CUPS STR at http://www.cups.org/str.php?L920
"Device URIs containing username & password end up in error_log"
Fixed in CVS and patch available at the STR.
Gary Smith has reported a vulnerability in CUPS, which can be exploited by malicious, local users to gain knowledge of sensitive information.
The problem is that user credentials are stored in the error_log log file when printing to a shared printer via Samba.
printing herd, please patch/bump as needed
fedora already patched (upgraded) packages
applied the patch to cups-1.1.20-r3 and cups-1.1.21-r1
arches pls test and mark stable
current KEYWORDS="x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64"
target KEYWORDS="x86 ppc sparc mips alpha arm hppa amd64 ia64 s390 ppc64"
cups-1.1.21-r1 already has
current/target KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~s390 ~ppc64"
forgot to add ppc64, pls also test cups-1.1.20-r3 and mark stable if possible
Stable on alpha.
arm/hppa/ia64/s390 is all set
Ready for a GLSA decision. I would say one is needed, it discloses exploitable passwords to local users, and that's bad.
mips and ppc64 don't forget to mark stable to benefit from the GLSA
already stable on ppc64, .. thanks!
Stable on mips.
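
An added example, not part of the original bug thread and not CUPS code: a log audit for the problem described above, where device URIs carrying a username and password were written to error_log. Log files written before the upgrade may still hold such URIs, so this finds those lines and masks the password. The log line layout and all sample values are constructed for illustration, and the function names are hypothetical.

```python
import re

MASK = "****"

# scheme://user:password@host inside a log line. The password may itself
# contain '@', so it is matched greedily and the regex backtracks to the
# last '@' that is still followed by a host component.
URI_CREDS = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*)://"
    r"(?P<user>[^\s/:@]+):(?P<password>[^\s/]+)@"
    r"(?P<rest>[^\s/@]+)",
    re.IGNORECASE,
)

def redact_line(line):
    """Return (line with URI passwords masked, number of URIs masked)."""
    return URI_CREDS.subn(
        lambda m: f"{m['scheme']}://{m['user']}:{MASK}@{m['rest']}", line
    )

def audit(lines):
    """Return [(line_number, redacted_line)] for every line that leaked a password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted, count = redact_line(line)
        if count:
            hits.append((number, redacted))
    return hits

# Constructed sample input (not real CUPS output): two leaking URIs, one URI
# with a port but no credentials, one with a username but no password.
SAMPLE_LOG = """\
I [01/Jan/2004:10:00:00 +0000] Job 12 queued on 'office' by 'alice'.
D [01/Jan/2004:10:00:01 +0000] Started backend for smb://alice:s3cret@WORKGROUP/fileserv/laser
D [01/Jan/2004:10:00:02 +0000] Started backend for smb://bob:p@ss@fileserv/inkjet
D [01/Jan/2004:10:00:03 +0000] Started backend for ipp://printhost:631/printers/office
D [01/Jan/2004:10:00:04 +0000] Started backend for smb://guest@fileserv/public
""".splitlines()

if __name__ == "__main__":
    for number, redacted in audit(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```

Any password the audit finds should be treated as disclosed and changed, since masking the log does not undo earlier reads by local users.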