Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2008-5184

Published: 21 November 2008

The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username when a user is not logged on to the web server, which makes it easier for remote attackers to bypass intended policy and conduct CSRF attacks via the (1) add and (2) cancel RSS subscription functions.

Notes

AuthorNote
mdeslaur
Only 1.3.x has rss subscriptions, so dapper is not vulnerable

Priority

Low

Status

Package Release Status
cups
Launchpad, Ubuntu, Debian
upstream Needs triage

dapper Does not exist

gutsy Does not exist

hardy Does not exist

intrepid Not vulnerable
(1.3.9-2ubuntu6)
Patches:
upstream: http://www.cups.org/strfiles/2774/str2774.patch
cupsys
Launchpad, Ubuntu, Debian
upstream Needs triage

dapper Not vulnerable
(1.2.2-0ubuntu0.6.06.11)
gutsy
Released (1.3.2-1ubuntu7.9)
hardy
Released (1.3.7-1ubuntu3.3)
intrepid Does not exist