cups (2.4.10-3+deb13u2) trixie; urgency=high
* add 0018-cgi-Fix-checkbox-support-fixes.patch
Thanks to Elena ``of Valhalla'' for finding the upstream commit
and asking Simone Piccardi to confirm that it works now.
(Closes: #1109471)
-- Thorsten Alteholz <debian@alteholz.de> Wed, 05 Nov 2025 15:45:05 +0100
cups (2.4.10-3+deb13u1) trixie-security; urgency=high
* CVE-2025-58060
fix authentication bypass with AuthType Negotiate
* CVE-2025-58364
fix remote DoS via null dereference
-- Thorsten Alteholz <debian@alteholz.de> Sun, 07 Sep 2025 19:45:05 +0200
cups (2.4.10-3) unstable; urgency=medium
* Fix FTBFS with huge file limit due to testsuite timeouts after
changes in systemd (Closes: #1073046)
-- Thorsten Alteholz <debian@alteholz.de> Sun, 01 Jun 2025 13:45:05 +0200
cups (2.4.10-2) unstable; urgency=medium
[ Helge Kreutzmann ]
* Update German man page (2219t)
[ Thorsten Alteholz ]
* CVE-2024-47175
Fix CVE and upstream also added some extra hardening to patch
- validate URIs, attribute names, and capabilities
in cups/ppd-cache.c, scheduler/ipp.c
- sanitize make and model in cups/ppd-cache.c
- PPDize preset and template names in cups/ppd-cache.c
- quote PPD localized strings in cups/ppd-cache.c
- fix warnings in cups/ppd-cache.c
-- Thorsten Alteholz <debian@alteholz.de> Thu, 26 Sep 2024 23:45:05 +0200
cups (2.4.10-1) unstable; urgency=medium
* Update to new upstream version 2.4.10.
(Closes: #1073852) regression of fix for CVE-2024-35235
(Closes: #1074074) regression of fix for CVE-2024-35235
* /usr-merge fix (Closes: #1061245)
(Thanks a lot to Michael Biebl for the MR/patch)
-- Thorsten Alteholz <debian@alteholz.de> Sun, 23 Jun 2024 00:42:27 +0200
cups (2.4.7-3) unstable; urgency=medium
[ Helge Kreutzmann ]
* Update German man page (2220t)
[ Thorsten Alteholz ]
* reintroduce time_t changes that were accidentally deleted
with last upload
(thanks to Michael Hudson-Doyle for this work)
* debian/rules: no test on riscv64 (Closes: #1073046)
-- Thorsten Alteholz <debian@alteholz.de> Sat, 15 Jun 2024 22:16:49 +0200
cups (2.4.7-2) unstable; urgency=medium
* CVE-2024-35235 (Closes: #1073002)
fix domain socket handling
-- Thorsten Alteholz <debian@alteholz.de> Tue, 11 Jun 2024 22:16:49 +0200
cups (2.4.7-1) unstable; urgency=medium
* Update to new upstream version 2.4.7.
(Closes: #1039983 this should have been fixed in 2.4.3)
(Closes: #1041466 this should have been fixed in 2.4.3)
(Closes: #1043331 this should have been fixed in 2.4.3)
(Closes: #998004 this should have been fixed in 2.4.3)
(Closes: #1008053 this should have been fixed in 2.4.3)
(Closes: #1009146 this should have been fixed in 2.4.3)
(Closes: #1009147 this should have been fixed in 2.4.3)
* debian/watch: update watch file (Closes: #1043470)
(thanks a lot to t3b4in+2gxh764v647us@cs.email)
* debian/rules: switch on testing again
* debian/control: bump standard to 4.6.2 (no changes)
* debian/cups-daemon.NEWS: reword last entry (Closes: #1052419)
(thanks to IOhannes m zmoelnig)
* debian/local/apparmor-profile: add drop-in for cups-pdf as well
(Closes: #954974)
* Provide a cups.pc file. (Closes: #971625)
(thanks a lot to Helmut Grohne for the patch)
* update debian/*.lintian-overrides and use new syntax
-- Thorsten Alteholz <debian@alteholz.de> Fri, 06 Oct 2023 20:16:49 +0200
cups (2.4.2-6) unstable; urgency=medium
* CVE-2023-4504
Postscript parsing heap-based buffer overflow
* CVE-2023-32360 (Closes: #1051953)
authentication issue
-- Thorsten Alteholz <debian@alteholz.de> Tue, 19 Sep 2023 21:20:27 +0200
cups (2.4.2-5) unstable; urgency=medium
* CVE-2023-34241 (Closes: #1038885)
use-after-free in cupsdAcceptClient()
-- Thorsten Alteholz <debian@alteholz.de> Wed, 21 Jun 2023 22:30:27 +0200
cups (2.4.2-4) unstable; urgency=medium
* CVE-2023-32324
A heap buffer overflow vulnerability would allow a remote attacker to
lauch a dos attack.
