Detections
Analytics

Debian dla-3594 : cups - security update

high Nessus Plugin ID 182417

Language:

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3594 advisory.

 - ------------------------------------------------------------------------- Debian LTS Advisory DLA-3594-1 [email protected] https://www.debian.org/lts/security/ Thorsten Alteholz September 30, 2023 https://wiki.debian.org/LTS
 - -------------------------------------------------------------------------

 Package : cups Version : 2.2.10-6+deb10u9 CVE ID : CVE-2023-4504 CVE-2023-32360 Debian Bug : #1051953

 Two issues have been found in cups, the Common UNIX Printing System(tm).

 CVE-2023-4504

 Due to missing boundary checks a heap-based buffer overflow and code execution might be possible by using crafted postscript documents.

 CVE-2023-32360

 Unauthorized users might be allowed to fetch recently printed documents.

 Since this is a configuration fix, it might be that it does not reach you if you are updating the package.
 Please double check your /etc/cups/cupds.conf file, whether it limits the access to CUPS-Get-Document with something like the following > <Limit CUPS-Get-Document> > AuthType Default > Require user @OWNER @SYSTEM > Order deny,allow > </Limit> (The important line is the 'AuthType Default' in this section)


 For Debian 10 buster, these problems have been fixed in version 2.2.10-6+deb10u9.

 We recommend that you upgrade your cups packages.

 For the detailed security status of cups please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/cups

 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the cups packages.

See Also

https://security-tracker.debian.org/tracker/source-package/cups

https://security-tracker.debian.org/tracker/CVE-2023-32360

https://security-tracker.debian.org/tracker/CVE-2023-4504

https://packages.debian.org/source/buster/cups

Plugin Details

Severity: High

ID: 182417

File Name: debian_DLA-3594.nasl

Version: 1.2

Type: local

Agent: unix

Published: 10/2/2023

Updated: 1/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 4.9

Vector: CVSS2#AV:L/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-4504

CVSS v3

Risk Factor: High

Base Score: 7

Temporal Score: 6.3

Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:cups-ipp-utils, p-cpe:/a:debian:debian_linux:cups, p-cpe:/a:debian:debian_linux:cups-daemon, p-cpe:/a:debian:debian_linux:cups-common, p-cpe:/a:debian:debian_linux:cups-client, p-cpe:/a:debian:debian_linux:cups-core-drivers, p-cpe:/a:debian:debian_linux:libcups2-dev, cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:cups-ppdc, p-cpe:/a:debian:debian_linux:cups-bsd, p-cpe:/a:debian:debian_linux:libcups2, p-cpe:/a:debian:debian_linux:libcupsimage2-dev, p-cpe:/a:debian:debian_linux:libcupsimage2, p-cpe:/a:debian:debian_linux:cups-server-common

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/30/2023

Vulnerability Publication Date: 5/18/2023

Reference Information

CVE: CVE-2023-32360, CVE-2023-4504