Hello community,
here is the log from the commit of package cups for openSUSE:Factory checked in at 2015-02-20 13:50:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cups (Old)
and /work/SRC/openSUSE:Factory/.cups.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cups"
Changes:
--------
--- /work/SRC/openSUSE:Factory/cups/cups.changes 2014-11-29 08:39:45.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.cups.new/cups.changes 2015-02-20 13:50:46.000000000 +0100
@@ -2 +2 @@
-Tue Nov 25 16:13:50 CET 2014 - jsmeix@suse.de
+Thu Feb 12 13:50:58 UTC 2015 - tchvatal@suse.com
@@ -4,15 +4 @@
-- Refresh and/or clean up the systemd units that belong to CUPS
- (cups.service cups.socket cups.path) via RPM posttrans scriplet
- in a generic way via "systemctl --force reenable" (bnc#904215).
- An enabled systemd unit may need a refresh via
- "systemctl --force reenable" after updating a package when
- the new package had installed a changed systemd unit file.
- A disabled systemd unit also may need a refresh via
- "systemctl --force reenable" but then it is again disabled.
- A systemd unit may become obsolete by updating a package when
- the new package does no longer provide a unit file. In this
- case "systemctl --force reenable" removes the unit.
- In any case currently running services are not stopped even
- when the new package does no longer provide the unit file
- because a RPM package update must not automatically disrupt
- (stop or restart) running services.
+- Add back the posttrans cleanup script as it is needed
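Review bot: The replacement line "Add back the posttrans cleanup script as it is needed" drops the bnc#904215 reference that the removed text carried. It also drops the statement that a package update must not stop or restart running services. Keep the bug number and one line saying what the scriptlet does ("systemctl --force reenable" for cups.service, cups.socket and cups.path), so the reason it is needed stays traceable from the changelog.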
@@ -21 +7 @@
-Tue Nov 4 13:26:04 CET 2014 - jsmeix@suse.de
+Thu Feb 12 09:22:30 UTC 2015 - tchvatal@suse.com
@@ -23,5 +9,2 @@
-- Also for SLE12 krb5-devel must be used for build
- (cf. the entry below dated "Wed Jun 26 10:39:30 CEST 2013")
- because in contrast to IBS where krb5-mini-devel is available
- for build in SUSE:SLE-12:GA in OBS it cannot build for SLE_12
- with "unresolvable: nothing provides krb5-mini-devel".
+- Add patch cups-systemd-socket.patch to fix socket activation
+ and to match socket approach Fedora has.
@@ -30 +13 @@
-Mon Oct 13 09:30:49 UTC 2014 - gber@opensuse.org
+Thu Feb 12 09:12:05 UTC 2015 - tchvatal@suse.com
@@ -32,2 +15,7 @@
-- use Settings;Printing;HardwareSettings desktop file category
- instead of System category in the desktop file
+- Version bump to 2.0.2:
+ * Security: cupsRasterReadPixels buffer overflow with invalid page header and
+ compressed raster data (STR #4551)
+ * Mapping of PPD keywords to IPP keywords did not work if the PPD keyword was
+ already an IPP keyword (rdar://problem/19121005)
+ * cupsGetPPD* sent bad requests (STR #4567)
+ * For detailed list see CHANGES.txt file
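Review bot: The "Security:" item for the cupsRasterReadPixels buffer overflow cites only STR #4551, with no CVE id or bnc number, while the 1.7.4 and 1.7.5 entries in this same file give both for their security fixes. If a CVE and a Bugzilla entry exist for this fix, add them to the line so that anyone matching on those ids can see which package version carries the fix.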
@@ -36 +24 @@
-Tue Sep 2 15:48:23 CEST 2014 - jsmeix@suse.de
+Thu Feb 12 09:10:09 UTC 2015 - tchvatal@suse.com
@@ -38,5 +26 @@
-- Let fdupes only create symlinks in /usr/share/cups/templates/ to
- avoid a symlink /usr/share/cups/webcontent/images/cups-icon.png
- because the cupsd web server does no longer follow symlinks
- to avoid the security issues mentioned in the previous entry
- below (fixes bnc#892587 a regression of bnc#887240).
+- Enable PIE for build
@@ -45 +29 @@
-Tue Sep 2 15:26:36 CEST 2014 - jsmeix@suse.de
+Fri Jan 30 10:44:47 UTC 2015 - tchvatal@suse.com
@@ -47,6 +31,2 @@
-- str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
- fixes that the web interface incorrectly served symlinked files
- and files that were not world-readable, potentially leading to
- a disclosure of information (CVE-2014-3537 STR #4450 plus the
- subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455
- all in bnc#887240).
+- Remove legacy paralel-port support as it is not really needed
+ as most do not want it
@@ -55 +35 @@
-Thu May 22 10:16:17 UTC 2014 - werner@suse.de
+Fri Jan 30 10:39:41 UTC 2015 - tchvatal@suse.com
@@ -57,2 +37,6 @@
-- Add build require pkgconfig(libsystemd-daemon) to allow to move
- systemd.pc back to systemd package
+- Update descriptions to just state what changed and let user
+ find it out.
+- Add back comment about %fdupes
+- Remove exit 0 on scriptlets as it is provided by the %service bla
+ ones already
+- Fix the comment about openSUSE version on tmpfilesdir declaration
@@ -61 +45 @@
-Fri Apr 11 09:42:30 CEST 2014 - jsmeix@suse.de
+Fri Jan 16 16:00:20 UTC 2015 - tchvatal@suse.com
@@ -63,3 +47,33 @@
-- cups-1.5.4-strftime.patch fixes CUPS upstream STR #4388:
- no or malformed output from lpstat in charset other than utf-8
- (bnc#873030).
+- cups-2.0.1 update:
+ * lengthy list of changes see the upstream CHANGES.txt that is
+ distributed with the package
+ * Disabling of sslv3 to mitigate poodle
+- Use gnutls to provide SSLOPtions configuration directive
+ * openssl is no longer supported upstream
+ * Remove the with-openssl-exception from license
+- Remove cups.sysconfig as it is not used with systemd based distros
+- Purposely lose support for SLE11 as it doubles size of some of the
+ sections and keep suppor for openSUSE+SLE12
+ * even with the conditions we would have to go unencrypted only
+ as needs newer gnutls, so don't bother with keeping the compat
+- Use upstream service and socket files to allow more working tools
+- Removed patches:
+ * cups-0001-systemd-add-systemd-socket-activation-and-unit-files.patch
+ * cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch
+ * cups-0003-systemd-secure-cups.service-unit-file.patch
+ * cups-1.3.6-access_conf.patch
+ * cups-1.5-additional_policies.patch
+ * cups-1.5.4-CVE-2012-5519.patch
+ * cups-1.5.4-strftime.patch
+ * cups-move-everything-to-run.patch
+ * cups-polld_avoid_busy_loop.patch
+ * cups-provides-cupsd-service.patch
+ * str4190.patch
+ * str4351.patch
+ * str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
+- Refreshed patches:
+ * cups-1.3.9-desktop_file.patch
+ * cups-config-libs.patch
+- Added patches:
+ * cups-1.7-additional_policies.patch
+ * cups-systemd-socket.patch
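Review bot: The "Removed patches" list gives no reason per patch, and three entries are security relevant: cups-1.5.4-CVE-2012-5519.patch, cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch and cups-0003-systemd-secure-cups.service-unit-file.patch. State for each whether it is fixed upstream or covered by the upstream unit files plus cups-systemd-socket.patch, so a reader can confirm that the localhost-only listening and the unit hardening were not lost with "Use upstream service and socket files". While touching this entry, fix the spelling of "SSLOPtions" and "suppor".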
@@ -68 +82 @@
-Thu Feb 20 13:57:24 CET 2014 - jsmeix@suse.de
+Tue Sep 23 13:57:31 CEST 2014 - ro@suse.de
@@ -70,15 +84,96 @@
-- Cautious clean up of systemd units via RPM scriptlets
- (see the entry below dated "Wed Feb 19 15:05:44 CET 2014")
- does not work reliable because it would leave a messsed up
- systemd setup for cupsd when YaST was used before
- to start/stop/enable/disable the cupsd, see
- https://bugzilla.novell.com/show_bug.cgi?id=857372#c115
- so that now cups.socket and cups.path are stopped and disabled
- in any case to ensure starting/stopping/enabling/disabling
- of the cupsd also works with YaST, see
- https://bugzilla.novell.com/show_bug.cgi?id=857372#c120
- (bnc#857372).
-- str4351.patch from CUPS upstream fixes
- https://www.cups.org/str.php?L4351
- "STR #4351 cups-lpd hugh jobs (>2G) fail"
- (bnc#864782).
+- change BuildRequires for systemd to pkgconfig(systemd)
+ and pkgconfig(libsystemd-daemon) to avoid build-cycles
+
+-------------------------------------------------------------------
+Mon Aug 25 13:19:19 CEST 2014 - jsmeix@suse.de
+
+- Version upgrade to 1.7.5:
+ CUPS 1.7.5 addresses some minor issues and expands upon the
+ symlink security protection. Changes include (excerpt):
+ * Security: Addressed some more situations where symlinked
+ files would be served by the web interface (CVE-2014-5029
+ CVE-2014-5030 CVE-2014-5031 STR #4455 and bnc#887240).
+ * The LPD backend did not work with some versions
+ of glibc (STR #4452)
+ * CGI scripts did not work (STR #4454)
+- str4455-1.7.patch (see the previous entry below)
+ is obsolete because it is fixed upstream since CUPS 1.7.5.
+- Let fdupes only create symlinks in /usr/share/cups/templates/ to
+ avoid a symlink /usr/share/cups/webcontent/images/cups-icon.png
+ because since CUPS 1.7.4/1.7.5 the cupsd web server does
+ no longer follow symlinks to avoid the security issues
+ mentioned in the previous two entries below
+ (fixes bnc#892587 a regression of bnc#887240).
+
+-------------------------------------------------------------------
+Tue Jul 29 16:41:10 CEST 2014 - jsmeix@suse.de
+
+- str4455-1.7.patch complements the incomplete fix for
+ CVE-2014-3537 STR#445 in the CUPS 1.7.4 sources
+ to fix the subsequent CVE-2014-5029 CVE-2014-5030
+ CVE-2014-5031 STR#4455 (bnc#887240).
+
+-------------------------------------------------------------------
+Tue Jul 15 11:13:14 CEST 2014 - jsmeix@suse.de
+
+- Version upgrade to 1.7.4:
+ CUPS 1.7.4 fixes several networking and build issues,
+ and addresses a symlink security issue CVE-2014-3537.
+ Changes since 1.7.3 include (excerpt):
+ * Security: The web interface incorrectly served symlinked files
+ and files that were not world-readable, potentially leading to
+ a disclosure of information (CVE-2014-3537, STR #4450,
+ and bnc#887240).
+ * The "snmp" option did not work with the network backends
+ (STR #4422).
+ * The User directive in client.conf did not override the USER
+ environment variable (STR #4426).
+ * The web interface now properly shows a "Go" button for
+ all text-based browsers (STR #4425).
+ * The MaxJobTime directive now properly supports time
+ values (STR #4434).
+ * Fixed an "IPP read error" race condition issue (STR #4440).
+
+-------------------------------------------------------------------
+Mon Jun 2 13:21:31 CEST 2014 - jsmeix@suse.de
+
+- Version upgrade to 1.7.3:
+ CUPS 1.7.3 includes a number of general bug fixes.
+ Changes since 1.7.2 include (excerpt):
+ * Fixed mapping of OutputBin values such as "Tray1".
+ * Several ippGet* functions incorrectly returned -1
++++ 499 more lines (skipped)
++++ between /work/SRC/openSUSE:Factory/cups/cups.changes
++++ and /work/SRC/openSUSE:Factory/.cups.new/cups.changes
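Review bot: In the entry dated "Tue Jul 29 16:41:10 CEST 2014", the text "CVE-2014-3537 STR#445" does not match the 1.7.4 entry further down, which gives STR #4450 for the same CVE. Correct the STR number so that a search for the id finds both entries.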
Old:
----
PSLEVEL1.PPD.bz2
PSLEVEL2.PPD.bz2
cups-0001-systemd-add-systemd-socket-activation-and-unit-files.patch
cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch
cups-0003-systemd-secure-cups.service-unit-file.patch
cups-1.3.6-access_conf.patch
cups-1.5-additional_policies.patch
cups-1.5.4-CVE-2012-5519.patch
cups-1.5.4-source.tar.bz2
cups-1.5.4-strftime.patch
cups-move-everything-to-run.patch
cups-polld_avoid_busy_loop.patch
cups-provides-cupsd-service.patch
cups.init
cups.sysconfig
cups.xinetd
postscript.ppd.bz2
str4190.patch
str4351.patch
str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch
New:
----
Postscript-level1.ppd.gz
Postscript-level2.ppd.gz
Postscript.ppd.gz
cups-1.7-additional_policies.patch
cups-2.0.2-source.tar.bz2
cups-systemd-socket.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cups.spec ++++++
++++ 1097 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/cups/cups.spec
++++ and /work/SRC/openSUSE:Factory/.cups.new/cups.spec
++++++ cups-1.3.9-desktop_file.patch ++++++
--- /var/tmp/diff_new_pack.16NrQH/_old 2015-02-20 13:50:47.000000000 +0100
+++ /var/tmp/diff_new_pack.16NrQH/_new 2015-02-20 13:50:47.000000000 +0100
@@ -6,7 +6,7 @@
[Desktop Entry]
-Categories=System;Printing;HardwareSettings;X-Red-Hat-Base;
-Exec=@CUPS_HTMLVIEW@ http://localhost:631/
-+Categories=Settings;Printing;HardwareSettings;
++Categories=System;Printing;Settings;HardwareSettings;
+Exec=desktop-launch http://localhost:631/
+NotShowIn=GNOME;
Icon=cups
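Review bot: The new Categories line puts "System;" back, so this is not an offset-only refresh. The changelog entry by gber@opensuse.org that this commit removes says the desktop file should use Settings;Printing;HardwareSettings instead of the System category. Either drop "System;" again or add a changelog line explaining why both categories are now set, since the changelog only lists this patch under "Refreshed patches".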
++++++ cups-1.5-additional_policies.patch -> cups-1.7-additional_policies.patch ++++++
--- /work/SRC/openSUSE:Factory/cups/cups-1.5-additional_policies.patch 2014-02-07 10:25:42.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.cups.new/cups-1.7-additional_policies.patch 2015-02-20 13:50:46.000000000 +0100
@@ -1,9 +1,12 @@
---- conf/cupsd.conf.in.orig 2014-01-29 14:31:32.000000000 +0100
-+++ conf/cupsd.conf.in 2014-01-29 15:20:30.000000000 +0100
-@@ -136,6 +136,39 @@ WebInterface @CUPS_WEBIF@
+Index: conf/cupsd.conf.in
+===================================================================
+--- conf/cupsd.conf.in.orig
++++ conf/cupsd.conf.in
+@@ -127,3 +127,36 @@ WebInterface @CUPS_WEBIF@
+ Order deny,allow
</Limit>
</Policy>
-
++
+# The policy below is added by SUSE during build of our cups package.
+# The policy 'allowallforanybody' is totally open and insecure and therefore
+# it can only be used within an internal network where only trused users exist
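Review bot: The comment that this patch writes into cupsd.conf reads "only trused users exist"; since the patch is being regenerated here, correct it to "trusted". This text is the only warning an administrator sees next to a policy described as "totally open and insecure", so it should read cleanly.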
@@ -14,7 +17,7 @@
+# print jobs from an internal network to any external destination, see
+# http://en.opensuse.org/SDB:CUPS_in_a_Nutshell
+# For documentation regarding 'Managing Operation Policies' see
-+# http://www.cups.org/documentation.php/doc-1.5/policies.html
++# http://www.cups.org/documentation.php/doc-1.7/policies.html
+<Policy allowallforanybody>
+ # Allow anybody to access job's private values:
+ JobPrivateAccess all
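Review bot: The documentation link in the policy comment is moved to doc-1.7 while this commit bumps the package to 2.0.2. Point the URL at documentation that matches the shipped version, or at a location that is not version specific, so the reference to 'Managing Operation Policies' does not go stale with each bump.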
@@ -36,7 +39,3 @@
+</Policy>
+# Explicitly set the CUPS 'default' policy to be used by default:
+DefaultPolicy default
-+
- #
- # End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $".
- #
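Review bot: With the "$Id" trailer lines dropped here, the embedded patch has leading context only (its header is now "-127,3 +127,36"), so the policy block is placed purely by the three lines ending in </Policy>. Add a sentence to the patch description saying that the block is meant to be appended after the last policy in conf/cupsd.conf.in, so the next refresh can be checked against that intent.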
++++++ cups-1.5.4-source.tar.bz2 -> cups-2.0.2-source.tar.bz2 ++++++
/work/SRC/openSUSE:Factory/cups/cups-1.5.4-source.tar.bz2 /work/SRC/openSUSE:Factory/.cups.new/cups-2.0.2-source.tar.bz2 differ: char 11, line 1
++++++ cups-client.conf ++++++
--- /var/tmp/diff_new_pack.16NrQH/_old 2015-02-20 13:50:47.000000000 +0100
+++ /var/tmp/diff_new_pack.16NrQH/_new 2015-02-20 13:50:47.000000000 +0100
@@ -1,77 +1,28 @@
-# Sample client configuration file for the Common UNIX Printing System
-# (CUPS).
-#
-# Copyright 1997-2005 by Easy Software Products, all rights reserved.
-# Klaus Singvogel