Security update for cups SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0618-1 Final 1 1 2018-03-06T19:20:31Z current 2018-03-06T19:20:31Z 2018-03-06T19:20:31Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cups This update for cups fixes the following issues: - CVE-2017-18190: Removed localhost.localdomain from list of trustworthy hosts in scheduler/client.c to avoid arbitrary IPP command execution in conjunction with DNS rebinding. (bsc#1081557) This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00026.html E-Mail link for openSUSE-SU-2018:0618-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 cups-1.7.5-12.3.1 cups-client-1.7.5-12.3.1 cups-ddk-1.7.5-12.3.1 cups-devel-1.7.5-12.3.1 cups-libs-1.7.5-12.3.1 cups-libs-32bit-1.7.5-12.3.1 cups-1.7.5-12.3.1 as a component of openSUSE Leap 42.3 cups-client-1.7.5-12.3.1 as a component of openSUSE Leap 42.3 cups-ddk-1.7.5-12.3.1 as a component of openSUSE Leap 42.3 cups-devel-1.7.5-12.3.1 as a component of openSUSE Leap 42.3 cups-libs-1.7.5-12.3.1 as a component of openSUSE Leap 42.3 cups-libs-32bit-1.7.5-12.3.1 as a component of openSUSE Leap 42.3 A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1). CVE-2017-18190 openSUSE Leap 42.3:cups-1.7.5-12.3.1 openSUSE Leap 42.3:cups-client-1.7.5-12.3.1 openSUSE Leap 42.3:cups-ddk-1.7.5-12.3.1 openSUSE Leap 42.3:cups-devel-1.7.5-12.3.1 openSUSE Leap 42.3:cups-libs-1.7.5-12.3.1 openSUSE Leap 42.3:cups-libs-32bit-1.7.5-12.3.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2018-03/msg00026.html https://www.suse.com/security/cve/CVE-2017-18190.html CVE-2017-18190 https://bugzilla.suse.com/1081557 SUSE Bug 1081557