Oracle Linux Local Security Checks : Oracle: Security Advisory (ELSA-2014-1388)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.123288

Category: Oracle Linux Local Security Checks

Title: Oracle: Security Advisory (ELSA-2014-1388)

Summary: The remote host is missing an update for the 'cups' package(s) announced via the ELSA-2014-1388 advisory.

Description: Summary:
The remote host is missing an update for the 'cups' package(s) announced via the ELSA-2014-1388 advisory.

Vulnerability Insight:
[1:1.4.2-67]
- Revert change to whitelist /rss/ resources, as this was not used
upstream.

[1:1.4.2-66]
- More STR #4461 fixes from upstream: make rss feeds world-readable,
but cachedir private.
- Fix icon display in web interface during server restart (STR #4475).

[1:1.4.2-65]
- Fixes for upstream patch for STR #4461: allow /rss/ requests for
files we created.

[1:1.4.2-64]
- Use upstream patch for STR #4461.

[1:1.4.2-63]
- Applied upstream patch to fix CVE-2014-5029 (bug #1122600),
CVE-2014-5030 (bug #1128764), CVE-2014-5031 (bug #1128767).
- Fix conf/log file reading for authenticated users (STR #4461).

[1:1.4.2-62]
- Fix CGI handling (STR #4454, bug #1120419).

[1:1.4.2-61]
- fix patch for CVE-2014-3537 (bug #1117794)

[1:1.4.2-60]
- CVE-2014-2856: cross-site scripting flaw (bug #1117798)
- CVE-2014-3537: insufficient checking leads to privilege escalation (bug #1117794)

[1:1.4.2-59]
- Removed package description changes.

[1:1.4.2-58]
- Applied patch to fix 'Bad request' errors as a result of adding in
httpSetTimeout (STR #4440, also part of svn revision 9967).

[1:1.4.2-57]
- Fixed timeout issue with cupsd reading when there is no data ready
(bug #1110045).

[1:1.4.2-56]
- Fixed synconclose patch to avoid 'too many arguments for format' warning.
- Fixed settimeout patch to include math.h for fmod declaration.

[1:1.4.2-55]
- Fixed typo preventing web interface from changing driver (bug #1104483,
STR #3601).
- Fixed SyncOnClose patch (bug #984883).

[1:1.4.2-54]
- Use upstream patch to avoid replaying GSS credentials (bug #1040293).

[1:1.4.2-53]
- Prevent BrowsePoll problems across suspend/resume (bug #769292):
- Eliminate indefinite wait for response (svn revision 9688).
- Backported httpSetTimeout API function from CUPS 1.5 and use it in
the ipp backend so that we wait indefinitely until the printer
responds, we get a hard error, or the job is cancelled.
- cups-polld: reconnect on error.
- Added new SyncOnClose directive to use fsync() after altering
configuration files: defaults to 'Yes'. Adjust in cupsd.conf (bug #984883).
- Fix cupsctl man page typo (bug #1011076).
- Use more portable rpm specfile syntax for conditional php building
(bug #988598).
- Fix SetEnv directive in cupsd.conf (bug #986495).
- Fix 'collection' attribute sending (bug #978387).
- Prevent format_log segfault (bug #971079).
- Prevent stringpool corruption (bug #884851).
- Don't crash when job queued for printer that times out (bug #855431).
- Upstream patch for broken multipart handling (bug #852846).
- Install /etc/cron.daily/cups with correct permissions (bug #1012482).

Affected Software/OS:
'cups' package(s) on Oracle Linux 6.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2014-2856
BugTraq ID: 66788
http://www.securityfocus.com/bid/66788
http://www.mandriva.com/security/advisories?name=MDVSA-2015:108
http://www.openwall.com/lists/oss-security/2014/04/14/2
http://www.openwall.com/lists/oss-security/2014/04/15/3
RedHat Security Advisories: RHSA-2014:1388
http://rhn.redhat.com/errata/RHSA-2014-1388.html
http://secunia.com/advisories/57880
http://www.ubuntu.com/usn/USN-2172-1
Common Vulnerability Exposure (CVE) ID: CVE-2014-3537
1030611
http://www.securitytracker.com/id/1030611
59945
http://secunia.com/advisories/59945
60273
http://secunia.com/advisories/60273
60787
http://secunia.com/advisories/60787
68788
http://www.securityfocus.com/bid/68788
APPLE-SA-2014-10-16-1
http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html
FEDORA-2014-8351
http://lists.fedoraproject.org/pipermail/package-announce/2014-July/135528.html
MDVSA-2015:108
RHSA-2014:1388
USN-2293-1
http://www.ubuntu.com/usn/USN-2293-1
http://advisories.mageia.org/MGASA-2014-0313.html
http://www.cups.org/blog.php?L724
http://www.cups.org/str.php?L4450
https://bugzilla.redhat.com/show_bug.cgi?id=1115576
https://support.apple.com/kb/HT6535
Common Vulnerability Exposure (CVE) ID: CVE-2014-5029
Debian Security Information: DSA-2990 (Google Search)
http://www.debian.org/security/2014/dsa-2990
http://www.openwall.com/lists/oss-security/2014/07/22/2
http://www.openwall.com/lists/oss-security/2014/07/22/13
http://secunia.com/advisories/60509
http://www.ubuntu.com/usn/USN-2341-1
Common Vulnerability Exposure (CVE) ID: CVE-2014-5030
Common Vulnerability Exposure (CVE) ID: CVE-2014-5031

Copyright Copyright (C) 2015 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.123288
Category:	Oracle Linux Local Security Checks
Title:	Oracle: Security Advisory (ELSA-2014-1388)
Summary:	The remote host is missing an update for the 'cups' package(s) announced via the ELSA-2014-1388 advisory.
Description:	Summary: The remote host is missing an update for the 'cups' package(s) announced via the ELSA-2014-1388 advisory. Vulnerability Insight: [1:1.4.2-67] - Revert change to whitelist /rss/ resources, as this was not used upstream. [1:1.4.2-66] - More STR #4461 fixes from upstream: make rss feeds world-readable, but cachedir private. - Fix icon display in web interface during server restart (STR #4475). [1:1.4.2-65] - Fixes for upstream patch for STR #4461: allow /rss/ requests for files we created. [1:1.4.2-64] - Use upstream patch for STR #4461. [1:1.4.2-63] - Applied upstream patch to fix CVE-2014-5029 (bug #1122600), CVE-2014-5030 (bug #1128764), CVE-2014-5031 (bug #1128767). - Fix conf/log file reading for authenticated users (STR #4461). [1:1.4.2-62] - Fix CGI handling (STR #4454, bug #1120419). [1:1.4.2-61] - fix patch for CVE-2014-3537 (bug #1117794) [1:1.4.2-60] - CVE-2014-2856: cross-site scripting flaw (bug #1117798) - CVE-2014-3537: insufficient checking leads to privilege escalation (bug #1117794) [1:1.4.2-59] - Removed package description changes. [1:1.4.2-58] - Applied patch to fix 'Bad request' errors as a result of adding in httpSetTimeout (STR #4440, also part of svn revision 9967). [1:1.4.2-57] - Fixed timeout issue with cupsd reading when there is no data ready (bug #1110045). [1:1.4.2-56] - Fixed synconclose patch to avoid 'too many arguments for format' warning. - Fixed settimeout patch to include math.h for fmod declaration. [1:1.4.2-55] - Fixed typo preventing web interface from changing driver (bug #1104483, STR #3601). - Fixed SyncOnClose patch (bug #984883). [1:1.4.2-54] - Use upstream patch to avoid replaying GSS credentials (bug #1040293). [1:1.4.2-53] - Prevent BrowsePoll problems across suspend/resume (bug #769292): - Eliminate indefinite wait for response (svn revision 9688). - Backported httpSetTimeout API function from CUPS 1.5 and use it in the ipp backend so that we wait indefinitely until the printer responds, we get a hard error, or the job is cancelled. - cups-polld: reconnect on error. - Added new SyncOnClose directive to use fsync() after altering configuration files: defaults to 'Yes'. Adjust in cupsd.conf (bug #984883). - Fix cupsctl man page typo (bug #1011076). - Use more portable rpm specfile syntax for conditional php building (bug #988598). - Fix SetEnv directive in cupsd.conf (bug #986495). - Fix 'collection' attribute sending (bug #978387). - Prevent format_log segfault (bug #971079). - Prevent stringpool corruption (bug #884851). - Don't crash when job queued for printer that times out (bug #855431). - Upstream patch for broken multipart handling (bug #852846). - Install /etc/cron.daily/cups with correct permissions (bug #1012482). Affected Software/OS: 'cups' package(s) on Oracle Linux 6. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2014-2856 BugTraq ID: 66788 http://www.securityfocus.com/bid/66788 http://www.mandriva.com/security/advisories?name=MDVSA-2015:108 http://www.openwall.com/lists/oss-security/2014/04/14/2 http://www.openwall.com/lists/oss-security/2014/04/15/3 RedHat Security Advisories: RHSA-2014:1388 http://rhn.redhat.com/errata/RHSA-2014-1388.html http://secunia.com/advisories/57880 http://www.ubuntu.com/usn/USN-2172-1 Common Vulnerability Exposure (CVE) ID: CVE-2014-3537 1030611 http://www.securitytracker.com/id/1030611 59945 http://secunia.com/advisories/59945 60273 http://secunia.com/advisories/60273 60787 http://secunia.com/advisories/60787 68788 http://www.securityfocus.com/bid/68788 APPLE-SA-2014-10-16-1 http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html FEDORA-2014-8351 http://lists.fedoraproject.org/pipermail/package-announce/2014-July/135528.html MDVSA-2015:108 RHSA-2014:1388 USN-2293-1 http://www.ubuntu.com/usn/USN-2293-1 http://advisories.mageia.org/MGASA-2014-0313.html http://www.cups.org/blog.php?L724 http://www.cups.org/str.php?L4450 https://bugzilla.redhat.com/show_bug.cgi?id=1115576 https://support.apple.com/kb/HT6535 Common Vulnerability Exposure (CVE) ID: CVE-2014-5029 Debian Security Information: DSA-2990 (Google Search) http://www.debian.org/security/2014/dsa-2990 http://www.openwall.com/lists/oss-security/2014/07/22/2 http://www.openwall.com/lists/oss-security/2014/07/22/13 http://secunia.com/advisories/60509 http://www.ubuntu.com/usn/USN-2341-1 Common Vulnerability Exposure (CVE) ID: CVE-2014-5030 Common Vulnerability Exposure (CVE) ID: CVE-2014-5031
Copyright	Copyright (C) 2015 Greenbone AG