Headline
Red Hat Security Advisory 2022-5057-01
Red Hat Security Advisory 2022-5057-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: cups security update
Advisory ID: RHSA-2022:5057-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:5057
Issue date: 2022-06-15
CVE Names: CVE-2022-26691
=====================================================================
- Summary:
An update for cups is now available for Red Hat Enterprise Linux 8.4
Extended Update Support.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream EUS (v.8.4) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS EUS (v.8.4) - aarch64, ppc64le, s390x, x86_64
- Description:
The Common UNIX Printing System (CUPS) provides a portable printing layer
for Linux, UNIX, and similar operating systems.
Security Fix(es):
- cups: authorization bypass when using “local” authorization
(CVE-2022-26691)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing this update, the cupsd service will be restarted
automatically.
- Bugs fixed (https://bugzilla.redhat.com/):
2084321 - CVE-2022-26691 cups: authorization bypass when using “local” authorization
- Package List:
Red Hat Enterprise Linux AppStream EUS (v.8.4):
aarch64:
cups-2.2.6-38.el8_4.1.aarch64.rpm
cups-client-2.2.6-38.el8_4.1.aarch64.rpm
cups-client-debuginfo-2.2.6-38.el8_4.1.aarch64.rpm
cups-debuginfo-2.2.6-38.el8_4.1.aarch64.rpm
cups-debugsource-2.2.6-38.el8_4.1.aarch64.rpm
cups-devel-2.2.6-38.el8_4.1.aarch64.rpm
cups-ipptool-2.2.6-38.el8_4.1.aarch64.rpm
cups-ipptool-debuginfo-2.2.6-38.el8_4.1.aarch64.rpm
cups-libs-debuginfo-2.2.6-38.el8_4.1.aarch64.rpm
cups-lpd-2.2.6-38.el8_4.1.aarch64.rpm
cups-lpd-debuginfo-2.2.6-38.el8_4.1.aarch64.rpm
noarch:
cups-filesystem-2.2.6-38.el8_4.1.noarch.rpm
ppc64le:
cups-2.2.6-38.el8_4.1.ppc64le.rpm
cups-client-2.2.6-38.el8_4.1.ppc64le.rpm
cups-client-debuginfo-2.2.6-38.el8_4.1.ppc64le.rpm
cups-debuginfo-2.2.6-38.el8_4.1.ppc64le.rpm
cups-debugsource-2.2.6-38.el8_4.1.ppc64le.rpm
cups-devel-2.2.6-38.el8_4.1.ppc64le.rpm
cups-ipptool-2.2.6-38.el8_4.1.ppc64le.rpm
cups-ipptool-debuginfo-2.2.6-38.el8_4.1.ppc64le.rpm
cups-libs-debuginfo-2.2.6-38.el8_4.1.ppc64le.rpm
cups-lpd-2.2.6-38.el8_4.1.ppc64le.rpm
cups-lpd-debuginfo-2.2.6-38.el8_4.1.ppc64le.rpm
s390x:
cups-2.2.6-38.el8_4.1.s390x.rpm
cups-client-2.2.6-38.el8_4.1.s390x.rpm
cups-client-debuginfo-2.2.6-38.el8_4.1.s390x.rpm
cups-debuginfo-2.2.6-38.el8_4.1.s390x.rpm
cups-debugsource-2.2.6-38.el8_4.1.s390x.rpm
cups-devel-2.2.6-38.el8_4.1.s390x.rpm
cups-ipptool-2.2.6-38.el8_4.1.s390x.rpm
cups-ipptool-debuginfo-2.2.6-38.el8_4.1.s390x.rpm
cups-libs-debuginfo-2.2.6-38.el8_4.1.s390x.rpm
cups-lpd-2.2.6-38.el8_4.1.s390x.rpm
cups-lpd-debuginfo-2.2.6-38.el8_4.1.s390x.rpm
x86_64:
cups-2.2.6-38.el8_4.1.x86_64.rpm
cups-client-2.2.6-38.el8_4.1.x86_64.rpm
cups-client-debuginfo-2.2.6-38.el8_4.1.i686.rpm
cups-client-debuginfo-2.2.6-38.el8_4.1.x86_64.rpm
cups-debuginfo-2.2.6-38.el8_4.1.i686.rpm
cups-debuginfo-2.2.6-38.el8_4.1.x86_64.rpm
