Security
Headlines
HeadlinesLatestCVEs

Headline

Red Hat Security Advisory 2022-5056-01

Red Hat Security Advisory 2022-5056-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.

Packet Storm
#vulnerability#windows#linux#red_hat#js#auth

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: cups security and bug fix update
Advisory ID: RHSA-2022:5056-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:5056
Issue date: 2022-06-15
CVE Names: CVE-2022-26691
=====================================================================

  1. Summary:

An update for cups is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

  1. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64

  1. Description:

The Common UNIX Printing System (CUPS) provides a portable printing layer
for Linux, UNIX, and similar operating systems.

Security Fix(es):

  • cups: authorization bypass when using “local” authorization
    (CVE-2022-26691)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

  • 30-second delays printing to Windows 2016 server via HTTPS (BZ#2073531)
  1. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the cupsd service will be restarted
automatically.

  1. Bugs fixed (https://bugzilla.redhat.com/):

2084321 - CVE-2022-26691 cups: authorization bypass when using “local” authorization

  1. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

aarch64:
cups-2.2.6-45.el8_6.2.aarch64.rpm
cups-client-2.2.6-45.el8_6.2.aarch64.rpm
cups-client-debuginfo-2.2.6-45.el8_6.2.aarch64.rpm
cups-debuginfo-2.2.6-45.el8_6.2.aarch64.rpm
cups-debugsource-2.2.6-45.el8_6.2.aarch64.rpm
cups-devel-2.2.6-45.el8_6.2.aarch64.rpm
cups-ipptool-2.2.6-45.el8_6.2.aarch64.rpm
cups-ipptool-debuginfo-2.2.6-45.el8_6.2.aarch64.rpm
cups-libs-debuginfo-2.2.6-45.el8_6.2.aarch64.rpm
cups-lpd-2.2.6-45.el8_6.2.aarch64.rpm
cups-lpd-debuginfo-2.2.6-45.el8_6.2.aarch64.rpm

noarch:
cups-filesystem-2.2.6-45.el8_6.2.noarch.rpm

ppc64le:
cups-2.2.6-45.el8_6.2.ppc64le.rpm
cups-client-2.2.6-45.el8_6.2.ppc64le.rpm
cups-client-debuginfo-2.2.6-45.el8_6.2.ppc64le.rpm
cups-debuginfo-2.2.6-45.el8_6.2.ppc64le.rpm
cups-debugsource-2.2.6-45.el8_6.2.ppc64le.rpm
cups-devel-2.2.6-45.el8_6.2.ppc64le.rpm
cups-ipptool-2.2.6-45.el8_6.2.ppc64le.rpm
cups-ipptool-debuginfo-2.2.6-45.el8_6.2.ppc64le.rpm
cups-libs-debuginfo-2.2.6-45.el8_6.2.ppc64le.rpm
cups-lpd-2.2.6-45.el8_6.2.ppc64le.rpm
cups-lpd-debuginfo-2.2.6-45.el8_6.2.ppc64le.rpm

s390x:
cups-2.2.6-45.el8_6.2.s390x.rpm
cups-client-2.2.6-45.el8_6.2.s390x.rpm
cups-client-debuginfo-2.2.6-45.el8_6.2.s390x.rpm
cups-debuginfo-2.2.6-45.el8_6.2.s390x.rpm
cups-debugsource-2.2.6-45.el8_6.2.s390x.rpm
cups-devel-2.2.6-45.el8_6.2.s390x.rpm
cups-ipptool-2.2.6-45.el8_6.2.s390x.rpm
cups-ipptool-debuginfo-2.2.6-45.el8_6.2.s390x.rpm
cups-libs-debuginfo-2.2.6-45.el8_6.2.s390x.rpm
cups-lpd-2.2.6-45.el8_6.2.s390x.rpm
cups-lpd-debuginfo-2.2.6-45.el8_6.2.s390x.rpm

x86_64:
cups-2.2.6-45.el8_6.2.x86_64.rpm
cups-client-2.2.6-45.el8_6.2.x86_64.rpm
cups-client-debuginfo-2.2.6-45.el8_6.2.i686.rpm
cups-client-debuginfo-2.2.6-45.el8_6.2.x86_64.rpm
cups-debuginfo-2.2.6-45.el8_6.2.i686.rpm
cups-debuginfo-2.2.6-45.el8_6.2.x86_64.rpm
cups-debugsource-2.2.6-45.el8_6.2.i686.rpm
cups-debugsource-2.2.6-45.el8_6.2.x86_64.rpm
cups-devel-2.2.6-45.el8_6.2.i686.rpm
cups-devel-2.2.6-45.el8_6.2.x86_64.rpm
cups-ipptool-2.2.6-45.el8_6.2.x86_64.rpm
cups-ipptool-debuginfo-2.2.6-45.el8_6.2.i686.rpm
cups-ipptool-debuginfo-2.2.6-45.el8_6.2.x86_64.rpm
cups-libs-debuginfo-2.2.6-45.el8_6.2.i686.rpm
cups-libs-debuginfo-2.2.6-45.el8_6.2.x86_64.rpm
cups-lpd-2.2.6-45.el8_6.2.x86_64.rpm
cups-lpd-debuginfo-2.2.6-45.el8_6.2.i686.rpm
cups-lpd-debuginfo-2.2.6-45.el8_6.2.x86_64.rpm

