Debian Security Advisory

DLA-1288-1 cups -- LTS security update

Date Reported: 22 Feb 2018
Affected Packages: cups
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2017-18190.

More information:

It was discovered that there was an issue in the CUPS printer framework where remote attackers could execute arbitrary commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding.

This was caused by a whitelisted localhost.localdomain entry.
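
To illustrate the kind of check involved, the following added example (not CUPS source and not part of the original advisory) models a Host header allowlist for a loopback-only listener, with and without the localhost.localdomain entry. The function names, the `allow_localdomain` parameter and the sample header values are assumptions made for the illustration.

```c
/* Added illustration, not CUPS source: Host header allowlist for a
 * loopback-only HTTP listener. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the host part of a Host header value into out, dropping any port
 * and one trailing dot. Returns 0 on success, -1 if malformed or too long. */
static int host_part(const char *hdr, char *out, size_t outlen)
{
    size_t n;
    if (hdr[0] == '[') {                      /* IPv6 literal: keep brackets */
        const char *end = strchr(hdr, ']');
        if (!end || (end[1] != '\0' && end[1] != ':')) return -1;
        n = (size_t)(end - hdr) + 1;
    } else {
        n = strcspn(hdr, ":");                /* host ends at the port colon */
    }
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, hdr, n);
    out[n] = '\0';
    if (n > 1 && out[n - 1] == '.') out[n - 1] = '\0';
    return 0;
}

/* Returns 1 if a request received on the loopback interface carries a Host
 * value that names loopback. allow_localdomain=1 models an allowlist that
 * still contains localhost.localdomain; 0 models that entry removed. */
int loopback_host_ok(const char *host_hdr, int allow_localdomain)
{
    char h[256];
    if (!host_hdr || host_part(host_hdr, h, sizeof h) != 0) return 0;
    if (!strcasecmp(h, "localhost")) return 1;
    if (!strcmp(h, "127.0.0.1") || !strcmp(h, "[::1]")) return 1;
    if (allow_localdomain && !strcasecmp(h, "localhost.localdomain")) return 1;
    return 0;                                 /* any other name is rejected */
}

int main(void)
{
    /* Constructed Host header values. */
    const char *samples[] = { "localhost:631", "LOCALHOST.", "[::1]:631",
                              "localhost.localdomain:631", "rebind.example:631" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-28s legacy=%d hardened=%d\n", samples[i],
               loopback_host_ok(samples[i], 1), loopback_host_ok(samples[i], 0));
    return 0;
}
```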

For Debian 7 Wheezy, this issue has been fixed in cups version 1.5.3-5+deb7u7.

We recommend that you upgrade your cups packages.