Headline
Red Hat Security Advisory 2022-4990-01
Red Hat Security Advisory 2022-4990-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: cups security update
Advisory ID: RHSA-2022:4990-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:4990
Issue date: 2022-06-15
CVE Names: CVE-2022-26691
=====================================================================
- Summary:
An update for cups is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives
a detailed severity rating, is available for each vulnerability from the
CVE
link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64
Red Hat Enterprise Linux BaseOS (v. 9) - aarch64, ppc64le, s390x, x86_64
- Description:
The Common UNIX Printing System (CUPS) provides a portable printing layer
for
Linux, UNIX, and similar operating systems.
Security Fix(es):
- cups: authorization bypass when using “local” authorization
(CVE-2022-26691)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.
- Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2084321 - CVE-2022-26691 cups: authorization bypass when using “local” authorization
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
aarch64:
cups-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-client-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-client-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-debugsource-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-devel-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-ipptool-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-ipptool-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-libs-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-lpd-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-lpd-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-printerapp-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-printerapp-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
noarch:
cups-filesystem-2.3.3op2-13.el9_0.1.noarch.rpm
ppc64le:
cups-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-client-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-client-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-debugsource-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-devel-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-ipptool-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-ipptool-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-libs-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-lpd-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-lpd-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-printerapp-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-printerapp-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
s390x:
cups-2.3.3op2-13.el9_0.1.s390x.rpm
cups-client-2.3.3op2-13.el9_0.1.s390x.rpm
cups-client-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
cups-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
cups-debugsource-2.3.3op2-13.el9_0.1.s390x.rpm
cups-devel-2.3.3op2-13.el9_0.1.s390x.rpm
cups-ipptool-2.3.3op2-13.el9_0.1.s390x.rpm
cups-ipptool-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
cups-libs-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
cups-lpd-2.3.3op2-13.el9_0.1.s390x.rpm
cups-lpd-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
cups-printerapp-2.3.3op2-13.el9_0.1.s390x.rpm
cups-printerapp-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
x86_64:
cups-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-client-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-client-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-client-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-debugsource-2.3.3op2-13.el9_0.1.i686.rpm
cups-debugsource-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-devel-2.3.3op2-13.el9_0.1.i686.rpm
cups-devel-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-ipptool-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-ipptool-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-ipptool-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-libs-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-libs-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-lpd-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-lpd-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-lpd-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-printerapp-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-printerapp-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-printerapp-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
Red Hat Enterprise Linux BaseOS (v. 9):
Source:
cups-2.3.3op2-13.el9_0.1.src.rpm
aarch64:
cups-client-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-debugsource-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-ipptool-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-libs-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-libs-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-lpd-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
cups-printerapp-debuginfo-2.3.3op2-13.el9_0.1.aarch64.rpm
ppc64le:
cups-client-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-debugsource-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-ipptool-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-libs-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-libs-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-lpd-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
cups-printerapp-debuginfo-2.3.3op2-13.el9_0.1.ppc64le.rpm
s390x:
cups-client-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
cups-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
cups-debugsource-2.3.3op2-13.el9_0.1.s390x.rpm
cups-ipptool-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
cups-libs-2.3.3op2-13.el9_0.1.s390x.rpm
cups-libs-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
cups-lpd-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
cups-printerapp-debuginfo-2.3.3op2-13.el9_0.1.s390x.rpm
x86_64:
cups-client-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-client-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-debugsource-2.3.3op2-13.el9_0.1.i686.rpm
cups-debugsource-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-ipptool-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-ipptool-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-libs-2.3.3op2-13.el9_0.1.i686.rpm
cups-libs-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-libs-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-libs-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-lpd-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-lpd-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
cups-printerapp-debuginfo-2.3.3op2-13.el9_0.1.i686.rpm
cups-printerapp-debuginfo-2.3.3op2-13.el9_0.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-26691
https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYqpyONzjgjWX9erEAQivKA//a6QQWxm7i+NbhcVKNCvCXKtVa8aPt04Z
mtAojP0b59ifL1QjXr1Kr+pbW/oCP2fxdB2kN1L38mMo/u2pbM3DH4xVA709RgT0
ZHrnryfYjSyRq52/y9PNfUch6tOQAYIlfq7fdLGwSp94xTX+duvkDiyH30RHPlay
glx/yjQvJzzbmClvl8oTU3qQngWmfrdVQlTjf9nUu3YiAfm8DkEE/wYEksOuKaRF
xXVLSHXf3KVoMIidsEJPSBxFzxrbvT5Ggk7E2A7bRrmk67s7XUuFnATq9eypVXBu
CGd00xIIvDHXtgqoHFPuBexqf9PLiIJ+I4XNT/2SCAMoqr6Csw2cZ+WrHMuIN2Uy
Tf7RwazB7FUEf/7+YYE1o66UGFHs19lX24r2pixgFQI5PW7WKNLNVqfkuHogACnP
CmiNoV/WHwDisuqi1jaT+JB+Yy3aRsCY+gVM0T6PzOKIgUptOKnbGnGexTak1qar
NMT73SOTIeh7fL3cBd3I8ZK/ZX+0PdglxCpiEJbhIKnmQwSJIkdl+gSU/6078TdO
tyDqBJgn8YyoFhAliaNq42T6kIVObtHwqpHwlgTPcKkiVWS5YHzdDBrykS+Z9/Eq
DDpvi2UJn6AMaRk8Gs/RRWaaTiALNIRI5ipb6fM8TRYgW/Z9lKH+rjyInN48sMRJ
ZFVu8coCFgE=
=V3ej
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Gentoo Linux Security Advisory 202402-17 - Multiple vulnerabilities have been discovered in CUPS, the worst of which can lead to arbitrary code execution. Versions greater than or equal to 2.4.7 are affected.
Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.
Red Hat Security Advisory 2022-6430-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes. Issues addressed include a denial of service vulnerability.
OpenShift API for Data Protection (OADP) 1.0.4 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1705: golang: net/http: improper sanitization of Transfer-Encoding header * CVE-2022-1962: golang: go/parser: stack exhaustion in all Parse* functions * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-30629: golang: crypto/tls: session ti...
Red Hat Security Advisory 2022-6290-01 - OpenShift API for Data Protection enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. Issues addressed include a denial of service vulnerability.
OpenShift API for Data Protection (OADP) 1.1.0 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-24675: golang: encoding/pem: fix stack overflow in Decode * CVE-2022-28327: golang: crypto/elliptic: panic caused by oversized scalar * CVE-2022-30629: golang: crypto/tls: session tickets lack random ticket_age_add * CVE-2022-30631: golang: compress/gzip: stack exhaus...
Red Hat Security Advisory 2022-5069-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.0. Issues addressed include code execution, cross site scripting, denial of service, information leakage, and traversal vulnerabilities.
Red Hat OpenShift Container Platform release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23566: nanoid: Information disclosure via valueOf() function * CVE-2021-23648: sanitize-url: XSS * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion * CVE-2021-44906:...
Red Hat Security Advisory 2022-5556-01 - Logging Subsystem 5.4.3 has security updates. Issues addressed include denial of service and out of bounds read vulnerabilities.
Red Hat Security Advisory 2022-5483-01 - The Migration Toolkit for Containers enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Issues addressed include a denial of service vulnerability.
The Migration Toolkit for Containers (MTC) 1.7.2 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes * CVE-2022-0235: node-fetch: exposure of sensitive information to an unauthorized actor * CVE-2022-0536: follow-redirects: Exposure of Sensitive Information via Authorization Header leak
Red Hat Security Advisory 2022-5054-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-5056-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-5057-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-5055-01 - The Common UNIX Printing System provides a portable printing layer for Linux, UNIX, and similar operating systems. Issues addressed include a bypass vulnerability.
An update for cups is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization
An update for cups is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization
An update for cups is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization
An update for cups is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-26691: cups: authorization bypass when using "local" authorization
Ubuntu Security Notice 5454-2 - USN-5454-1 fixed several vulnerabilities in CUPS. This update provides the corresponding update for Ubuntu 16.04 ESM. Joshua Mason discovered that CUPS incorrectly handled the secret key used to access the administrative web interface. A remote attacker could possibly use this issue to open a session as an administrator and execute arbitrary code.
Ubuntu Security Notice 5454-1 - Joshua Mason discovered that CUPS incorrectly handled the secret key used to access the administrative web interface. A remote attacker could possibly use this issue to open a session as an administrator and execute arbitrary code. It was discovered that CUPS incorrectly handled certain memory operations when handling IPP printing. A remote attacker could possibly use this issue to cause CUPS to crash, leading to a denial of service, or obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
A memory corruption issue was addressed with improved state management. This issue is fixed in watchOS 8.5, iOS 15.4 and iPadOS 15.4, macOS Big Sur 11.6.5, macOS Monterey 12.3. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.