Alpine: cups: security update to 2.4.2-r3

high Tenable Self-Hosted Container Security Plugin ID 403941

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like
operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to
the logging service AFTER the connection has been closed, when it should have logged the data right
before. This is a use-after-free bug that impacts the entire cupsd process. The exact cause of this issue
is the function `httpClose(con->http)` being called in `scheduler/client.c`. The problem is that httpClose
always, provided its argument is not null, frees the pointer at the end of the call, only for
cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function `cupsdAcceptClient`
if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address
(HostNameLookups Double is set in `cupsd.conf`) which fails to resolve, or if CUPS is compiled with TCP
wrappers and the connection is refused by rules from `/etc/hosts.allow` and `/etc/hosts.deny`. Version
2.4.6 has a patch for this issue. (CVE-2023-34241)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-34241

Plugin Details

Severity: High

ID: 403941

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

CVSS v2

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 4.9

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:C

CVSS Score Source: CVE-2023-34241

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.4

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 6/22/2023

Reference Information

CVE: CVE-2023-34241