
Bug 293865 (CVE-2009-2820)

Summary: <net-print/cups-1.3.11-r1 Several XSS flaws in forms processed by CUPS web interface (CVE-2009-2820)
Product: Gentoo Security
Reporter: Timo Gurr (RETIRED) <tgurr>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: pacho, printing
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=529833
Whiteboard: A4 [noglsa]
Package list:
Runtime testing required: ---

Description Timo Gurr (RETIRED) gentoo-dev 2009-11-20 16:53:41 UTC
Several cross-site scripting (XSS) flaws were found in the way the CUPS web
server interface processed HTML form content. A remote attacker could
provide a specially crafted HTML page which, once visited by a local,
unsuspecting user, could lead to a bypass of intended client-side security
mechanisms or, potentially, to the injection of malicious scripts into web
pages processed by the CUPS web interface.

Credit:
-------
Aaron Sigel of Apple Product Security
Suggestion (tgurr):
-------
Stabilize =net-print/cups-1.3.11-r1 which has the security patches provided by upstream applied.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-20 17:02:59 UTC
Arches, please test and mark stable:
=net-print/cups-1.3.11-r1
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 2 Timo Gurr (RETIRED) gentoo-dev 2009-11-20 17:04:05 UTC
*** Bug 287480 has been marked as a duplicate of this bug. ***
Comment 3 nixnut (RETIRED) gentoo-dev 2009-11-21 19:35:57 UTC
ppc stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2009-11-22 11:47:57 UTC
Stable on alpha.
Comment 5 Markus Meier gentoo-dev 2009-11-23 13:25:05 UTC
amd64/arm/x86 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2009-11-23 15:54:49 UTC
ia64/m68k/s390/sh/sparc stable
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-11-23 17:16:19 UTC
ppc64 done
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-11-24 04:02:33 UTC
Stable for HPPA.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 02:09:24 UTC
GLSA vote: no.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-12-18 08:17:29 UTC
No too, closing.