Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <debian-devel-changes@lists.debian.org>
Subject: Accepted cups 2.4.17-1 (source) into unstable
Date: Sun, 19 Apr 2026 18:05:20 +0000
Signed by: Thorsten Alteholz <alteholz@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 Apr 2026 10:46:38 +0200
Source: cups
Architecture: source
Version: 2.4.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Closes: 1060378 1066044 1096002 1100755 1107877 1117347 1121563 1125990 1129212 1131868 1132502 1132716 1132961 1133183 1133184
Changes:
 cups (2.4.17-1) unstable; urgency=medium
 .
   [ Helge Kreutzmann ]
     * Update German man page (2229t). Closes: #1117347, #1121563
 .
   [ Thorsten Alteholz ]
   * Update to new upstream version 2.4.17.
   * CVE-2026-39314 (Closes: #1133184)
     fix integer underflow in `_ppdCreateFromIPP` causes root cupsd crash
     via negative `job-password-supported`
   * CVE-2026-39316 (Closes: #1133183)
     fix use-after-free in `cupsdDeleteTemporaryPrinters` via dangling
     subscription pointer
   * CVE-2026-34990 (Closes: #1132716)
     fix local print admin token disclosure using temporary printers
   * CVE-2026-34980 (Closes: #1132716)
     fix shared PostScript queue lets anonymous Print-Job requests
     reach `lp` code execution over the network
   * CVE-2026-34979 (Closes: #1132716)
     fix heap overflow in `get_options()`
   * CVE-2026-34978 (Closes: #1132716)
     fix path traversal in RSS notify-recipient-uri enables file write outside
     CacheDir/rss (and clobbering of job.cache)
   * CVE-2026-27447 (Closes: #1132716)
     fix authorization bypass via case-insensitive group-member lookup
   * no known CVE yet, requested from Github
     fix heap out-of-bounds read in SNMP supply-level polling leaks
     stack memory to authenticated users
   * debian/*links: adapt path to libcups2t64 (Closes: #1066044)
   * debian/local/apparmor-profile:
     - allow read access to /etc/shells (Closes: #1107877)
     - allow read access to / (Closes: #1129212)
                              (Closes: #1132502)
                              (Closes: #1125990)
     - allow read access to /etc/paperspecs (Closes: #1096002)
                                            (Closes: #1131868)
                                            (Closes: #1100755)
     - allow read access to /etc/magic (Closes: #1100755)
     - add capability net_admin (Closes: #1132961)
                                (Closes: #1060378)
     - Thanks a lot to everybody who helped debugging these issues!
   * Thanks to Vincent Blut and Jérémy Lal who provided merge requests
     on salsa to one or the other issue above.
   * group lpadmin is now handled by systemd-sysusers
     (thanks to Luca Boccassi for adding this)
Checksums-Sha1:
 996efa8f1e85ebe2d3bcf7adbcf10d36c2fbe2e0 3445 cups_2.4.17-1.dsc
 df7b18ec92ffcd48e598b60d4501f2dc8a6eb9f6 8161554 cups_2.4.17.orig.tar.gz
 bb14edc8a0c8314a43cc08b2f8ee5ce2b7a77239 228 cups_2.4.17.orig.tar.gz.asc
 be22834d1f846164bae73acb0fde0057050fff58 387924 cups_2.4.17-1.debian.tar.xz
 28e7ee9583aaf68c196ddb0d8df883c37ce79464 13693 cups_2.4.17-1_amd64.buildinfo
Checksums-Sha256:
 4c879c6e1ea5fdce491a78f9e8ed1fb6fd7c5f5534b0d6c3cf9902522c58631d 3445 cups_2.4.17-1.dsc
 89c703238de210d4f4f4e5d4269e3d60c4b2f487aad75a8a1eaecd659e4d0b77 8161554 cups_2.4.17.orig.tar.gz
 d17416aae8a630bd048839422d35d2e7649c8df2a75348b911315e3b09236bdc 228 cups_2.4.17.orig.tar.gz.asc
 3b43a7d1ef84dfa2a96ffd2491b86fa96d09306a82b7d979387f1fb3963c1759 387924 cups_2.4.17-1.debian.tar.xz
 abde7de345e1106c9701a68ac7869ee9362a578663f0ed9a880e855644f57dd2 13693 cups_2.4.17-1_amd64.buildinfo
Files:
 4e443e7433107a1db7999e187b1d08fb 3445 net optional cups_2.4.17-1.dsc
 173b05aaa9f7aac593934ae452aa56b3 8161554 net optional cups_2.4.17.orig.tar.gz
 e179855035fea6c780ab511e10530488 228 net optional cups_2.4.17.orig.tar.gz.asc
 a2a2d4425f9243e6b79c23036f50b7eb 387924 net optional cups_2.4.17-1.debian.tar.xz
 07a278aa36e6e5fb3bfb3f121820883b 13693 net optional cups_2.4.17-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKnBAEBCgCRFiEEYgH7/9u94Hgi6ruWlvysDTh7WEcFAmnlFTJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYy
MDFGQkZGREJCREUwNzgyMkVBQkI5Njk2RkNBQzBEMzg3QjU4NDcTHGRlYmlhbkBh
bHRlaG9sei5kZQAKCRCW/KwNOHtYR+GiD/wNK/pkf3HolYXkk2Yea59LYYr4HZ3Z
grVyWlyChum5Vt/QYtl1/1jnzX35oHsK4fEMRRRkQQQFdxAlePgLZ5c9N2/10jPG
cq20KChuPDk/vSe0eatMQa3BowFoAhSE3alSYshzuJRK4Czf+Guwq4gL551sTsGF
C2bMo6TxYWHCtiZSDesYOmdMc1qlAWbYdY8bSzX31pKfgXVnDqBSYt6ifv2gKK44
0H0esnU6c4IU3QHX7iDsS5K34GLJfUbIRYrSBCgXhgMUJMskYtu6Za/OJkQhnYCa
6xFf0f4llbDVqhz0jE/Gz2mThvyIWTuZIdXLyjtl+TVglXB6cdOrsC6AhplS5IDb
B0zVQo/KxWa9dXbp+cDc06uARvkWiUWWBK0DBaKRB7MeXP3xEUKROpgiU0hdBgCZ
lVfDkjL1IRCejBTJA6mDtfcxcRkN2jzNlP25/AIh/N2xeB1OEZQlyoAsLtsDfXyI
fRO/uP5m765AlHW/P+15LLWWOk+99Y5PizHjWPfMBnizzm6FF4mZGE29N7B+mJ1p
r0MGwKWLZffNuGQgSfDYpeNWuTl4Kd0ge5c8Yyion+Z9gm/KzSbVzsJmuTi0zV3y
pFOdj3X4Yu0GzvoY+t/5zmXSvj+6rNzcsbF1LolZOfnw3rupmsRe6+mpDWnwl49R
RmRtuJo36TkiKQ==
=vKnf
-----END PGP SIGNATURE-----
News for package cups
