- cups
-
- Version upgrade to 2.4.19:
See https://github.com/openprinting/cups/releases
Release 2.4.19 contains another hotfix after CVE-2026-27447 fix:
* Fixed a regression in shared printing from non-local accounts
(Issue #1557)
Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.19
- Added 'Michael R Sweet' key to cups.keyring
because cups-2.4.19-source.tar.gz.sig belongs to him.
- Version upgrade to 2.4.18:
See https://github.com/openprinting/cups/releases
The new release 2.4.18 contains hotfix after CVE-2026-27447 fix:
* Fixed cupsd crash if user does not exist (Issue #1555)
Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.18
- Version upgrade to 2.4.17:
See https://github.com/openprinting/cups/releases
The new release 2.4.17 contains the following security fixes:
* CVE-2026-27447: The scheduler treated local user
and group names as case-insensitive (bsc#1261572)
* CVE-2026-34978: The RSS notifier could write outside
the scheduler's RSS directory (bsc#1261571)
* CVE-2026-34980: The scheduler did not filter control
characters from option values (bsc#1261569)
* CVE-2026-34979: The scheduler did not always allocate
enough memory for a job's options string (bsc#1261570)
* CVE-2026-34990: The scheduler incorrectly allowed
local certificates over the loopback interface (bsc#1261568)
* CVE-2026-39314: Fixed the range check for
job password strings (bsc#1261743)
* CVE-2026-39316: Fixed a printer subscription bug
in the scheduler (bsc#1261742)
* CVE-2026-41079: Fixed a SNMP string conversion bug
in the backends (bsc#1263116)
- The release includes other fixes as well, listed in CHANGES.md.
Issues are those at https://github.com/OpenPrinting/cups/issues
Detailed list (from CHANGES.md):
* The scheduler followed symbolic links when cleaning out
its temporary directory (Issue #1448)
* Updated `cupsFileGetConf` and `cupsFilePutConf` to escape
more characters.
* Updated man page `cancel` (Issue #984)
* Updated `cupsRasterReadHeader` to validate more of the
page header values (Issue #1501)
* Fixed an issue with the class/printer CGI name checking.
* Fixed infinite loop in `http_write()` on busy print servers
(Issue #827)
* Fixed potential TLS blocking issues (Issue #1128)
* Fixed a job history bug in the scheduler (Issue #1440)
* Fixed notifier logging bug that would result in nul bytes
getting into the log (Issue #1450)
* Fixed possible use-after-free in `cupsdReadClient()`
(Issue #1454)
* Fixed a document format bug in the IPP backend (Issue #1457)
* Fixed DRAIN_OUTPUT race condition (Issue #1461)
* Fixed a bug when then `ippFindXxx` and `ippSetXxx` functions
were mixed.
* Fixed the mapping of supply type keywords to SNMP names.
* Fixed a bug in the IPP backend when SNMP was disabled.
* Fixed a crash bug in the rastertoepson filter.
* Fixed a bug in cgiCheckVariables.
* Fixed handling read/write errors with OpenSSL (Issue #1506)
* Fixed handling rehandshake error in `_httpTLSRead`
(Issue #1508)
* Fixed a debug printf bug on Windows (Issue #1529)
* Fixed a recursion issue with encoding of nested collections
(Issue #1539)
* Fixed parsing of the `LimitRequestBody`, `MaxLogSize`,
and `MaxRequestSize` directives in "cupsd.conf" (Issue #1540)
* Fixed a parsing bug in `ipptool` (Issue #1542)
* Fixed blank line detection in the `rastertolabel` filter
(Issue #1545)
* Fixed `httpPeek` edge case on compressed streams
Issues are those at https://github.com/OpenPrinting/cups/issues
- Adapted downgrade-autoconf-requirement.patch for CUPS 2.4.17
- google-osconfig-agent
-
- Add CVE-2026-33186.patch to fix authorization bypass in grpc-go due to improper
validation of the HTTP/2 :path pseudo-header (bsc#1260264, CVE-2026-33186)
- google-sdk-container
-
n/a
- xz
-
- Fix buffer overflow in lzma_index_append (bsc#1261280, CVE-2026-34743)
* CVE-2026-34743.patch