http://bugzilla.novell.com/show_bug.cgi?id=516511
User jsmeix@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=516511#c3118
Summary: CUPS 1.3.10 DNS rebinding protection causes regression Classification: openSUSE Product: openSUSE 11.2 Version: Factory Platform: All OS/Version: SuSE Other Status: ASSIGNED Severity: Normal Priority: P5 - None Component: Printing AssignedTo: jsmeix@novell.com ReportedBy: jsmeix@novell.com QAContact: jsmeix@novell.com CC: mzugec@novell.com Found By: Development
CUPS 1.3.10 for which I have a pending submit-request for Factory has in its CHANGES.txt: --------------------------------------------------------------------- - SECURITY: The scheduler now protects against DNS rebinding attacks (STR #3118) --------------------------------------------------------------------- but the CUPS 1.3.10 fix causes the following regression:
In CUPS 1.3.9 the command lpoptions -h localhost -p <queue_name> -l works on my openSUSE 11.1 workstation.
But in CUPS 1.3.10 the command results a "lpoptions: Unable to get PPD file for lj1220: Bad Request" error message but the command lpoptions -p <queue_name> -l still works.
Setting "ServerAlias *" in /etc/cups/cupsd.conf does not help.
A consequence of this regression is that it would no longer work in YaST to change printer driver options because YaST runs "lpoptions -h localhost -p <queue_name> -l" to determine the current driver option settings for a queue.
http://bugzilla.novell.com/show_bug.cgi?id=516511
Johannes Meixner jsmeix@novell.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P2 - High
http://bugzilla.novell.com/show_bug.cgi?id=516511
User jsmeix@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=516511#c1
--- Comment #1 from Johannes Meixner jsmeix@novell.com 2009-06-26 05:45:19 MDT --- Created an attachment (id=300601) --> (http://bugzilla.novell.com/attachment.cgi?id=300601) cups-1.3.10-fix-DNS-rebinding-protection.patch
The command lpoptions -h localhost -p <queue> -l results in /var/log/cups/error_log there is the warning W ... Request from "localhost" using invalid Host: field "::1" but "::1" is the IPv6 loopback IP address for "localhost".
The attached cups-1.3.10-fix-DNS-rebinding-protection.patch fixes the issue by adding "::1" to the whitelist of IP addresses for "localhost" which are allowed in any case for connections via the loopback inteface.
http://bugzilla.novell.com/show_bug.cgi?id=516511
User jsmeix@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=516511#c2
Johannes Meixner jsmeix@novell.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED
--- Comment #2 from Johannes Meixner jsmeix@novell.com 2009-06-26 05:47:43 MDT --- I have a pending submit-request for Factory with the fix included: --------------------------------------------------------------------- 13148 State:new Creator:jsmeix When:2009-06-26T13:40:21 submit: Printing/cups -> openSUSE:Factory Comment: 'fixed CUPS 1.3.10 DNS rebinding protection regression (bnc#516511)' ---------------------------------------------------------------------
http://bugzilla.novell.com/show_bug.cgi?id=516511
User jsmeix@novell.com added comment http://bugzilla.novell.com/show_bug.cgi?id=516511#c3
--- Comment #3 from Johannes Meixner jsmeix@novell.com 2009-06-26 06:01:23 MDT --- The upstream bug report is http://www.cups.org/str.php?L3238
http://bugzilla.novell.com/show_bug.cgi?id=516511 http://bugzilla.novell.com/show_bug.cgi?id=516511#c5
--- Comment #5 from Bernhard Wiedemann bwiedemann@suse.com --- This is an autogenerated message for OBS integration: This bug (516511) was mentioned in https://build.opensuse.org/request/show/13297 Factory / cups