cups-debugsource-2.2.6-38.el8_4.1.i686.rpm
cups-debugsource-2.2.6-38.el8_4.1.x86_64.rpm
cups-devel-2.2.6-38.el8_4.1.i686.rpm
cups-devel-2.2.6-38.el8_4.1.x86_64.rpm
cups-ipptool-2.2.6-38.el8_4.1.x86_64.rpm
cups-ipptool-debuginfo-2.2.6-38.el8_4.1.i686.rpm
cups-ipptool-debuginfo-2.2.6-38.el8_4.1.x86_64.rpm
cups-libs-debuginfo-2.2.6-38.el8_4.1.i686.rpm
cups-libs-debuginfo-2.2.6-38.el8_4.1.x86_64.rpm
cups-lpd-2.2.6-38.el8_4.1.x86_64.rpm
cups-lpd-debuginfo-2.2.6-38.el8_4.1.i686.rpm
cups-lpd-debuginfo-2.2.6-38.el8_4.1.x86_64.rpm
Red Hat Enterprise Linux BaseOS EUS (v.8.4):
Source:
cups-2.2.6-38.el8_4.1.src.rpm
aarch64:
cups-client-debuginfo-2.2.6-38.el8_4.1.aarch64.rpm
cups-debuginfo-2.2.6-38.el8_4.1.aarch64.rpm
cups-debugsource-2.2.6-38.el8_4.1.aarch64.rpm
cups-ipptool-debuginfo-2.2.6-38.el8_4.1.aarch64.rpm
cups-libs-2.2.6-38.el8_4.1.aarch64.rpm
cups-libs-debuginfo-2.2.6-38.el8_4.1.aarch64.rpm
cups-lpd-debuginfo-2.2.6-38.el8_4.1.aarch64.rpm
ppc64le:
cups-client-debuginfo-2.2.6-38.el8_4.1.ppc64le.rpm
cups-debuginfo-2.2.6-38.el8_4.1.ppc64le.rpm
cups-debugsource-2.2.6-38.el8_4.1.ppc64le.rpm
cups-ipptool-debuginfo-2.2.6-38.el8_4.1.ppc64le.rpm
cups-libs-2.2.6-38.el8_4.1.ppc64le.rpm
cups-libs-debuginfo-2.2.6-38.el8_4.1.ppc64le.rpm
cups-lpd-debuginfo-2.2.6-38.el8_4.1.ppc64le.rpm
s390x:
cups-client-debuginfo-2.2.6-38.el8_4.1.s390x.rpm
cups-debuginfo-2.2.6-38.el8_4.1.s390x.rpm
cups-debugsource-2.2.6-38.el8_4.1.s390x.rpm
cups-ipptool-debuginfo-2.2.6-38.el8_4.1.s390x.rpm
cups-libs-2.2.6-38.el8_4.1.s390x.rpm
cups-libs-debuginfo-2.2.6-38.el8_4.1.s390x.rpm
cups-lpd-debuginfo-2.2.6-38.el8_4.1.s390x.rpm
x86_64:
cups-client-debuginfo-2.2.6-38.el8_4.1.i686.rpm
cups-client-debuginfo-2.2.6-38.el8_4.1.x86_64.rpm
cups-debuginfo-2.2.6-38.el8_4.1.i686.rpm
cups-debuginfo-2.2.6-38.el8_4.1.x86_64.rpm
cups-debugsource-2.2.6-38.el8_4.1.i686.rpm
cups-debugsource-2.2.6-38.el8_4.1.x86_64.rpm
cups-ipptool-debuginfo-2.2.6-38.el8_4.1.i686.rpm
cups-ipptool-debuginfo-2.2.6-38.el8_4.1.x86_64.rpm
cups-libs-2.2.6-38.el8_4.1.i686.rpm
cups-libs-2.2.6-38.el8_4.1.x86_64.rpm
cups-libs-debuginfo-2.2.6-38.el8_4.1.i686.rpm
cups-libs-debuginfo-2.2.6-38.el8_4.1.x86_64.rpm
cups-lpd-debuginfo-2.2.6-38.el8_4.1.i686.rpm
cups-lpd-debuginfo-2.2.6-38.el8_4.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-26691
https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYqod5tzjgjWX9erEAQjjNA//Z7M04b+Nkoijau9PVkZcXty1C50Y+8nY
s5e/P14N8xsiZNO+LWH1KYwESqyeOlmM6PebeMigm94/xH73vHlJe6ZAuC3FZhe9
pAYw6xAQXFvysUcqGdgzUk2NB0AXQ6hHlWN5P6/gAMOefxPhApW1L6EhsOBJdX/o
Ud0yqr2I9TSx12CroJ7TpjqRdrCcb7LbrD1njUlW05MHDk1GgGFCL9Jflvr/ugN3
YEvQx/7+49a4itSWM6nPhNsJM+MG9O5hyd4bwnbNA1zUJDpSufpqsW8xEhRBqNeA
kIlfbg9jyb4zPwifxjVJeRFMy+opA9m0L8olMF2Quebz6nJrYRqJVMeD4j/zksy4
rIktaPI3RTSEVw2ugL1oMvaRNosgpJ4gEumMgFfCgLt/YRlV519jf3HGEevhfUtm
nU8hFHShWG019bxLt6hwY6cKVB3z2gJHgQeXSbWkOuPL3s2r7rGSrQqDMsJRiZBR
cTaRDijA52MmUICn6E6THkXrdR0qQGJStl0F7gT8xufcxP+uXiJuD5c8eo29/O8Q
tXqp+0uAy0VoHz4sT9ZNM06o/zE4sIF6QCLQoc3W3G5Gf+B/FEUPyb5iK84gcqeB
