Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Sun Sep 29, 2024 1:41 pm
Thank you MX/Debian for getting updates out quickly!
Just got the updates.
https://linuxsecurity.com/advisories/de ... xob7hyzfsf
MX Linux Forum
Support for MX and antiX Linux distros
http://www.forum.mxlinux.org/
Linux Vulnerability Announced, Details Kept Secret
Page 3 of 5
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Sun Sep 29, 2024 2:48 pm
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Sun Sep 29, 2024 2:49 pm
I SO hit on those like a boss. 
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Sun Sep 29, 2024 3:13 pm
Details Kept Secret
Hm details were disclosed, but above my knowledge!
https://youtu.be/lXljErWpcRQ?t=68
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Sun Sep 29, 2024 4:50 pm
So all the Linux installs around the world aren't going to get pwnd any time soon?
Re: Linux Vulnerability Announced, Details Not Kept Secret
Posted: Sun Sep 29, 2024 5:41 pm
Hi, folks.
Although the thread title told otherwise, the details about the CUPS vulnerabilities have been publically available since September 26th e.g. in several written articles on several webpages.
Anway.
The most important detail is: the Debian CUPS patches are being distributed by the MX Updater by now.
Received them on my MX 21.3 only a few minutes ago.
Karl
Although the thread title told otherwise, the details about the CUPS vulnerabilities have been publically available since September 26th e.g. in several written articles on several webpages.
Anway.
The most important detail is: the Debian CUPS patches are being distributed by the MX Updater by now.
Received them on my MX 21.3 only a few minutes ago.
Code: Select all
cups (2.3.3op2-3+deb11u9) bullseye-security; urgency=medium
* CVE-2024-47175
Fix CVE and upstream also added some extra hardening to patch
- validate URIs, attribute names, and capabilities
in cups/ppd-cache.c, scheduler/ipp.c
- sanitize make and model in cups/ppd-cache.c
- PPDize preset and template names in cups/ppd-cache.c
- quote PPD localized strings in cups/ppd-cache.c
- fix warnings in cups/ppd-cache.c
-- Thorsten Alteholz <debian@alteholz.de> Thu, 26 Sep 2024 23:45:05 +0200Code: Select all
cups-filters (1.28.7-1+deb11u3) bullseye-security; urgency=high
* CVE-2024-47076 (Closes: #1082827)
cfGetPrinterAttributes5(): Validate response attributes before return
* CVE-2024-47176 (Closes: #1082820)
Default BrowseRemoteProtocols should not include "cups" protocol
-- Thorsten Alteholz <debian@alteholz.de> Thu, 26 Sep 2024 23:45:05 +0200Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Sun Sep 29, 2024 6:25 pm
carlchen wrote
Thanks for the swift action.
Thanks to the dev and packaging team, and up stream at Debian.The most important detail is: the Debian CUPS patches are being distributed by the MX Updater by now.
Received them on my MX 21.3 only a few minutes ago.
Thanks for the swift action.
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Sun Sep 29, 2024 6:35 pm
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Sun Sep 29, 2024 7:30 pm
All credit goes to Debian for this response, we devs just stand by and cheer them on for these fixes.entropyfoe wrote: ↑Sun Sep 29, 2024 6:25 pm carlchen wroteThanks to the dev and packaging team, and up stream at Debian.The most important detail is: the Debian CUPS patches are being distributed by the MX Updater by now.
Received them on my MX 21.3 only a few minutes ago.
Thanks for the swift action.
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Mon Sep 30, 2024 12:41 am
The temporary fix for this as mentioned in the link is toCharlesV wrote: ↑Thu Sep 26, 2024 8:35 pm Another short read on the issue
https://www.phoronix.com/news/Linux-CVSS-9.9-Rating
So till a fix is made available does the UDP port 631 need to be blocked? And/Or should the cups-browsed service be disabled? It is enabled by default on KDE MX Linux 23.3 having Debian 12.7.This remote code execution issue can be exploited across the public Internet via a UDP packet to port 631 without needing any authentication, assuming the CUPS port is open through your router/firewall. LAN attacks are also possible via spoofing zeroconf / mDNS / DNS-SD advertisements.
Besides CUPS being used on Linux distributions, it also affects some BSDs, Oracle Solaris, Google Chrome OS, and others.
As of writing there is no Linux fix available for this high profile security issue. In the meantime it's recommended to disable and remove the "cups-browsed" service, updating CUPS, or at least blocking all traffic to UDP port 631.
Actually @dreamer that might not be correct. From the article that is linkeddreamer wrote: ↑Sat Sep 28, 2024 6:53 am The severe vulnerability 9.9/10 doesn’t impact basic printing and scanning.
The easiest solution is to uninstall the cups-browsed package. I always do this on my personal snapshots. It doesn’t affect printing or scanning. If you don’t want to uninstall the cups-browsed package you can disable the service while you wait for patches to be delivered.
Red Hat has a good write-up:
https://www.redhat.com/en/blog/red-hat- ... rabilities
So if the service cups-browsed is disabled or the package is uninstalled then will not the printing and scanning be impacted? Because the RedHat article refers to the case where printing is not needed. Many of us are using Desktops and there printing and scanning is required.Mitigation of these vulnerabilities is as simple as running two commands, especially in any environment where printing is not needed.