CVE-2009-0949 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0949): The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 does not properly initialize memory for IPP request packets, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a scheduler request with two consecutive IPP_TAG_UNSUPPORTED tags.
We seem to already have the patch (https://bugzilla.redhat.com/attachment.cgi?id=344106), but no bug for this as far as I can see, and a vulnerable version is still in tree. Printing: is it ok to remove it? If so, please do it.
Yes thanks, all versions <net-print/cups-1.3.10-r1 are gone now.
A glsa for all affected versions has been issued, 200904-20. It did not specifically cover this, but vulnerabilities with worse impact. [noglsa] for this issue thus.