/Zjxbb54aMOCnVALnMVim7HBoyLc5kYkRb/vDYw6SUFhzDlDSKpftEDQ9Obz+mqG
VDMNaiW9w24=
=+Qyt
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Gentoo Linux Security Advisory 202402-17 - Multiple vulnerabilities have been discovered in CUPS, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 2.4.7 are affected.
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Red Hat Security Advisory 2022-6430-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.
OpenShift API for Data Protection (OADP) 1.0.4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-30629: golang: crypto/tls: session ti...
Red Hat Security Advisory 2022-6290-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. Issues addressed include a denial of service vulnerability.
Red Hat OpenShift Container Platform release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23566: nanoid: Information disclosure via valueOf() function * CVE-2021-23648: sanitize-url: XSS * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2021-44906:...
Red Hat Security Advisory 2022-5556-01 - Logging Subsystem 5.4.3 has security updates. Issues addressed include denial of service and out of bounds read vulnerabilities.
Logging Subsystem 5.4.3 - Red Hat OpenShift Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS
Red Hat Security Advisory 2022-5483-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
The Migration Toolkit for Containers (MTC) 1.7.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-0536: follow-redirects: Exposure of Sensitive Information via Authorization Header leak
Red Hat Security Advisory 2022-4990-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-5054-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-5056-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-5055-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.
An update for cups is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization
An update for cups is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization
An update for cups is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization
An update for cups is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization
Ubuntu Security Notice 5454-2 - USN-5454-1 fixed several vulnerabilities in CUPS. This update provides the corresponding update for Ubuntu 16.04 ESM. Joshua Mason discovered that CUPS incorrectly handled the secret key used to access the administrative web interface. A remote attacker could possibly use this issue to open a session as an administrator and execute arbitrary code.
Ubuntu Security Notice 5454-1 - Joshua Mason discovered that CUPS incorrectly handled the secret key used to access the administrative web interface. A remote attacker could possibly use this issue to open a session as an administrator and execute arbitrary code. It was discovered that CUPS incorrectly handled certain memory operations when handling IPP printing. A remote attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.