[Oraclevm-errata] OVMSA-2014-0035 Moderate: Oracle VM 3.3 cups security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Tue Nov 4 09:38:04 PST 2014

Oracle VM Security Advisory OVMSA-2014-0035

The following updated rpms for Oracle VM 3.3 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- Revert change to whitelist /rss/ resources, as this was not used

- More STR #4461 fixes from upstream: make rss feeds world-readable,
   but cachedir private.
- Fix icon display in web interface during server restart (STR #4475).

- Fixes for upstream patch for STR #4461: allow /rss/ requests for
   files we created.

- Use upstream patch for STR #4461.

- Applied upstream patch to fix CVE-2014-5029 (bug #1122600),
   CVE-2014-5030 (bug #1128764), CVE-2014-5031 (bug #1128767).
- Fix conf/log file reading for authenticated users (STR #4461).

- Fix CGI handling (STR #4454, bug #1120419).

- fix patch for CVE-2014-3537 (bug #1117794)

- CVE-2014-2856: cross-site scripting flaw (bug #1117798)
- CVE-2014-3537: insufficient checking leads to privilege escalation 
(bug #1117794)

- Removed package description changes.

- Applied patch to fix 'Bad request' errors as a result of adding in
   httpSetTimeout (STR #4440, also part of svn revision 9967).

- Fixed timeout issue with cupsd reading when there is no data ready
   (bug #1110045).

- Fixed synconclose patch to avoid 'too many arguments for format' warning.
- Fixed settimeout patch to include math.h for fmod declaration.

- Fixed typo preventing web interface from changing driver (bug #1104483,
   STR #3601).
- Fixed SyncOnClose patch (bug #984883).

- Use upstream patch to avoid replaying GSS credentials (bug #1040293).

- Prevent BrowsePoll problems across suspend/resume (bug #769292):
   - Eliminate indefinite wait for response (svn revision 9688).
   - Backported httpSetTimeout API function from CUPS 1.5 and use it in
     the ipp backend so that we wait indefinitely until the printer
     responds, we get a hard error, or the job is cancelled.
   - cups-polld: reconnect on error.
- Added new SyncOnClose directive to use fsync() after altering
   configuration files: defaults to "Yes". Adjust in cupsd.conf (bug 
- Fix cupsctl man page typo (bug #1011076).
- Use more portable rpm specfile syntax for conditional php building
   (bug #988598).
- Fix SetEnv directive in cupsd.conf (bug #986495).
- Fix 'collection' attribute sending (bug #978387).
- Prevent format_log segfault (bug #971079).
- Prevent stringpool corruption (bug #884851).
- Don't crash when job queued for printer that times out (bug #855431).
- Upstream patch for broken multipart handling (bug #852846).
- Install /etc/cron.daily/cups with correct permissions (bug #1012482).

- Fixes for jobs with multiple files and multiple formats (bug #972242).

- Applied patch to fix CVE-2012-5519 (privilege escalation for users
   in SystemGroup or with equivalent polkit permission).  This prevents
   HTTP PUT requests with paths under /admin/conf/ other than that for
   cupsd.conf, and also prevents such requests altering certain
   configuration directives such as PageLog and FileDevice (bug #875898).

More information about the Oraclevm-errata mailing list