system-config-printer security update
system-config-printer used an unauthenticated connection
when downloading printer drivers from openprinting.org
(CVE-2011-4405). This update disables the printer driver
download feature.
system-config-printer did not properly quote shell meta
characters in SMB server or workgroup names when passing
them to the shell (CVE-2011-2899).
-
Submitted by
Adrian Schröter (adrianSuSE)
- Version 5530
Fixed bugs
bnc#733542
VUL-0: CVE-2011-4405: system-config-printer: possible MITM due to use of insecure connections
bnc#735322
VUL-0: CVE-2011-2899: system-config-printer: improper escaping of hostnames
CVE#CVE-2011-4405
The cupshelpers scripts in system-config-printer in Ubuntu 11.04 and 11.10, as used by the automatic printer driver download service, uses an "insecure connection" for queries to the OpenPrinting database, which allows remote attackers to execute arbitrar
CVE#CVE-2011-2899
pysmb.py in system-config-printer 0.6.x and 0.7.x, as used in foomatic-gui and possibly other products, allows remote SMB servers to execute arbitrary commands via shell metacharacters in the (1) NetBIOS or (2) workgroup name, which are not properly handl
