Security update for cups SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:14712-1 Final 1 1 2021-04-30T07:17:38Z current 2021-04-30T07:17:38Z 2021-04-30T07:17:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for cups This update for cups fixes the following issues: - CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). sleposp3-cups-14712,slessp4-cups-14712 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-202114712-1/ Link for SUSE-SU-2021:14712-1 https://lists.suse.com/pipermail/sle-security-updates/2021-April/008714.html E-Mail link for SUSE-SU-2021:14712-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1184161 SUSE Bug 1184161 https://www.suse.com/security/cve/CVE-2021-25317/ SUSE CVE CVE-2021-25317 page SUSE Linux Enterprise Point of Sale 11 SP3 SUSE Linux Enterprise Server 11 SP4-LTSS cups-1.3.9-8.46.56.18.1 cups-client-1.3.9-8.46.56.18.1 cups-libs-1.3.9-8.46.56.18.1 cups-libs-32bit-1.3.9-8.46.56.18.1 cups-1.3.9-8.46.56.18.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 cups-client-1.3.9-8.46.56.18.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 cups-libs-1.3.9-8.46.56.18.1 as a component of SUSE Linux Enterprise Point of Sale 11 SP3 cups-1.3.9-8.46.56.18.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS cups-client-1.3.9-8.46.56.18.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS cups-libs-1.3.9-8.46.56.18.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS cups-libs-32bit-1.3.9-8.46.56.18.1 as a component of SUSE Linux Enterprise Server 11 SP4-LTSS A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9; openSUSE Leap 15.2, Factory allows local attackers with control of the lp users to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions. CVE-2021-25317 SUSE Linux Enterprise Point of Sale 11 SP3:cups-1.3.9-8.46.56.18.1 SUSE Linux Enterprise Point of Sale 11 SP3:cups-client-1.3.9-8.46.56.18.1 SUSE Linux Enterprise Point of Sale 11 SP3:cups-libs-1.3.9-8.46.56.18.1 SUSE Linux Enterprise Server 11 SP4-LTSS:cups-1.3.9-8.46.56.18.1 SUSE Linux Enterprise Server 11 SP4-LTSS:cups-client-1.3.9-8.46.56.18.1 SUSE Linux Enterprise Server 11 SP4-LTSS:cups-libs-1.3.9-8.46.56.18.1 SUSE Linux Enterprise Server 11 SP4-LTSS:cups-libs-32bit-1.3.9-8.46.56.18.1 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-202114712-1/ https://www.suse.com/security/cve/CVE-2021-25317.html CVE-2021-25317 https://bugzilla.suse.com/1184161 SUSE Bug 1184161 https://bugzilla.suse.com/1192358 SUSE Bug 1192358