Linux Vulnerability Announced, Details Kept Secret [Solved]

[CharlesV]

But, yes, it looks like blocking UDP port 631 will be the best stop for this.

@CharlesV Silly(?) Question:

I am not (to the best of my knowledge) in a hostile environment, and I occasionally use port 631 (localhost) to login, via my password-protected router, into "CUPS", so as to maintain and/or change my printers (drivers, names, etc), that are all (Network) shared on my Local Network (router).

Given all of the previous comments, should I NOT be using port 631?

I do not know of any other way to login to CUPS.

Oh...I'm not sure if I'm using UDP, or some other protocol. I guess I'm using whatever the defaults are for all MX distros (KDE, Fluxbox, Xfce)-- I use all of them.

Awaiting precious explication...

Closing port 631 in your firewall will NOT stop you from loading cups on http://localhost:631 You can still get to the interface and run CUPS.

It WILL prevent anyone else from coming into cups from a machine on your network . AND if your printer is shared on the network, it *will* stop anyone from printing to your printer ***IF*** your using the 631port (IPP printers ) .

But closing port 631 will NOT stop YOU from printing to your local printer. It also will NOT stop you from printing to a shared printer ON your network.

[CharlesV]

There is a lot of incorrect information running on this topic, so lets get some cleared up!

First, there are 3 scenarios that your computer will be running:
a) Your computer is INSIDE on a private network. (ie you have a firewall and router that takes you to the internet and prevents anyone from coming in. You have a private IP, and you do NOT have any hostile machines (or potentially hostile machines) in your network. This is most home networking - 99.99% of the time, something like this CUPS issue will NOT be a problem

b) Your computer is inside a private network, but there are hostile, (or potentially hostile ) computers also in it. An example of this: Wifi at hotel, food court, coffee house, etc etc. Or, a friends house where they have computers that *might* be hacked. This is the place you want your firewall up and port 631 denied. ( Which by default unless you have shared your printer... 631 IS denied already.)

c) Your computer is 'on the internet' . And what this means is that YOUR computer has an external IP directly onto the internet. ( you can check your IP using the ifconfig command in a terminal. ) You should always have a firewall on and be VERY careful with this one!

If your unsure if you have a private IP or are on the internet ... read this:
https://www.geeksforgeeks.org/differenc ... addresses/

Now, having said ALL that... If your running MX23, then your firewall should be on by default. (Double check that!). AND, by default, access to your machine is denied, including port 631 - UNLESS you have shared your printer. (And on the machines I checked, just sharing your printer did NOT mean that port 631 was opened up!! I had to open it to get an IPP printer working.)

*** IF YOU DISABLE THE CUPS SERVICE *** then yes, you WILL break your printing - unless your printing is NOT using cups.

Updates just came in yesterday for MX21 & MX23 that resolved this printing issue. There is still one remaining issue of the four that needs to be resolved still.

[operadude]

@CharlesV



I wholeheartedly accept, as per usual, your thorough explications (note the plural)



Post Script: I will not be closing port 631 on my home machine.

[dreamer]

Hello, LinuxSpring1.

So if the service cups-browsed is disabled or the package is uninstalled then will not the printing and scanning be impacted? Because the RedHat article refers to the case where printing is not needed. Many of us are using Desktops and there printing and scanning is required.

The answer to this question is: well, it depends.

In case your network MFP printer has been added to your system through cups-browsed only, then switching off cup-browsed will indeed make the device disappear from the system again. So, the answer in this case would be: yes.

In case, however, your network MFP device has been set up manually e.g. through HPLIP like my HP Color Laserjet Pro MFP M277dw, then during this setup the MFP's IP address has been added to the relevant configuration files. As a consequence the system will not depend on cups-browsed in order to connect to the MFP. Printing and scanning will work without cups-browsed.

Note:
HPLIP is only used for HP printers and scanners. For printers of other producers you will have to install their appropriate driver software instead.

Hope my explanation was not too confusing.

Karl

@LinuxSpring1
I didn't bother to reply to your question, because I think karlchen did a good job. The only thing I might add is that Red Hat is likely referring to "driverless" printing (IPP). So yes, if you use "driverless" printing, then keep the cups-browsed package installed. I have never used IPP myself. One reason is that I have seen complaints on Linux Mint forum (Mint is set up to use IPP by default even if you connect through USB) that IPP doesn't provide all the printer settings since many settings are in the driver. So some people end up with a subset of printer settings when switching to IPP.

[mxethernut]

https://www.youtube.com/watch?v=bLr5M1ijbbQ

The BIGGEST Linux CVE Ever Is A Printer Bug
Brodie Robertson
87.3K subscribers

12K views 2 days ago




Moderator: all bold removed, please don't bold text an entire post.

[AK-47]

I think it is rather rude to be dropping links without any context, description, rhyme or reason, as if the forum is one's personal link farm. I suggest, can you please describe its contents or explain what the link is about, in the same post, so that people don't have to waste their time and bandwidth clicking on stuff they have probably seen before.

[Jerry3904]

+1