安全公告详情

NS-SA-2020-0067

2020-12-08 09:12:10

简介

moderate: cups/bash security update

严重级别

moderate

主题

An update for cups/bash is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

cups: CUPS printing system provides a portable printing layer for UNIX® operating systems. It has been developed by Apple Inc. to promote a standard printing solution for all UNIX vendors and users. CUPS provides the System V and Berkeley command-line interfaces.
bash: This package contains documentation files for bash.


Security Fix(es):
cups: It was discovered that CUPS allows non-root users to pass environment variables to CUPS backends. Affected backends use attacker-controlled environment variables without proper sanitization. A local attacker, who is part of one of the groups specified in the SystemGroups directive, could use the cupsctl binary to set SetEnv and PassEnv directives and potentially controls the flow of the affected backend, resulting in some cases in arbitrary code execution with root privileges.(CVE-2018-4180)
cups: In macOS High Sierra before 10.13.5, an issue existed in CUPS. This issue was addressed with improved access restrictions.(CVE-2018-4181)
cups: The session cookie generated by the CUPS web interface was easy to guess on Linux, allowing unauthorized scripted access to the web interface when the web interface is enabled. This issue affected versions prior to v2.2.10.(CVE-2018-4300)
cups: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-4300. Reason: This candidate is a duplicate of CVE-2018-4300. Notes: All CVE users should reference CVE-2018-4300 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.(CVE-2018-4700)
cups: bugfix
bash: rbash in Bash before 4.4-beta2 did not prevent the shell user from modifying BASH_CMDS, thus allowing the user to execute any command with the permissions of the shell.(CVE-2019-9924)
bash: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F25B5.

影响组件

  • cups
  • bash

影响产品

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

更新包

{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[{"binary":["cups-1.6.3-43.el7.x86_64.rpm","cups-client-1.6.3-43.el7.x86_64.rpm","cups-debuginfo-1.6.3-43.el7.x86_64.rpm","cups-devel-1.6.3-43.el7.x86_64.rpm","cups-filesystem-1.6.3-43.el7.noarch.rpm","cups-ipptool-1.6.3-43.el7.x86_64.rpm","cups-libs-1.6.3-43.el7.x86_64.rpm","cups-lpd-1.6.3-43.el7.x86_64.rpm"],"source":"cups-1.6.3-43.el7.src.rpm"},{"binary":["bash-4.2.46-34.el7.cgslv5.x86_64.rpm","bash-debuginfo-4.2.46-34.el7.cgslv5.x86_64.rpm","bash-doc-4.2.46-34.el7.cgslv5.x86_64.rpm"],"source":"bash-4.2.46-34.el7.cgslv5.src.rpm"}]},{"product":"CGSL CORE 5.04","pkgs":[{"binary":["cups-1.6.3-43.el7.x86_64.rpm","cups-client-1.6.3-43.el7.x86_64.rpm","cups-ipptool-1.6.3-43.el7.x86_64.rpm","cups-debuginfo-1.6.3-43.el7.x86_64.rpm","cups-devel-1.6.3-43.el7.x86_64.rpm","cups-filesystem-1.6.3-43.el7.noarch.rpm","cups-libs-1.6.3-43.el7.x86_64.rpm","cups-lpd-1.6.3-43.el7.x86_64.rpm"],"source":"cups-1.6.3-43.el7.src.rpm"},{"binary":["bash-4.2.46-34.el7.cgslv5.0.1.g00226e8.lite.x86_64.rpm","bash-debuginfo-4.2.46-34.el7.cgslv5.0.1.g00226e8.lite.x86_64.rpm","bash-doc-4.2.46-34.el7.cgslv5.0.1.g00226e8.lite.x86_64.rpm","bash-lang-4.2.46-34.el7.cgslv5.0.1.g00226e8.lite.x86_64.rpm"],"source":"bash-4.2.46-34.el7.cgslv5.0.1.g00226e8.lite.src.rpm"}]}]}

CVE

参考