
CVE-2010-2432

Published: 22 June 2010

The cupsDoAuthentication function in auth.c in the client in CUPS before 1.4.4, when HAVE_GSSAPI is omitted, does not properly handle a demand for authorization, which allows remote CUPS servers to cause a denial of service (infinite loop) via HTTP_UNAUTHORIZED responses.

Priority

Low

Status

Package | Release | Status
cups (Launchpad, Ubuntu, Debian) | Upstream | Released (1.4.4)
cupsys (Launchpad, Ubuntu, Debian) | Upstream | Released (1.4.4)

Notes

Author | Note
mdeslaur | hardy and more recent are compiled with HAVE_GSSAPI support, so we're not affected by this. Dapper doesn't seem to bail out after a certain number of renegotiation attempts. This may be a problem, need to investigate.
