Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH] package/cups: security bump to v2.4.17
@ 2026-04-20 19:55 Thomas Perale via buildroot
  2026-04-20 20:57 ` Julien Olivain via buildroot
  2026-05-04 14:47 ` Thomas Perale via buildroot
  0 siblings, 2 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2026-04-20 19:55 UTC (permalink / raw)
  To: buildroot; +Cc: Angelo Compagnucci, Olivier Schonken

For more information about the release, see:

- https://github.com/OpenPrinting/cups/releases/tag/v2.4.17
- https://github.com/OpenPrinting/cups/blob/2.4.x/CHANGES.md

The new release 2.4.17 contains the following security fixes:

- CVE-2026-27447: The scheduler treated local user and group names as
  case-insensitive.
  https://www.cve.org/CVERecord?id=CVE-2026-27447

- CVE-2026-34978: The RSS notifier could write outside the scheduler's
  RSS directory.
  https://www.cve.org/CVERecord?id=CVE-2026-34978

- CVE-2026-34979: The scheduler did not always allocate enough memory
  for a job's options string.
  https://www.cve.org/CVERecord?id=CVE-2026-34979

- CVE-2026-34980: The scheduler did not filter control characters from
  option values.
  https://www.cve.org/CVERecord?id=CVE-2026-34980

- CVE-2026-34990: The scheduler incorrectly allowed local certificates
  over the loopback interface.
  https://www.cve.org/CVERecord?id=CVE-2026-34990

- CVE-2026-39314: Fixed the range check for job password strings.
  https://www.cve.org/CVERecord?id=CVE-2026-39314

- CVE-2026-39316: Fixed a printer subscription bug in the scheduler.
  https://www.cve.org/CVERecord?id=CVE-2026-39316

- CVE-2026-41079: Fixed a SNMP string conversion bug in the backends.
  https://www.cve.org/CVERecord?id=CVE-2026-41079

Also updated patch offsets.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch | 2 +-
 package/cups/0004-Remove-PIE-flags-from-the-build.patch        | 2 +-
 package/cups/cups.hash                                         | 2 +-
 package/cups/cups.mk                                           | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch b/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch
index 30c3ddb48f..3c00bb1b49 100644
--- a/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch
+++ b/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch
@@ -18,7 +18,7 @@ diff --git a/config-scripts/cups-common.m4 b/config-scripts/cups-common.m4
 index 613f01ddf..6f1bcb07e 100644
 --- a/config-scripts/cups-common.m4
 +++ b/config-scripts/cups-common.m4
-@@ -462,7 +462,7 @@ LIBHEADERS="\$(COREHEADERS) \$(DRIVERHEADERS)"
+@@ -467,7 +467,7 @@ LIBHEADERS="\$(COREHEADERS) \$(DRIVERHEADERS)"
  LIBHEADERSPRIV="\$(COREHEADERSPRIV) \$(DRIVERHEADERSPRIV)"
  
  AS_CASE(["$COMPONENTS"], [all], [
diff --git a/package/cups/0004-Remove-PIE-flags-from-the-build.patch b/package/cups/0004-Remove-PIE-flags-from-the-build.patch
index e4081d0e07..82251d0fec 100644
--- a/package/cups/0004-Remove-PIE-flags-from-the-build.patch
+++ b/package/cups/0004-Remove-PIE-flags-from-the-build.patch
@@ -23,7 +23,7 @@ diff --git a/Makedefs.in b/Makedefs.in
 index 0d8df733b..2560c0c36 100644
 --- a/Makedefs.in
 +++ b/Makedefs.in
-@@ -156,7 +156,7 @@ ALL_CXXFLAGS	=	-I.. -D_CUPS_SOURCE $(CXXFLAGS) \
+@@ -154,7 +154,7 @@ ALL_CXXFLAGS	=	-I.. -D_CUPS_SOURCE $(CXXFLAGS) \
  			$(ONDEMANDFLAGS) $(OPTIONS)
  ALL_DSOFLAGS	=	-L../cups @ARCHFLAGS@ @RELROFLAGS@ $(DSOFLAGS) $(OPTIM)
  ALL_LDFLAGS	=	-L../cups @LDARCHFLAGS@ @RELROFLAGS@ $(LDFLAGS)  \
diff --git a/package/cups/cups.hash b/package/cups/cups.hash
index 7c08a68c10..e421c6457b 100644
--- a/package/cups/cups.hash
+++ b/package/cups/cups.hash
@@ -1,4 +1,4 @@
 # Locally calculated:
-sha256  0339587204b4f9428dd0592eb301dec0bf9ea6ea8dce5d9690d56be585aba92d  cups-2.4.16-source.tar.gz
+sha256  89c703238de210d4f4f4e5d4269e3d60c4b2f487aad75a8a1eaecd659e4d0b77  cups-2.4.17-source.tar.gz
 sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE
 sha256  977206f041b9a6f47ac00531e1242c0fab7063da71178f8d868b167b70866b6d  NOTICE
diff --git a/package/cups/cups.mk b/package/cups/cups.mk
index d3e6094c67..f79e3846df 100644
--- a/package/cups/cups.mk
+++ b/package/cups/cups.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-CUPS_VERSION = 2.4.16
+CUPS_VERSION = 2.4.17
 CUPS_SOURCE = cups-$(CUPS_VERSION)-source.tar.gz
 CUPS_SITE = https://github.com/OpenPrinting/cups/releases/download/v$(CUPS_VERSION)
 CUPS_LICENSE = Apache-2.0 with GPL-2.0/LGPL-2.0 exception
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/cups: security bump to v2.4.17
  2026-04-20 19:55 [Buildroot] [PATCH] package/cups: security bump to v2.4.17 Thomas Perale via buildroot
@ 2026-04-20 20:57 ` Julien Olivain via buildroot
  2026-05-04 14:47 ` Thomas Perale via buildroot
  1 sibling, 0 replies; 3+ messages in thread
From: Julien Olivain via buildroot @ 2026-04-20 20:57 UTC (permalink / raw)
  To: Thomas Perale; +Cc: buildroot, Angelo Compagnucci, Olivier Schonken

