A denial of service issue has been found in CUPS browsing. The CUPS BTS has decent information: http://www.cups.org/str.php?L863

This issue is supposed to be fixed in the release candidate which is to go out on 20040824.
This issue should also affect FC1
So is this embargoed, or do we just need to get packages out as soon after 1.1.21rc2 as possible? Do we know what upstream patch has been applied? The STR attachment was rejected by Mike Sweet, wasn't it?
This affects:
Red Hat Enterprise Linux 3
Fedora Core 1
Fedora Core 2
This issue is embargoed until Sep 06.
Removing embargo
Not sure if this is the same issue but fc3test3's cupsd loads the cpu after being scanned with nessus 2.2.0.

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2195 root      25   0  7812 2124 6152 R 96.8  0.8  27:14.96 cupsd

Maybe irrelevant but log says:

E [05/Nov/2004:14:31:45 -0800] Bad request line "^V^C^A" from localhost!
E [05/Nov/2004:14:31:45 -0800] Bad request line "^V^C" from localhost!
I [05/Nov/2004:14:32:08 -0800] Started "/usr/lib/cups/cgi-bin/classes.cgi" (pid=3620)
I [05/Nov/2004:14:32:12 -0800] Started "/usr/lib/cups/cgi-bin/jobs.cgi" (pid=3623)
I [05/Nov/2004:14:32:13 -0800] Started "/usr/lib/cups/cgi-bin/printers.cgi" (pid=3624)
E [05/Nov/2004:14:32:20 -0800] Bad URI "c:\boot.ini" in request!
E [05/Nov/2004:14:32:22 -0800] Bad request line "Secure * Secure-HTTP/1.4" from localhost!
E [05/Nov/2004:14:32:24 -0800] Bad URI "?osCsid=%22%3E%3Ciframe%20src=foo%3E%3C/iframe%3E" in request!
E [05/Nov/2004:14:32:25 -0800] Bad operation "get"!
E [05/Nov/2004:14:32:25 -0800] Bad URI "HTTP/1.1" in request!
This was actually fixed by FEDORA-2004-275