Oracle Linux 6 : cups (ELSA-2014-1388)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote Oracle Linux host is missing one or more security updates.

Description :

From Red Hat Security Advisory 2014:1388 :

Updated cups packages that fix multiple security issues and several
bugs are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

CUPS provides a portable printing layer for Linux, UNIX, and similar
operating systems.

A cross-site scripting (XSS) flaw was found in the CUPS web interface.
An attacker could use this flaw to perform a cross-site scripting
attack against users of the CUPS web interface. (CVE-2014-2856)

It was discovered that CUPS allowed certain users to create symbolic
links in certain directories under /var/cache/cups/. A local user with
the 'lp' group privileges could use this flaw to read the contents of
arbitrary files on the system or, potentially, escalate their
privileges on the system. (CVE-2014-3537, CVE-2014-5029,
CVE-2014-5030, CVE-2014-5031)

The CVE-2014-3537 issue was discovered by Francisco Alonso of Red Hat
Product Security.

These updated cups packages also include several bug fixes. Space
precludes documenting all of these changes in this advisory. Users are
directed to the Red Hat Enterprise Linux 6.6 Technical Notes, linked
to in the References section, for information on the most significant
of these changes.

All cups users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing
this update, the cupsd daemon will be restarted automatically.

See also :

https://oss.oracle.com/pipermail/el-errata/2014-October/004527.html

Solution :

Update the affected cups packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Oracle Linux Local Security Checks

Nessus Plugin ID: 78522 ()

Bugtraq ID: 66788
68788
68842
68846
68847

CVE ID: CVE-2014-2856
CVE-2014-3537
CVE-2014-5029
CVE-2014-5030
CVE-2014-5031

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now