Security update for cups SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0638-1 Final 1 1 2021-04-30T19:23:03Z current 2021-04-30T19:23:03Z 2021-04-30T19:23:03Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cups This update for cups fixes the following issues: - CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-638 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7GKB5OH3W4MLNXHW3ZQK7GEVLAEMXZ7C/ E-Mail link for openSUSE-SU-2021:0638-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1184161 SUSE Bug 1184161 https://www.suse.com/security/cve/CVE-2021-25317/ SUSE CVE CVE-2021-25317 page openSUSE Leap 15.2 cups-2.2.7-lp152.9.9.1 cups-client-2.2.7-lp152.9.9.1 cups-config-2.2.7-lp152.9.9.1 cups-ddk-2.2.7-lp152.9.9.1 cups-devel-2.2.7-lp152.9.9.1 cups-devel-32bit-2.2.7-lp152.9.9.1 libcups2-2.2.7-lp152.9.9.1 libcups2-32bit-2.2.7-lp152.9.9.1 libcupscgi1-2.2.7-lp152.9.9.1 libcupscgi1-32bit-2.2.7-lp152.9.9.1 libcupsimage2-2.2.7-lp152.9.9.1 libcupsimage2-32bit-2.2.7-lp152.9.9.1 libcupsmime1-2.2.7-lp152.9.9.1 libcupsmime1-32bit-2.2.7-lp152.9.9.1 libcupsppdc1-2.2.7-lp152.9.9.1 libcupsppdc1-32bit-2.2.7-lp152.9.9.1 cups-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 cups-client-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 cups-config-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 cups-ddk-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 cups-devel-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 cups-devel-32bit-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 libcups2-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 libcups2-32bit-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 libcupscgi1-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 libcupscgi1-32bit-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 libcupsimage2-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 libcupsimage2-32bit-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 libcupsmime1-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 libcupsmime1-32bit-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 libcupsppdc1-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 libcupsppdc1-32bit-2.2.7-lp152.9.9.1 as a component of openSUSE Leap 15.2 A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions. CVE-2021-25317 openSUSE Leap 15.2:cups-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:cups-client-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:cups-config-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:cups-ddk-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:cups-devel-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:cups-devel-32bit-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:libcups2-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:libcups2-32bit-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:libcupscgi1-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:libcupscgi1-32bit-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:libcupsimage2-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:libcupsimage2-32bit-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:libcupsmime1-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:libcupsmime1-32bit-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:libcupsppdc1-2.2.7-lp152.9.9.1 openSUSE Leap 15.2:libcupsppdc1-32bit-2.2.7-lp152.9.9.1 low 2.1 AV:L/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7GKB5OH3W4MLNXHW3ZQK7GEVLAEMXZ7C/ https://www.suse.com/security/cve/CVE-2021-25317.html CVE-2021-25317 https://bugzilla.suse.com/1184161 SUSE Bug 1184161 https://bugzilla.suse.com/1192358 SUSE Bug 1192358