CUPS STR at http://www.cups.org/str.php?L920 "Device URIs containing username & password end up in error_log"

Fixed in CVS and patch available at the STR.

Also http://secunia.com/advisories/12736/

Description: Gary Smith has reported a vulnerability in CUPS, which can be exploited by malicious, local users to gain knowledge of sensitive information. The problem is that user credentials are stored in the error_log log file when printing to a shared printer via Samba.
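An added example, not part of the original report or of the CUPS patch: a check an administrator could run over an existing error_log to find lines that already contain a device URI with an embedded password, and to print them with the password masked. The log line layout, host names and credentials in `SAMPLE_LOG` are constructed for illustration.

```python
import re

# scheme://user:password@host/...  The password runs up to the last '@'
# before the first '/', so passwords that themselves contain '@' are covered.
URI_WITH_USERINFO = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?P<user>[^\s:/@]+)(?::(?P<password>[^\s/]*))?@"
    r"(?P<rest>[^\s\"']+)"
)

def redact_line(line):
    """Return (line with passwords masked, number of passwords found)."""
    hits = 0

    def _mask(m):
        nonlocal hits
        if m.group("password") is None:
            return m.group(0)  # username only: nothing secret to mask
        hits += 1
        return f"{m.group('scheme')}://{m.group('user')}:****@{m.group('rest')}"

    return URI_WITH_USERINFO.sub(_mask, line), hits

def scan_log(lines):
    """Return [(line_number, redacted_line)] for lines that leaked a password."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        redacted, hits = redact_line(line.rstrip("\n"))
        if hits:
            findings.append((lineno, redacted))
    return findings

# Constructed sample lines (not real CUPS output).
SAMPLE_LOG = [
    "I [06/Oct/2004:10:12:01 +0000] Started backend (no URI on this line)",
    "D [06/Oct/2004:10:12:02 +0000] device URI smb://alice:S3cret!@printsrv/laser1",
    "D [06/Oct/2004:10:12:03 +0000] device URI smb://guest@printsrv/laser2",
    "D [06/Oct/2004:10:12:04 +0000] device URI ipp://printsrv:631/printers/laser3",
]

if __name__ == "__main__":
    # Replace SAMPLE_LOG with open(path_to_error_log) to check a real file.
    for lineno, text in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {text}")
```

Any line this reports means the password was readable by whoever could read the log, so the affected credentials should be changed after upgrading.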
printing herd, please patch/bump as needed
fedora already patched (upgraded) packages http://secunia.com/advisories/12737/
applied the patch to cups-1.1.20-r3 and cups-1.1.21-r1
arches pls test and mark stable

cups-1.1.20-r3:
current KEYWORDS="x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64"
target KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"

cups-1.1.21-r1 already has
current/target KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64"
forgot to add ppc64, pls also test cups-1.1.20-r3 and mark stable if possible
sparc stable.
ppc stable
Stable on alpha.
arm/hppa/ia64/s390 is all set
stable amd64
Ready for a GLSA decision. I would say one is needed, it discloses exploitable passwords to local users, and that's bad.
GLSA needed.
GLSA 200410-06

mips and ppc64 don't forget to mark stable to benefit from the GLSA
already stable on ppc64, .. thanks!
Stable on mips.