This update for cups fixes the following issues:
Update to version 2.4.16.
Security issues fixed:
- CVE-2025-61915: local denial-of-service via cupsd.conf update and related issues (bsc#1253783).
- CVE-2025-58436: slow client communication leads to a possible DoS attack (bsc#1244057).
- CVE-2025-58364: unsafe deserialization and validation of printer attributes can cause a null dereference (bsc#1249128).
- CVE-2025-58060: authentication bypass with AuthType Negotiate (bsc#1249049).
Other updates and bugfixes:
- Version upgrade to 2.4.16:
  - 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences, potentially reading past the end of the source string (Issue #1438)
  - The web interface did not support domain usernames fully (Issue #1441)
  - Fixed an infinite loop issue in the GTK+ print dialog (Issue #1439 boo#1254353)
  - Fixed stopping scheduler on unknown directive in configuration (Issue #1443)
  - Fixed packages for Immutable Mode (jsc#PED-14775 from epic jsc#PED-14688)
- Version upgrade to 2.4.15:
  - Fixed potential crash in 'cups-driverd' when there are duplicate PPDs (Issue #1355)
  - Fixed error recovery when scanning for PPDs in 'cups-driverd' (Issue #1416)
- Version upgrade to 2.4.14.
- Version upgrade to 2.4.13:
  - Added 'print-as-raster' printer and job attributes for forcing rasterization (Issue #1282)
  - Updated documentation (Issue #1086)
  - Updated IPP backend to try a sanitized user name if the printer/server does not like the value (Issue #1145)
  - Updated the scheduler to send the "printer-added" or "printer-modified" events whenever an IPP Everywhere PPD is installed (Issue #1244)
  - Updated the scheduler to send the "printer-modified" event whenever the system default printer is changed (Issue #1246)
  - Fixed a memory leak in 'httpClose' (Issue #1223)
  - Fixed missing commas in 'ippCreateRequestedArray' (Issue #1234)
  - Fixed subscription issues in the scheduler...