Linux Vulnerability Announced, Details Kept Secret [Solved]
Re: Linux Vulnerability Announced, Details Kept Secret
It looked like the fixes that were posted resolved 3 of the 4 issues?
If your machine is not in a hostile environment, and you have a firewall between you and the internet (ie your machine ip is not exposed TO the internet)... then there is little chance there will be an issue.
But, yes, it looks like blocking UDP port 631 will be the best stop for this.
*QSI = Quick System Info from menu (Copy for Forum)
*MXPI = MX Package Installer
*Please check the solved checkbox on the post that solved it.
*Linux -This is the way!
Re: Linux Vulnerability Announced, Details Kept Secret
> But, yes, it looks like blocking UDP port 631 will be the best stop for this.
@CharlesV Silly(?) Question:
I am not (to the best of my knowledge) in a hostile environment, and I occasionally use port 631 (localhost) to login, via my password-protected router, into "CUPS", so as to maintain and/or change my printers (drivers, names, etc), that are all (Network) shared on my Local Network (router).
Given all of the previous comments, should I NOT be using port 631?
I do not know of any other way to login to CUPS.
Oh...I'm not sure if I'm using UDP, or some other protocol. I guess I'm using whatever the defaults are for all MX distros (KDE, Fluxbox, Xfce)-- I use all of them.
Awaiting precious explication...

- mxethernut
- Posts: 73
- Joined: Mon Jul 01, 2024 11:38 am
Re: Linux Vulnerability Announced, Details Kept Secret
@operadude: Looks like you do not want to disable the systemd cups-browsed service because you need your printers:
joekamprad @EOS forum wrote:
to check if you have it enabled
Code: Select all
systemctl status cups-browsed
to stop/disable.
Code: Select all
sudo systemctl disable --now cups-browsed
Is it
Code: Select all
status cups-browsed.service
and
Code: Select all
sudo disable cups-browsed.service
on Sysvinit? (Not using it b/c of sound issues)
Do you have ufw/gufw installed and running as a service? You can close port 631 with this firewall. It will protect this and all other ports by default.
ufw deny 631/tcp >> Please check https://docs.e2enetworks.com/guides/ufw.html, this is for systemd however.
Last edited by mxethernut on Mon Sep 30, 2024 6:44 am, edited 2 times in total.
Re: Linux Vulnerability Announced, Details Kept Secret
Hello, LinuxSpring1.
LinuxSpring1 wrote: ↑Mon Sep 30, 2024 12:41 am
So if the service cups-browsed is disabled or the package is uninstalled then will not the printing and scanning be impacted? Because the RedHat article refers to the case where printing is not needed. Many of us are using Desktops and there printing and scanning is required.
The answer to this question is: well, it depends.
In case your network MFP printer has been added to your system through cups-browsed only, then switching off cups-browsed will indeed make the device disappear from the system again. So, the answer in this case would be: yes.
In case, however, your network MFP device has been set up manually e.g. through HPLIP like my HP Color Laserjet Pro MFP M277dw, then during this setup the MFP's IP address has been added to the relevant configuration files. As a consequence the system will not depend on cups-browsed in order to connect to the MFP. Printing and scanning will work without cups-browsed.
Note:
HPLIP is only used for HP printers and scanners. For printers of other producers you will have to install their appropriate driver software instead.
Hope my explanation was not too confusing.
Karl
"I killed her in pure self-defense", said the bear after crushing the mouse. "She threatened my life."
The Prophet's Song
Re: Linux Vulnerability Announced, Details Kept Secret
Hello, mxethernut-
mxethernut wrote: ↑Mon Sep 30, 2024 5:18 am
Do you have ufw/gufw installed and running as a service? You can close port 631 with this firewall.
Code: Select all
ufw deny 631/tcp
Closing TCP port 631 is closing the CUPS port. I suspect this will prevent you from printing completely.
In order to prevent connecting to cups-browsed from outside you have to close UDP port 631.
In the most simple scenario you simply switch on ufw by executing
Code: Select all
sudo ufw enable
This will tell the MX software firewall to reject any incoming connection requests, including UDP port 631.
Karl
Re: Linux Vulnerability Announced, Details Kept Secret
mxethernut wrote: ↑Mon Sep 30, 2024 5:18 am
@operadude: Looks like you do not want to disable the systemd cups-browsed service because you need your printers:
joekamprad @EOS forum wrote:
to check if you have it enabled
Code: Select all
systemctl status cups-browsed
to stop/disable.
Code: Select all
sudo systemctl disable --now cups-browsed
Is it
Code: Select all
status cups-browsed.service
and
Code: Select all
sudo disable cups-browsed.service
on Sysvinit? (Not using it b/c of sound issues)
Do you have ufw/gufw installed and running as a service? You can close port 631 with this firewall. It will protect this and all other ports by default.
ufw deny 631/tcp >> Please check https://docs.e2enetworks.com/guides/ufw.html, this is for systemd however.
Yeah, I am not changing anything until I hear that I really should!
Thanks for the command snippets, but I am using sysVinit, and thus no "systemctl":
Code: Select all
$ systemctl status cups-browsed
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
Code: Select all
$ systemctl status cups-browsed.service
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
> Do you have ufw/gufw installed and running as a service? You can close port 631 with this firewall. It will protect this and all other ports by default.
My ufw status:
Code: Select all
$ sudo ufw status
[sudo] password for opera-dude:
Status: active

Re: Linux Vulnerability Announced, Details Kept Secret
karlchen wrote: ↑Mon Sep 30, 2024 5:59 am
Hello, mxethernut-
mxethernut wrote: ↑Mon Sep 30, 2024 5:18 am
Do you have ufw/gufw installed and running as a service? You can close port 631 with this firewall.
Code: Select all
ufw deny 631/tcp
Closing TCP port 631 is closing the CUPS port. I suspect this will prevent you from printing completely.
In order to prevent connecting to cups-browsed from outside you have to close UDP port 631.
In the most simple scenario you simply switch on ufw by executing
Code: Select all
sudo ufw enable
This will tell the MX software firewall to reject any incoming connection requests, including UDP port 631.
Karl

Feeling better that I have "ufw" enabled (I think it's the default now)

Re: Linux Vulnerability Announced, Details Kept Secret
Code: Select all
Start-Date: 2024-09-30 01:10:34
Commandline: apt dist-upgrade
Requested-By: aika (1000)
Upgrade: libcups2:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-filters:amd64 (1.28.7-1+deb11u2, 1.28.7-1+deb11u3), cups-bsd:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-common:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-client:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-ppdc:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-daemon:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), libfontembed1:amd64 (1.28.7-1+deb11u2, 1.28.7-1+deb11u3), cups-filters-core-drivers:amd64 (1.28.7-1+deb11u2, 1.28.7-1+deb11u3), cups-ipp-utils:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-browsed:amd64 (1.28.7-1+deb11u2, 1.28.7-1+deb11u3), cups-core-drivers:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-server-common:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), libcupsfilters1:amd64 (1.28.7-1+deb11u2, 1.28.7-1+deb11u3)
End-Date: 2024-09-30 01:11:20
My firewall was activated beforehand anyway:
Code: Select all
sudo ufw status verbose
[sudo] Passwort für aika:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
5060/udp                   ALLOW IN    Anywhere
1720/tcp                   ALLOW IN    Anywhere
39275/udp                  ALLOW IN    Anywhere
...
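Added example, not part of any post in this thread: a shell check for the question discussed above, whether UDP port 631 is reachable on the machine. It parses `ss -H -lun` and `ufw status verbose` output and needs no systemctl, so it also runs on sysVinit; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: is UDP 631 (cups-browsed) reachable from the network?
# Simplified parsing: ufw rules using port ranges or application profiles
# are not evaluated.

# stdin: `ss -H -lun` output. Prints none | loopback-only | network.
udp631_exposure() {
    awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /:631$/) {
              found = 1
              if ($i !~ /^(127\.|\[::1\])/) net = 1
          } }
        END { print (net ? "network" : (found ? "loopback-only" : "none")) }'
}

# stdin: `ufw status verbose` output. Prints open | blocked for inbound UDP 631.
ufw_udp631_verdict() {
    awk '
        BEGIN       { def = "open" }   # assume unfiltered until a Default line says otherwise
        /^Status:/  { active = ($2 == "active") }
        /^Default:/ { def = ($2 == "allow") ? "open" : "blocked" }
        # First matching rule wins. A 631/tcp rule does not match here.
        verdict == "" && ($1 == "631" || $1 == "631/udp") {
            if ($0 ~ /(ALLOW|LIMIT) IN/)      verdict = "open"
            else if ($0 ~ /(DENY|REJECT) IN/) verdict = "blocked"
        }
        END {
            if (!active)            print "open"     # ufw is not filtering
            else if (verdict != "") print verdict
            else                    print def
        }'
}

assess() {   # $1 = ss output, $2 = ufw output
    l=$(printf '%s\n' "$1" | udp631_exposure)
    f=$(printf '%s\n' "$2" | ufw_udp631_verdict)
    case "$l/$f" in
        network/open)    echo "EXPOSED: UDP 631 reachable from the network" ;;
        network/blocked) echo "FILTERED: listener present, ufw blocks inbound UDP 631" ;;
        *)               echo "OK: no network listener on UDP 631" ;;
    esac
}

# Constructed sample input (the ufw part is modelled on the output posted above).
SS_SAMPLE='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*'
UFW_SAMPLE='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
5060/udp                   ALLOW IN    Anywhere'
assess "$SS_SAMPLE" "$UFW_SAMPLE"
# Live use: assess "$(ss -H -lun)" "$(sudo ufw status verbose)"
```

A `631/tcp` rule leaves the UDP verdict unchanged, which matches the TCP-versus-UDP distinction made earlier in the thread.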
- mxethernut
- Posts: 73
- Joined: Mon Jul 01, 2024 11:38 am
Re: Linux Vulnerability Announced, Details Kept Secret
> Feeling better that I have "ufw" enabled (I think it's the default now)
Unsure, it might be. Is it?
I remember Manjaro had it off by default
- mxethernut
- Posts: 73
- Joined: Mon Jul 01, 2024 11:38 am
Re: Linux Vulnerability Announced, Details Kept Secret
Yes you probably are.
Can you try:
Code: Select all
status cups-browsed
Code: Select all
status cups-browsed.service