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
cups-2.2.6-45.el8_6.2.src.rpm

aarch64:
cups-client-debuginfo-2.2.6-45.el8_6.2.aarch64.rpm
cups-debuginfo-2.2.6-45.el8_6.2.aarch64.rpm
cups-debugsource-2.2.6-45.el8_6.2.aarch64.rpm
cups-ipptool-debuginfo-2.2.6-45.el8_6.2.aarch64.rpm
cups-libs-2.2.6-45.el8_6.2.aarch64.rpm
cups-libs-debuginfo-2.2.6-45.el8_6.2.aarch64.rpm
cups-lpd-debuginfo-2.2.6-45.el8_6.2.aarch64.rpm

ppc64le:
cups-client-debuginfo-2.2.6-45.el8_6.2.ppc64le.rpm
cups-debuginfo-2.2.6-45.el8_6.2.ppc64le.rpm
cups-debugsource-2.2.6-45.el8_6.2.ppc64le.rpm
cups-ipptool-debuginfo-2.2.6-45.el8_6.2.ppc64le.rpm
cups-libs-2.2.6-45.el8_6.2.ppc64le.rpm
cups-libs-debuginfo-2.2.6-45.el8_6.2.ppc64le.rpm
cups-lpd-debuginfo-2.2.6-45.el8_6.2.ppc64le.rpm

s390x:
cups-client-debuginfo-2.2.6-45.el8_6.2.s390x.rpm
cups-debuginfo-2.2.6-45.el8_6.2.s390x.rpm
cups-debugsource-2.2.6-45.el8_6.2.s390x.rpm
cups-ipptool-debuginfo-2.2.6-45.el8_6.2.s390x.rpm
cups-libs-2.2.6-45.el8_6.2.s390x.rpm
cups-libs-debuginfo-2.2.6-45.el8_6.2.s390x.rpm
cups-lpd-debuginfo-2.2.6-45.el8_6.2.s390x.rpm

x86_64:
cups-client-debuginfo-2.2.6-45.el8_6.2.i686.rpm
cups-client-debuginfo-2.2.6-45.el8_6.2.x86_64.rpm
cups-debuginfo-2.2.6-45.el8_6.2.i686.rpm
cups-debuginfo-2.2.6-45.el8_6.2.x86_64.rpm
cups-debugsource-2.2.6-45.el8_6.2.i686.rpm
cups-debugsource-2.2.6-45.el8_6.2.x86_64.rpm
cups-ipptool-debuginfo-2.2.6-45.el8_6.2.i686.rpm
cups-ipptool-debuginfo-2.2.6-45.el8_6.2.x86_64.rpm
cups-libs-2.2.6-45.el8_6.2.i686.rpm
cups-libs-2.2.6-45.el8_6.2.x86_64.rpm
cups-libs-debuginfo-2.2.6-45.el8_6.2.i686.rpm
cups-libs-debuginfo-2.2.6-45.el8_6.2.x86_64.rpm
cups-lpd-debuginfo-2.2.6-45.el8_6.2.i686.rpm
cups-lpd-debuginfo-2.2.6-45.el8_6.2.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

  1. References:

https://access.redhat.com/security/cve/CVE-2022-26691
https://access.redhat.com/security/updates/classification/#important

