A flaw was found in the CUPS printing server. Insufficient randomness makes session cookies predictable, breaking CSRF protection.
Patch: https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3
Created cups tracking bugs for this issue:

Affects: fedora-all [bug 1657750]
Stefan, would you mind creating the bugzilla for RHEL 8 too?
*** Bug 1695929 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1050 https://access.redhat.com/errata/RHSA-2020:1050
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-4700
A few notes on the history of CVE-2018-4700 vs. CVE-2018-4300.

The CVE that was originally used for this issue was CVE-2018-4700. That CVE appeared in the upstream commit (see comment 8):

https://github.com/apple/cups/commit/b9ff93ce913ff633a3f667317e5a81fa7fe0d5d3

and it was also used in the CHANGES file in the fixed cups version 2.2.10. This CVE was used in Red Hat advisory RHSA-2020:1050 - see comment 14.

Some time later, Mitre made a query to upstream if CVE-2018-4700 was the right one to use here, or if CVE-2018-4300 should have been used instead:

https://github.com/apple/cups/issues/5561

which led to upstream amending the CHANGES file to list CVE-2018-4300 instead:

https://github.com/apple/cups/commit/35064a25961c2d874ce6e1e90d947ad59e9a78d6

This change was first included in version 2.2.12. The release announcement on GitHub for version 2.2.10 was retroactively updated to list CVE-2018-4300 as well:

https://github.com/apple/cups/releases/tag/v2.2.10

Note that the Release Notes page on cups.org currently lists CVE-2018-4700:

https://www.cups.org/doc/relnotes.html#020210

Mitre marked CVE-2018-4700 as rejected as a duplicate of CVE-2018-4300.
Statement: This vulnerability was originally assigned CVE-2018-4700, but after the publication of security errata the identifier was changed to CVE-2018-4300. Both identifiers refer to the same vulnerability. Since some sources use CVE-2018-4700 and others use CVE-2018-4300, Red Hat security advisories for this vulnerability have been amended to include both identifiers.