Patric, this is not a 'security fix to change from "let's log this" into "let's not start cupsd"', the security fix is actually that when one puts a directive into cupsd.conf which requires an argument and one only puts the directive itself, without argument, CUPS crashed, which opens an actual vulnerability. The addition of properly checking the directives in cupsd.conf had as side effect that invalid directives stopped CUPS.
With his latest patch, Michael Sweet has now given a "grace period" to the bad directives which triggered bug reports, now, producing a log message and not stopping CUPS, at least for some versions. This is not perfect, as, as you say, others (or you?) get the same problem having "BrowseAddress" or "BrowseOrder" in their cupsd.conf. In my opinion, an invalid directive in a config file should not be fatal, but log an error message, of level "Error", so that it gets also logged in the default/lowest level logging mode. This would keep CUPS at least running but if it shows an unexpected behavior (mis-typed directive or directive not supported any more after update) the user sees the error messages in the log. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2133207 Title: cups security update causes issues with invalid config file To manage notifications about this bug go to: https://bugs.launchpad.net/cups/+bug/2133207/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
