsd-idleexittimeout-systemd.patch
@@ -21,7 +21,7 @@ Last-Update: 2014-10-23
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -251,6 +251,9 @@
+@@ -253,6 +253,9 @@
  VAR int			IdleExitTimeout		VALUE(0);
  	/* Time after which an idle cupsd will exit */
  
@@ -51,7 +51,7 @@ Last-Update: 2014-10-23
  #endif /* HAVE_SYSTEMD */
 --- a/man/cupsd.conf.man.in
 +++ b/man/cupsd.conf.man.in
-@@ -521,6 +521,12 @@
+@@ -528,6 +528,12 @@
  "notify-events", "notify-pull-method", "notify-recipient-uri",
  "notify-subscriber-user-name", and "notify-user-data".
  .TP 5
diff --git a/debian/patches/cupsd-idleexittimeout.patch b/debian/patches/cupsd-idleexittimeout.patch
index c799b3c..9f5f3b4 100644
--- a/debian/patches/cupsd-idleexittimeout.patch
+++ b/debian/patches/cupsd-idleexittimeout.patch
@@ -27,7 +27,7 @@ Last-Update: 2014-06-04
LaunchdTimeout = 10;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -246,6 +246,9 @@
+@@ -248,6 +248,9 @@
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
  
diff --git a/debian/patches/log-debug-history-nearly-unlimited.patch b/debian/patches/log-debug-history-nearly-unlimited.patch
index 25378cb..fc66d3e 100644
--- a/debian/patches/log-debug-history-nearly-unlimited.patch
+++ b/debian/patches/log-debug-history-nearly-unlimited.patch
@@ -13,7 +13,7 @@ Author: till.kamppe...@gmail.com
LogTimeFormat= CUPSD_TIME_STANDARD;
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -166,7 +166,7 @@
+@@ -168,7 +168,7 @@
  	/* Allow overrides? */
  			ConfigFilePerm		VALUE(0640),
  	/* Permissions for config files */
diff --git a/debian/patches/pidfile.patch b/debian/patches/pidfile.patch
index 9496ed1..90bc57b 100644
--- a/debian/patches/pidfile.patch
+++ b/debian/patches/pidfile.patch
@@ -24,7 +24,7 @@ Last-Update: 2012-11-29
  
if (!strcmp(CUPS_DEFAULT_PRINTCAP, "/etc/printers.conf"))
  PrintcapFormat = PRINTCAP_SOLARIS;
-@@ -,6 +3335,7 @@
+@@ -3370,6 +3372,7 @@
   !_cups_strcasecmp(line, "SystemGroup") ||
   !_cups_strcasecmp(line, "SystemGroupAuthKey") ||
   !_cups_strcasecmp(line, "TempDir") ||
@@ -34,7 +34,7 @@ Last-Update: 2012-11-29
cupsdLogMessage(CUPSD_LOG_INFO,
 --- a/scheduler/conf.h
 +++ b/scheduler/conf.h
-@@ -245,6 +245,8 @@
+@@ -247,6 +247,8 @@
  VAR int			SSLOptions		VALUE(CUPSD_SSL_NONE);
  	/* SSL/TLS options */
  #endif /* HAVE_SSL */
diff --git a/debian/patches/read-embedded-options-from-incoming-postscript-and-add-to-ipp-attrs.patch