Bug 96707 (CVE-2004-2154)

Summary: VUL-0: CVE-2004-2154: cups treats a Location directive as case sensitive
Product: [Novell Products] SUSE Security Incidents
Reporter: Klaus Singvogel <kssingvo>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2004-2154: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Klaus Singvogel 2005-07-14 21:19:11 UTC
I just noticed CAN-2004-2154, as it got fixed by RedHat today.
I think I never built any patches for this issue:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2154 
 
Please note that this affects cups versions before 1.1.19rc1 only.
This is the case for: SLES8, 8.2, 9.0 
 
So I wonder if we should really work on this issue, or include it later (= my favorite).
 
For SLES8 we started to make CUPS the default printing system, but LPRng was often
installed at customer sites instead.
 
Security-Team: need a decision on whether I should work on this.
Comment 1 Ludwig Nussel 2005-07-15 09:34:19 UTC
I guess you'd use those ACLs to restrict printing to trusted users/hosts. So 
since you can DoS the print system easily I'd vote for fixing it if it's 
simple to fix. 
Comment 2 Klaus Singvogel 2005-07-18 18:23:32 UTC
submitted fixed packages. 
 
security-team please handle rest of process. TIA 
 
Note for Security Summary Report: only 3 distributions are affected. 
Comment 3 Ludwig Nussel 2005-07-19 07:32:29 UTC
SM-Tracker-1816 
Comment 4 Ludwig Nussel 2005-08-05 13:21:41 UTC
updates released 
Comment 5 Thomas Biege 2009-10-13 20:14:18 UTC
CVE-2004-2154: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)