From ${URL} :
The CUPS 1.7.2 release fixes a possible cross-site scripting issue in the CUPS web interface. An attacker could use this flaw to perform a cross-site scripting attack against users of the CUPS web interface.
Patch for is_absolute_path(): http://www.cups.org/strfiles.php/3268/str4356.patch
I was unable to reproduce this issue in Fedora 19 and 20.
References:
http://www.cups.org/blog.php?L717
http://www.cups.org/str.php?L4356
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
Since cups 1.7.2 fails to build without avahi (which likely hits quite some Gentoo users), I've added this patch in net-print/cups-1.7.1-r1. Please stabilize net-print/cups-1.7.1-r1
Arches, please test and mark stable: =net-print/cups-1.7.1-r1
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
x86 stable
Stable for HPPA.
alpha stable
arm stable
CVE-2014-2856 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2856): Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function.
ppc stable
ppc64 stable
ia64 stable
sparc stable. Maintainer(s), please clean up. Security, please vote.
Maintainer(s), thank you for the cleanup! Security, please vote!
Closing, no GLSA for cross-site scripting.