On 20/04/2026 21:55, Thomas Perale via buildroot wrote:
> For more information about the release, see:
> 
> - https://github.com/OpenPrinting/cups/releases/tag/v2.4.17
> - https://github.com/OpenPrinting/cups/blob/2.4.x/CHANGES.md
> 
> The new release 2.4.17 contains the following security fixes:
> 
> - CVE-2026-27447: The scheduler treated local user and group names as
>   case-insensitive.
>   https://www.cve.org/CVERecord?id=CVE-2026-27447
> 
> - CVE-2026-34978: The RSS notifier could write outside the scheduler's
>   RSS directory.
>   https://www.cve.org/CVERecord?id=CVE-2026-34978
> 
> - CVE-2026-34979: The scheduler did not always allocate enough memory
>   for a job's options string.
>   https://www.cve.org/CVERecord?id=CVE-2026-34979
> 
> - CVE-2026-34980: The scheduler did not filter control characters from
>   option values.
>   https://www.cve.org/CVERecord?id=CVE-2026-34980
> 
> - CVE-2026-34990: The scheduler incorrectly allowed local certificates
>   over the loopback interface.
>   https://www.cve.org/CVERecord?id=CVE-2026-34990
> 
> - CVE-2026-39314: Fixed the range check for job password strings.
>   https://www.cve.org/CVERecord?id=CVE-2026-39314
> 
> - CVE-2026-39316: Fixed a printer subscription bug in the scheduler.
>   https://www.cve.org/CVERecord?id=CVE-2026-39316
> 
> - CVE-2026-41079: Fixed a SNMP string conversion bug in the backends.
>   https://www.cve.org/CVERecord?id=CVE-2026-41079
> 
> Also updated patch offsets.
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to master, thanks.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH] package/cups: security bump to v2.4.17
  2026-04-20 19:55 [Buildroot] [PATCH] package/cups: security bump to v2.4.17 Thomas Perale via buildroot
  2026-04-20 20:57 ` Julien Olivain via buildroot
@ 2026-05-04 14:47 ` Thomas Perale via buildroot
  1 sibling, 0 replies; 3+ messages in thread
From: Thomas Perale via buildroot @ 2026-05-04 14:47 UTC (permalink / raw)
  To: Thomas Perale; +Cc: buildroot

In reply of:
> For more information about the release, see:
> 
> - https://github.com/OpenPrinting/cups/releases/tag/v2.4.17
> - https://github.com/OpenPrinting/cups/blob/2.4.x/CHANGES.md
> 
> The new release 2.4.17 contains the following security fixes:
> 
> - CVE-2026-27447: The scheduler treated local user and group names as
>   case-insensitive.
>   https://www.cve.org/CVERecord?id=CVE-2026-27447
> 
> - CVE-2026-34978: The RSS notifier could write outside the scheduler's
>   RSS directory.
>   https://www.cve.org/CVERecord?id=CVE-2026-34978
> 
> - CVE-2026-34979: The scheduler did not always allocate enough memory
>   for a job's options string.
>   https://www.cve.org/CVERecord?id=CVE-2026-34979
> 
> - CVE-2026-34980: The scheduler did not filter control characters from
>   option values.
>   https://www.cve.org/CVERecord?id=CVE-2026-34980
> 
> - CVE-2026-34990: The scheduler incorrectly allowed local certificates
>   over the loopback interface.
>   https://www.cve.org/CVERecord?id=CVE-2026-34990
> 
> - CVE-2026-39314: Fixed the range check for job password strings.
>   https://www.cve.org/CVERecord?id=CVE-2026-39314
> 
> - CVE-2026-39316: Fixed a printer subscription bug in the scheduler.
>   https://www.cve.org/CVERecord?id=CVE-2026-39316
> 
> - CVE-2026-41079: Fixed a SNMP string conversion bug in the backends.
>   https://www.cve.org/CVERecord?id=CVE-2026-41079
> 
> Also updated patch offsets.
> 
> Signed-off-by: Thomas Perale <thomas.perale@mind.be>

Applied to 2025.02.x & 2026.02.x. Thanks

> ---
>  package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch | 2 +-
>  package/cups/0004-Remove-PIE-flags-from-the-build.patch        | 2 +-
>  package/cups/cups.hash                                         | 2 +-
>  package/cups/cups.mk                                           | 2 +-
>  4 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch b/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch
> index 30c3ddb48f..3c00bb1b49 100644
> --- a/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch
> +++ b/package/cups/0001-Remove-man-from-BUILDDIRS-in-configure.patch
> @@ -18,7 +18,7 @@ diff --git a/config-scripts/cups-common.m4 b/config-scripts/cups-common.m4
>  index 613f01ddf..6f1bcb07e 100644
>  --- a/config-scripts/cups-common.m4
>  +++ b/config-scripts/cups-common.m4
> -@@ -462,7 +462,7 @@ LIBHEADERS="\$(COREHEADERS) \$(DRIVERHEADERS)"
> +@@ -467,7 +467,7 @@ LIBHEADERS="\$(COREHEADERS) \$(DRIVERHEADERS)"
>   LIBHEADERSPRIV="\$(COREHEADERSPRIV) \$(DRIVERHEADERSPRIV)"
>   
>   AS_CASE(["$COMPONENTS"], [all], [
> diff --git a/package/cups/0004-Remove-PIE-flags-from-the-build.patch b/package/cups/0004-Remove-PIE-flags-from-the-build.patch
> index e4081d0e07..82251d0fec 100644
> --- a/package/cups/0004-Remove-PIE-flags-from-the-build.patch
> +++ b/package/cups/0004-Remove-PIE-flags-from-the-build.patch
> @@ -23,7 +23,7 @@ diff --git a/Makedefs.in b/Makedefs.in
>  index 0d8df733b..2560c0c36 100644
>  --- a/Makedefs.in
>  +++ b/Makedefs.in
> -@@ -156,7 +156,7 @@ ALL_CXXFLAGS	=	-I.. -D_CUPS_SOURCE $(CXXFLAGS) \
> +@@ -154,7 +154,7 @@ ALL_CXXFLAGS	=	-I.. -D_CUPS_SOURCE $(CXXFLAGS) \
>   			$(ONDEMANDFLAGS) $(OPTIONS)
>   ALL_DSOFLAGS	=	-L../cups @ARCHFLAGS@ @RELROFLAGS@ $(DSOFLAGS) $(OPTIM)
>   ALL_LDFLAGS	=	-L../cups @LDARCHFLAGS@ @RELROFLAGS@ $(LDFLAGS)  \
> diff --git a/package/cups/cups.hash b/package/cups/cups.hash
> index 7c08a68c10..e421c6457b 100644
> --- a/package/cups/cups.hash
> +++ b/package/cups/cups.hash
> @@ -1,4 +1,4 @@
>  # Locally calculated:
> -sha256  0339587204b4f9428dd0592eb301dec0bf9ea6ea8dce5d9690d56be585aba92d  cups-2.4.16-source.tar.gz
> +sha256  89c703238de210d4f4f4e5d4269e3d60c4b2f487aad75a8a1eaecd659e4d0b77  cups-2.4.17-source.tar.gz
>  sha256  cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30  LICENSE
>  sha256  977206f041b9a6f47ac00531e1242c0fab7063da71178f8d868b167b70866b6d  NOTICE
> diff --git a/package/cups/cups.mk b/package/cups/cups.mk
> index d3e6094c67..f79e3846df 100644
> --- a/package/cups/cups.mk
> +++ b/package/cups/cups.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>  
> -CUPS_VERSION = 2.4.16
> +CUPS_VERSION = 2.4.17
>  CUPS_SOURCE = cups-$(CUPS_VERSION)-source.tar.gz
>  CUPS_SITE = https://github.com/OpenPrinting/cups/releases/download/v$(CUPS_VERSION)
>  CUPS_LICENSE = Apache-2.0 with GPL-2.0/LGPL-2.0 exception
> -- 
> 2.53.0
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-04 14:47 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-20 19:55 [Buildroot] [PATCH] package/cups: security bump to v2.4.17 Thomas Perale via buildroot
2026-04-20 20:57 ` Julien Olivain via buildroot
2026-05-04 14:47 ` Thomas Perale via buildroot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox