Published: 22 June 2010
The cupsDoAuthentication function in auth.c in the client in CUPS before 1.4.4, when HAVE_GSSAPI is omitted, does not properly handle a demand for authorization, which allows remote CUPS servers to cause a denial of service (infinite loop) via HTTP_UNAUTHORIZED responses.
hardy and more recent are compiled with HAVE_GSSAPI support, so we're not affected by this. Dapper doesn't seem to bail out after a certain number of renegotiation attempts. This may be a problem, need to investigate.