[Pkg-cups-devel] cups stable update for CVE-2009-0164

Martin Pitt mpitt at debian.org
Sun May 3 13:12:58 UTC 2009


Hello,

Nico Golde [2009-04-26 15:43 +0200]:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for cups some time ago.
> 
> CVE-2009-0164[0]:
> | The web interface for CUPS before 1.3.10 does not validate 
> | the HTTP Host header in a client request, which makes it 
> | easier for remote attackers to conduct DNS rebinding 
> | attacks.
> 
> Unfortunately the vulnerability described above is not important enough
> to get it fixed via regular security update in Debian stable. It does
> not warrant a DSA.
> 
> However it would be nice if this could get fixed via a regular point update[1].

The reason why I didn't include it in the recent DSA in the first
place was that the rationale is dubious, and that the changed
behaviour could cause regressions. Now that the patch is in unstable
(through the new upstream version 1.3.10) I very much suspect that bug
525910 is one such regression.

Thus I will not ever propose to upload this patch to stable-updates
either. 

Does anyone think that this is serious enough?

Thanks,

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
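The check the CVE text above calls for, as an added illustration that is not CUPS code and not from this thread: compare the request's Host header (minus an optional port) against the names the server is willing to answer to, and refuse anything else, which is what defeats DNS rebinding, since the attacker's own hostname is what the browser sends. The allowed-name list, the function name `host_header_allowed` and the sample Host values are all constructed for this example.

```c
/* Added example: Host header validation against DNS rebinding.
 * Not CUPS code; the allowed list and names here are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Names this server answers to (constructed for the example). A real
 * server would build this from its configured ServerName/ServerAlias
 * values and its own addresses. */
static const char *const allowed_hosts[] = {
    "localhost", "127.0.0.1", "[::1]", "cups.example.org", NULL
};

/* Case-insensitive string equality (host names are case-insensitive). */
static bool ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Copy the host part of a Host header value into buf, dropping an
 * optional ":port". Bracketed IPv6 literals ("[::1]:631") keep their
 * brackets. Returns false on an empty, malformed or oversized value. */
static bool split_host_port(const char *host, char *buf, size_t buflen)
{
    const char *end;
    size_t len;

    if (host == NULL || *host == '\0')
        return false;

    if (*host == '[') {                 /* IPv6 literal: find the ']' */
        end = strchr(host, ']');
        if (end == NULL)
            return false;
        end++;                          /* keep the closing bracket */
    } else {                            /* name or IPv4: stop at ':' */
        end = strchr(host, ':');
        if (end == NULL)
            end = host + strlen(host);
    }

    /* Only ":port" or end of string may follow the host part. */
    if (*end != '\0' && *end != ':')
        return false;

    len = (size_t)(end - host);
    if (len == 0 || len >= buflen)
        return false;
    memcpy(buf, host, len);
    buf[len] = '\0';

    /* If a port is present it must be non-empty and all digits. */
    if (*end == ':') {
        const char *p = end + 1;
        if (*p == '\0')
            return false;
        for (; *p; p++)
            if (!isdigit((unsigned char)*p))
                return false;
    }
    return true;
}

/* True if the Host header names this server; a web interface would
 * answer 400 Bad Request when this returns false. */
bool host_header_allowed(const char *host)
{
    char name[256];
    size_t i;

    if (!split_host_port(host, name, sizeof name))
        return false;
    for (i = 0; allowed_hosts[i] != NULL; i++)
        if (ieq(name, allowed_hosts[i]))
            return true;
    return false;
}

int main(void)
{
    /* Constructed sample Host values: local access, a rebinding attacker's
     * name that resolves to 127.0.0.1, and an unconfigured legitimate alias. */
    const char *samples[] = {
        "localhost:631", "[::1]:631", "attacker.example.net:631",
        "printserver.corp.example", NULL
    };
    size_t i;

    for (i = 0; samples[i] != NULL; i++)
        printf("Host: %-26s -> %s\n", samples[i],
               host_header_allowed(samples[i]) ? "accept" : "reject (400)");
    return 0;
}
```

The last sample is the regression Martin worries about: a host that users legitimately reach through a name the server was never told about (a CNAME, a short name, a NAT address) now gets a 400 for every web request, which is why such a change belongs with a configurable allow-list rather than in a stable update on its own.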