ELA-978-1 cups security update

buffer overflow and bad default configuration

2023-10-03
Package: cups
Version: 1.7.5-11+deb8u12 (jessie), 2.2.1-8+deb9u11 (stretch)
Related CVEs: CVE-2023-4504, CVE-2023-32360


Two issues have been found in cups, the Common UNIX Printing System(tm).

CVE-2023-4504

Because of a missing boundary check, a crafted PostScript document can trigger a heap-based buffer overflow, which might allow code execution.

CVE-2023-32360

The default configuration did not require authentication for the CUPS-Get-Document operation, so unauthorized users might have been able to fetch recently printed documents.

Because this fix lives in a configuration file, upgrading the package might not apply it to your system: if you have modified /etc/cups/cupsd.conf locally, dpkg will not silently replace it with the new default. Please double-check that your /etc/cups/cupsd.conf restricts access to the CUPS-Get-Document operation with a section like the following:

    <Limit CUPS-Get-Document>
      AuthType Default
      Require user @OWNER @SYSTEM
      Order deny,allow
    </Limit>

(The important line is 'AuthType Default' in this section: without it cupsd does not demand credentials for the operation, and the 'Require user @OWNER @SYSTEM' check is only as strong as the user name the client itself supplies.)
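The following script is an added example, not part of this advisory or of the cups package: it checks whether a given cupsd.conf requires authentication for CUPS-Get-Document in the way described above, so the manual inspection can be scripted across a fleet. The three sample policies it writes are constructed and abbreviated (the real default policy lists many more operations); the function and file names are chosen here.

```shell
#!/bin/sh
# Added example (not from the advisory or from cups): does a cupsd.conf require
# authentication for CUPS-Get-Document?  Sample policies below are constructed.

# Exit 0 if, inside <Policy default>, the <Limit ...> block covering
# CUPS-Get-Document contains "AuthType Default"; exit 1 otherwise.  An explicit
# <Limit ... CUPS-Get-Document ...> block takes precedence over <Limit All>,
# as it does in cupsd.  A file with no <Policy default> at all reports 1.
check_get_document_auth() {
    awk '
        function ops_of(line,  s) {          # operation list inside "<Limit ...>"
            s = tolower(line)
            sub(/^[[:space:]]*<limit[[:space:]]+/, "", s)
            sub(/[[:space:]]*>.*$/, "", s)
            return s
        }
        tolower($0) ~ /^[[:space:]]*<policy[[:space:]]/ {
            s = tolower($0)
            sub(/^[[:space:]]*<policy[[:space:]]+/, "", s); sub(/[[:space:]]*>.*$/, "", s)
            in_default = (s == "default"); next
        }
        tolower($0) ~ /^[[:space:]]*<\/policy>/ { in_default = 0; next }
        in_default && tolower($0) ~ /^[[:space:]]*<limit[[:space:]]/ {
            in_limit = 1; covers = 0; is_all = 0; authdef = 0
            n = split(ops_of($0), op, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                if (op[i] == "cups-get-document") covers = 1
                if (op[i] == "all") is_all = 1
            }
            next
        }
        in_default && in_limit && tolower($0) ~ /^[[:space:]]*<\/limit>/ {
            if (covers) { explicit_found = 1; if (authdef) explicit_ok = 1 }
            if (is_all && authdef) all_ok = 1
            in_limit = 0; next
        }
        in_default && in_limit && tolower($1) == "authtype" && tolower($2) == "default" { authdef = 1 }
        END {
            if (explicit_found) ok = explicit_ok; else ok = all_ok
            exit !ok
        }
    ' "$1"
}

# Same check, reported as a word ("required" / "missing").
get_document_auth_status() {
    if check_get_document_auth "$1"; then echo required; else echo missing; fi
}

# Writes three constructed sample policies into the directory given as $1.
make_samples() {
    # Shape of the pre-fix default: CUPS-Get-Document shares a block with other
    # job operations and has "Require user" but no AuthType.
    cat > "$1/old.conf" <<'EOF'
<Policy default>
  <Limit Send-Document Hold-Job Release-Job CUPS-Move-Job CUPS-Get-Document>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
EOF
    # Shape of the fixed default: CUPS-Get-Document gets its own block with AuthType Default.
    cat > "$1/fixed.conf" <<'EOF'
<Policy default>
  <Limit Send-Document Hold-Job Release-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Get-Document>
    AuthType Default
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
</Policy>
EOF
    # Edge case: no explicit block, but the catch-all <Limit All> requires authentication.
    cat > "$1/limit-all.conf" <<'EOF'
<Policy default>
  <Limit All>
    AuthType Default
    Order deny,allow
  </Limit>
</Policy>
EOF
}

# Stand-alone demonstration on the constructed samples.
tmp=$(mktemp -d)
make_samples "$tmp"
for f in old fixed limit-all; do
    echo "$f.conf: authentication for CUPS-Get-Document $(get_document_auth_status "$tmp/$f.conf")"
done
rm -rf "$tmp"
```

On a real host run check_get_document_auth /etc/cups/cupsd.conf; a non-zero exit means the section above is missing and the file needs to be edited (and cupsd restarted) by hand. The check only looks at <Policy default>; if your printers use a different operation policy, inspect that <Policy> block as well.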



For Debian 8 jessie, these problems have been fixed in version 1.7.5-11+deb8u12.

For Debian 9 stretch, these problems have been fixed in version 2.2.1-8+deb9u11.

We recommend that you upgrade your cups packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.