  1. Contact:

The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYqod69zjgjWX9erEAQiQ3A/+LM9m2kXeWz8N2fXRG00WuByQeTpYA3wO
InBeSzoVT+hb82gPL2BLGVdHQlVfXo/wYN64e33Llkd/X8EEJ139Hn+Unjh0zdUR
5lL8qmhx3SIujq/F8nHnCsvodBMDtwdbRH70AHrFFlUWYtmyPb5ZmlrUUp/q0gF4
VQ6oTMRK1RxL71R1ltRAQIu/V/+J8N3j461JSfbI4Y1jzYScChQ2C2p/sKzYJHzn
qwOHjGqExXDQb0MsSBk3RNreuIlMHU6e4Q6nFNwkJQR6Jfdcwm4iR58i9YAMannx
/s/OXDn8UoSKqJF4TlD1rMDgWapoKtbtVlRR1fE8BhZ/QUAKPa8ky9HKY+0lSeBu
xgDuP7UKwFcLV33d1hJd+HgXXj7GspXcrYkE9+VqXAMYh6RVJR/FDpif9kIg3buO
+yaGEa0wLE4cdykMMk5yDK7dnm59a8GcIZPjLBroC4u2TlTShphoiiyFfjogaPC1
ZEj2zCLF4nJARYe/m//Sn8Gjg2S/14of7Gr8z1Kehw/0BT+HCzlx/oMh/jJM0PEm
ExyULWcsmLRrP3VUM8beBCE86Brdq934SpRc8H2QP6Pjj/GxHG9SR6TMZkkMTaNt
jQcsKd7igS3Q7oEXLNcaNXG31b7eNvWVuJtLL3PMTucSEqSlyXjEXMSDcTrP5aeR
Zk1KcaJsJpQ=
=ONyE
-----END PGP SIGNATURE-----

RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Gentoo Linux Security Advisory 202402-17

Gentoo Linux Security Advisory 202402-17 - Multiple vulnerabilities have been discovered in CUPS, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 2.4.7 are affected.

CVE-2022-46756: DSA-2022-335: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities

Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.

RHSA-2022:6430: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.0.4 security and bug fix update

OpenShift API for Data Protection (OADP) 1.0.4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-30629: golang: crypto/tls: session ti...

Red Hat Security Advisory 2022-6290-01

Red Hat Security Advisory 2022-6290-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. Issues addressed include a denial of service vulnerability.

RHSA-2022:6290: Red Hat Security Advisory: OpenShift API for Data Protection (OADP) 1.1.0 security and bug fix update

OpenShift API for Data Protection (OADP) 1.1.0 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30631: golang: compress/gzip: stack exhaus...

Red Hat Security Advisory 2022-5069-01

Red Hat Security Advisory 2022-5069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.0. Issues addressed include code execution, cross site scripting, denial of service, information leakage, and traversal vulnerabilities.

RHSA-2022:5069: Red Hat Security Advisory: OpenShift Container Platform 4.11.0 bug fix and security update

Red Hat OpenShift Container Platform release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23566: nanoid: Information disclosure via valueOf() function * CVE-2021-23648: sanitize-url: XSS * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2021-44906:...

Red Hat Security Advisory 2022-5556-01

Red Hat Security Advisory 2022-5556-01 - Logging Subsystem 5.4.3 has security updates. Issues addressed include denial of service and out of bounds read vulnerabilities.

RHSA-2022:5556: Red Hat Security Advisory: Logging Subsystem 5.4.3 - Red Hat OpenShift security update

Logging Subsystem 5.4.3 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS

Red Hat Security Advisory 2022-5483-01

Red Hat Security Advisory 2022-5483-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.

RHSA-2022:5483: Red Hat Security Advisory: Migration Toolkit for Containers (MTC) 1.7.2 security and bug fix update

The Migration Toolkit for Containers (MTC) 1.7.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-0536: follow-redirects: Exposure of Sensitive Information via Authorization Header leak

Red Hat Security Advisory 2022-4990-01

Red Hat Security Advisory 2022-4990-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2022-5054-01

Red Hat Security Advisory 2022-5054-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2022-5057-01

Red Hat Security Advisory 2022-5057-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2022-5055-01

Red Hat Security Advisory 2022-5055-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.

RHSA-2022:4990: Red Hat Security Advisory: cups security update

An update for cups is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization

RHSA-2022:5056: Red Hat Security Advisory: cups security and bug fix update

An update for cups is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization

RHSA-2022:5057: Red Hat Security Advisory: cups security update

An update for cups is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization

RHSA-2022:5055: Red Hat Security Advisory: cups security update

An update for cups is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization

Ubuntu Security Notice USN-5454-2

Ubuntu Security Notice 5454-2 - USN-5454-1 fixed several vulnerabilities in CUPS. This update provides the corresponding update for Ubuntu 16.04 ESM. Joshua Mason discovered that CUPS incorrectly handled the secret key used to access the administrative web interface. A remote attacker could possibly use this issue to open a session as an administrator and execute arbitrary code.

Ubuntu Security Notice USN-5454-1

Ubuntu Security Notice 5454-1 - Joshua Mason discovered that CUPS incorrectly handled the secret key used to access the administrative web interface. A remote attacker could possibly use this issue to open a session as an administrator and execute arbitrary code. It was discovered that CUPS incorrectly handled certain memory operations when handling IPP printing. A remote attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.

CVE-2022-22633: About the security content of macOS Big Sur 11.6.5

A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution