Your submission was sent successfully! Close

CVE-2009-0164

Published: 24 April 2009

The web interface for CUPS before 1.3.10 does not validate the HTTP Host header in a client request, which makes it easier for remote attackers to conduct DNS rebinding attacks.

Priority

Low

Status

Package Release Status
cups
Launchpad, Ubuntu, Debian 		Upstream
Released (1.3.10)
cupsys
Launchpad, Ubuntu, Debian 		Upstream Needs triage

Notes

AuthorNote
kees 
cups/CVE-2009-0164.patch
jdstrand 
patch is large, could break existing configurations if the
auto-discovery of alternate names does not work (eg, with CNAMES), and
requires a coordinated attack. The vulnerability appears to be mostly
information leakage, but might also allow starting and stopping of
printers. An attacker trying to perform actions via the web interface should
be challenged by the authentication system. The new ServerAlias directive
will be a part of 1.3.10.

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading