Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Mon Sep 30, 2024 12:50 am
by CharlesV
It looked like the fixes that were posted resolved 3 of the 4 issues?
If your machine is not in a hostile environment, and you have a firewall between you and the internet (i.e. your machine IP is not exposed TO the internet)... then there is little chance there will be an issue.
But, yes, it looks like blocking UDP port 631 will be the best stop for this.
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Mon Sep 30, 2024 4:10 am
by operadude
But, yes, it looks like blocking UDP port 631 will be the best stop for this.
@CharlesV Silly(?) Question:
I am not (to the best of my knowledge) in a hostile environment, and I occasionally use port 631 (localhost) to login, via my password-protected router, into "CUPS", so as to maintain and/or change my printers (drivers, names, etc), that are all (Network) shared on my Local Network (router).
Given all of the previous comments, should I NOT be using port 631?
I do not know of any other way to login to CUPS.
Oh...I'm not sure if I'm using UDP, or some other protocol. I guess I'm using whatever the defaults are for all MX distros (KDE, Fluxbox, Xfce)-- I use all of them.
Awaiting precious explication...

Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Mon Sep 30, 2024 5:18 am
by mxethernut
@operadude: Looks like you do not want to disable the systemd cups-browsed service because you need your printers:
joekamprad @EOS forum wrote:
to check if you have it enabled
Code:
sudo systemctl disable --now cups-browsed
to stop/disable.
Is it
and
on Sysvinit? (Not using it b/c of sound issues)
Do you have ufw/gufw installed and running as a service?
You can close port 631 with this firewall. It will protect this and all other ports by default.
ufw deny 631/tcp >> Please check https://docs.e2enetworks.com/guides/ufw.html, this is for systemd however.
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Mon Sep 30, 2024 5:50 am
by karlchen
Hello, LinuxSpring1.
LinuxSpring1 wrote: ↑Mon Sep 30, 2024 12:41 am
So if the service cups-browsed is disabled or the package is uninstalled then will not the printing and scanning be impacted? Because the RedHat article refers to the case where printing is not needed. Many of us are using Desktops and there printing and scanning is required.
The answer to this question is: well, it depends.
In case your network MFP printer has been added to your system through cups-browsed only, then switching off cups-browsed will indeed make the device disappear from the system again. So, the answer in this case would be: yes.
In case, however, your network MFP device has been set up manually e.g. through HPLIP like my HP Color Laserjet Pro MFP M277dw, then during this setup the MFP's IP address has been added to the relevant configuration files. As a consequence the system will not depend on cups-browsed in order to connect to the MFP. Printing and scanning will work without cups-browsed.
Note:
HPLIP is only used for HP printers and scanners. For printers of other producers you will have to install their appropriate driver software instead.
Hope my explanation was not too confusing.
Karl
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Mon Sep 30, 2024 5:59 am
by karlchen
Hello, mxethernut.
mxethernut wrote: ↑Mon Sep 30, 2024 5:18 am
Do you have ufw/gufw installed and running as a service? You can close port 631 with this firewall.
Closing TCP port 631 is closing the CUPS port. I suspect this will prevent you from printing completely.
In order to prevent connecting to cups-browsed from outside you have to close UDP port 631.
In the most simple scenario you simply switch on ufw by executing
This will tell the MX software firewall to reject any incoming connection requests, including UDP port 631.
Karl
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Mon Sep 30, 2024 7:44 am
by operadude
mxethernut wrote: ↑Mon Sep 30, 2024 5:18 am
@operadude: Looks like you do not want to disable the systemd cups-browsed service because you need your printers:
joekamprad @EOS forum wrote:
to check if you have it enabled
Code:
sudo systemctl disable --now cups-browsed
to stop/disable.
Is it
and
on Sysvinit? (Not using it b/c of sound issues)
Do you have ufw/gufw installed and running as a service?
You can close port 631 with this firewall. It will protect this and all other ports by default.
ufw deny 631/tcp >> Please check https://docs.e2enetworks.com/guides/ufw.html, this is for systemd however.
Yeah, I am not changing anything until I hear that I really should!
Thanks for the command snippets, but I am using sysVinit, and thus no "systemctl":
Code:
$ systemctl status cups-browsed
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
And:
Code:
$ systemctl status cups-browsed.service
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
Good to Know:
Do you have ufw/gufw installed and running as a service? You can close port 631 with this firewall. It will protect this and all other ports by default.
My ufw status:
Code:
$ sudo ufw status
[sudo] password for opera-dude:
Status: active
Assuming for now that I'm OK.

Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Mon Sep 30, 2024 7:50 am
by operadude
karlchen wrote: ↑Mon Sep 30, 2024 5:59 am
Hello, mxethernut.
mxethernut wrote: ↑Mon Sep 30, 2024 5:18 am
Do you have ufw/gufw installed and running as a service? You can close port 631 with this firewall.
Closing TCP port 631 is closing the CUPS port. I suspect this will prevent you from printing completely.
In order to prevent connecting to cups-browsed from outside you have to close UDP port 631.
In the most simple scenario you simply switch on ufw by executing
This will tell the MX software firewall to reject any incoming connection requests, including UDP port 631.
Karl
Feeling better that I have "ufw" enabled (I think it's the default now)

Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Mon Sep 30, 2024 9:34 am
by aika
mxethernut wrote: ↑Sun Sep 29, 2024 1:41 pm
Thank you MX/Debian for getting updates out quickly!
Code:
Start-Date: 2024-09-30 01:10:34
Commandline: apt dist-upgrade
Requested-By: aika (1000)
Upgrade: libcups2:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-filters:amd64 (1.28.7-1+deb11u2, 1.28.7-1+deb11u3), cups-bsd:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-common:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-client:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-ppdc:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-daemon:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), libfontembed1:amd64 (1.28.7-1+deb11u2, 1.28.7-1+deb11u3), cups-filters-core-drivers:amd64 (1.28.7-1+deb11u2, 1.28.7-1+deb11u3), cups-ipp-utils:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-browsed:amd64 (1.28.7-1+deb11u2, 1.28.7-1+deb11u3), cups-core-drivers:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), cups-server-common:amd64 (2.3.3op2-3+deb11u8, 2.3.3op2-3+deb11u9), libcupsfilters1:amd64 (1.28.7-1+deb11u2, 1.28.7-1+deb11u3)
End-Date: 2024-09-30 01:11:20
My firewall was activated beforehand anyway:
Code:
sudo ufw status verbose
[sudo] Passwort für aika:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
5060/udp                   ALLOW IN    Anywhere
1720/tcp                   ALLOW IN    Anywhere
39275/udp                  ALLOW IN    Anywhere
...
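The thread separates TCP port 631 (CUPS itself) from UDP port 631 (cups-browsed) and relies on `ufw status verbose` to judge exposure; the script below is an added example, not part of any post, that makes that check explicit and does not depend on systemd. The function names and sample texts are constructed for illustration, and the `--live` mode assumes `ss` (iproute2) is installed and that the script runs as root.

```shell
#!/bin/sh
# Added example (not from the thread). Sample texts below are constructed.

# stdin: `ufw status verbose` output. Exit 0 if inbound UDP 631 is blocked.
# Conservative: any ALLOW/LIMIT rule naming 631 or 631/udp counts as open,
# whatever its source; port ranges and application profiles are not interpreted.
ufw_blocks_udp631() {
  awk '
    /^Status: active/                      { active = 1 }
    /^Default: (deny|reject) \(incoming\)/ { default_block = 1 }
    ($1 == "631" || $1 == "631/udp") && $0 !~ / OUT / {
      if ($0 ~ / (ALLOW|LIMIT) /) opened = 1
      if ($0 ~ / (DENY|REJECT) /) denied = 1
    }
    END { exit !(active && !opened && (default_block || denied)) }'
}

# stdin: `ss -uln` output. Exit 0 if some socket is bound to UDP port 631.
udp631_bound() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:631$/) found = 1 }
       END { exit !found }'
}

# $1 = ufw text, $2 = ss text. Prints one of three verdicts.
verdict() (
  bound=no; blocked=no
  printf '%s\n' "$2" | udp631_bound && bound=yes
  printf '%s\n' "$1" | ufw_blocks_udp631 && blocked=yes
  if [ "$bound" = no ]; then echo "udp631-not-listening"
  elif [ "$blocked" = yes ]; then echo "udp631-listening-firewalled"
  else echo "udp631-exposed"; fi
)

# Constructed samples: a default-deny firewall, and one that only denies TCP 631.
UFW_DEFAULT_DENY='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)
5060/udp                   ALLOW IN    Anywhere'
UFW_TCP_ONLY='Status: active
Default: allow (incoming), allow (outgoing), disabled (routed)
631/tcp                    DENY IN     Anywhere'
SS_BROWSED='UNCONN 0 0 0.0.0.0:631 0.0.0.0:*'
SS_QUIET='UNCONN 0 0 0.0.0.0:68 0.0.0.0:*'

if [ "${1:-}" = "--live" ]; then   # run as root so ufw can report its rules
  verdict "$(ufw status verbose)" "$(ss -uln)"
else
  verdict "$UFW_DEFAULT_DENY" "$SS_BROWSED"
  verdict "$UFW_TCP_ONLY" "$SS_BROWSED"
fi
```

The second sample shows why a `631/tcp` rule alone does not cover cups-browsed: the UDP listener is still reported as exposed.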
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Mon Sep 30, 2024 10:18 am
by mxethernut
Feeling better that I have "ufw" enabled (I think it's the default now)
Unsure, it might be.
Is it?
I remember Manjaro had it off by default
Re: Linux Vulnerability Announced, Details Kept Secret
Posted: Mon Sep 30, 2024 10:22 am
by mxethernut
operadude wrote: ↑Mon Sep 30, 2024 7:44 am
Thanks for the command snippets, but I am using sysVinit, and thus no "systemctl":
Assuming for now that I'm OK.
Yes you probably are.
Can you try:
or