RHBA-2015:1346 - Bug Fix Advisory

Topic

Updated cups packages that fix several bugs and add two enhancements are now
available for Red Hat Enterprise Linux 6.

Description

The Common UNIX Printing System (CUPS) provides a portable printing layer for
Linux, UNIX, and similar operating systems.

This update fixes the following bugs:

• Incorrect reference for PageLogFormat in HTML documentation has been

corrected, and PageLogFormat documentation is now accessible. (BZ#951553)

• Documentation for the operation of the CUPS Line Printer Daemon back-end

"sanitize_title" option has been amended and now describes the option clearly.
(BZ#988062)

• Due to a problem with HTTP multipart handling in the CUPS scheduler, some

browsers did not work as expected when attempting to add a printer using the web
interface. A change from a later version has been backported enabling adding
printers in all browsers without problems. (BZ#1145064, BZ#1178370)

• It was not possible to disable Secure Sockets Layer (SSLv3) and keep other

secure protocols enabled in CUPS. This left CUPS users vulnerable to the POODLE
attack (CVE-2014-3566), and needing to deploy the stunnel utility for
mitigation. This update disables SSLv3 support by default. For users who need to
continue using SSLv3, an SSLOptions configuration directive has been added to
the cupsd.conf file for the cupsd service and to the client.conf file for the
client programs. (BZ#1161171)

• When the BrowsePoll configuration directive was used and the remote server

configured for polling forbade access, the cups-polld process retried accessing
immediately in a busy loop. The process consumed all processor time and
increased network traffic. With this update, a mandatory delay of ten seconds
has been introduced to prevent that. Affected users should also fix their
configuration by removing the BrowsePoll line for the server, or adjusting the
server to allow remote queries. (BZ#1164854)

• The CUPS scheduler incorrectly assumed the print queue still existed when

there were only implicit classes with all members deleted due to being
unresponsive. When sending a job using separate Create-Job and Send-Document
requests to an implicit class whose members were being deleted, the CUPS
scheduler terminated unexpectedly with a NULL dereference. The scheduler has
been amended to respond with an error instead of crashing in this case.
(BZ#1170002)

• A missing NULL check in job processing code caused the CUPS scheduler to

terminate unexpectedly when a job with more than one file aborted due to a
filter failure. This update adds the check to prevent the CUPS scheduler from
crashing in the described situation. (BZ#1187840)

• The ErrorPolicy configuration directive was not validated on startup, and an

unintended default error policy could be used without a warning. The directive
is now validated on startup and reset to the default if the configured value is
incorrect. The intended policy is used, or a warning message is logged.
(BZ#1196217)

• Due to an incomplete fix in a prior update, some environment variables were

not correctly set on startup, which led to SELinux denials. The remainder of the
original fix has been added, and the variables are now set correctly on startup.
(BZ#1198394)

In addition, this update adds these enhancements:

• It is now possible to direct jobs to a single printer with failover to other

printers instead of using load balancing among printers that is built into CUPS.
Jobs can be directed to the first working printer of a set, the preferred
printer, with other printers used only if the preferred one is unavailable.
(BZ#1115219)

• Description of the ErrorPolicy directive with supported values has been added

to the cupsd.conf(5) man page. The ErrorPolicy directive defines the default
policy used when a back end is unable to send a print job to the printer.
(BZ#1120587)

Users of CUPS are advised to upgrade to these updated packages, which fix these
bugs and add these enhancements. After installing this update, the cupsd service
will be restarted automatically.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Users affected by BZ#1164854 should additionally fix their configuration by
removing the BrowsePoll line for their remote server configured for polling, or
by adjusting the server to allow remote queries.

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x

Fixes

• BZ - 988062 - CUPS LPD backend sanitize_title does not operate as documented
• BZ - 1145064 - CUPS Web UI "Administration" Drop down does not function in Google Chrome
• BZ - 1161171 - cups can't disable SSLv3
• BZ - 1164854 - When access is restricted, cups-polld retries polling multiple times per second
• BZ - 1196217 - Global "ErrorPolicy" option does not get validate by cups

CVEs

(none)

References

(none)