-- Thorsten Alteholz <debian@alteholz.de> Wed, 31 May 2023 21:30:27 +0200
cups (2.4.2-3) unstable; urgency=medium
[ Helge Kreutzmann ]
* update translations (Closes: #1032833)
* add more translated man pages to binary packages (Closes: #1032621)
[ Thorsten Alteholz]
* fix typo in French translation
* debian/rules: remove link handling for manpages of cups-ipp-utils
-- Thorsten Alteholz <debian@alteholz.de> Sun, 26 Mar 2023 10:54:05 +0200
cups (2.4.2-2) unstable; urgency=medium
[ Helge Kreutzmann ]
* Update German man page (2220t)
[ Thorsten Alteholz]
* debian/control: add Recommends: avahi-daemon to cups-ipp-utils
(Closes: #904605)
* debian/manpage-po4a: add Portuguese translation
(Closes: #1001890)
* add ippevepcl and ippeveps (and manpages) to cups-ipp-utils
(Closes: #990410)
-- Thorsten Alteholz <debian@alteholz.de> Sun, 26 Feb 2023 12:54:05 +0100
cups (2.4.2-1) unstable; urgency=medium
* Update to new upstream version 2.4.2.
* debian/rules: temporarily deactivate tests
(one test fails due to only generating 4 of 14 expected warnings)
-- Thorsten Alteholz <debian@alteholz.de> Thu, 26 May 2022 12:54:05 +0200
cups (2.4.1op1-2) unstable; urgency=medium
* debian/rules: in latest cups version, root is no longer automatically
added to SystemGroup in cups-files.conf, so add
--with-system-groups="root lpadmin"
to configure step
(Closes: #1006849 #1006727 #876207)
-- Thorsten Alteholz <debian@alteholz.de> Mon, 07 Mar 2022 22:08:09 +0100
cups (2.4.1op1-1) unstable; urgency=medium
* new upstream release
* debian/patches/*: update and rebase
* debian/control: add myself to Uploaders:
* debian/copyright: remove unused BSD-3 license
* exlucde some newly generated files
* update symbols files
* move back to gbp based workflow
(git debrebase and dgit do not work in my world)
-- Thorsten Alteholz <debian@alteholz.de> Sun, 20 Feb 2022 20:08:09 +0100
cups (2.3.3op2-7) unstable; urgency=medium
[ Didier Raboud ]
* Remove myself from Uploaders
[ Roger Lynn ]
* Apparmor: allow CUPS to read /etc/letsencrypt/archive/ (Closes: #992378)
-- Didier Raboud <odyx@debian.org> Mon, 06 Sep 2021 12:08:09 +0200
cups (2.3.3op2-6) unstable; urgency=medium
* Migrate to unstable
* Packaging cleanup
- Update S-V to 4.6.0 without changes needed
- Remove 3 obsolete maintscript entries
-- Didier Raboud <odyx@debian.org> Tue, 24 Aug 2021 15:38:05 +0200
cups (2.3.3op2-5) experimental; urgency=low
* Backport 2 upstream USB backend fixes:
- Revert enforcing read limits (caused a regression with Lexmark filters)
- Use 60s timeout (instead of 250ms) for reading at backchannel, as some
older models malfunction if timeout is too short (Closes: #989073)
-- Didier Raboud <odyx@debian.org> Thu, 27 May 2021 09:07:26 +0200
cups (2.3.3op2-4) experimental; urgency=medium
[ Helge Kreutzmann ]
* Update German man page (2212t)
[ Didier Raboud ]
* Reorder and cleanup patch queue by replacing some by upstream's
* Drop ancient symlink handling in preinsts (Closes: #986165)
-- Didier Raboud <odyx@debian.org> Wed, 31 Mar 2021 08:56:11 +0200
cups (2.3.3op2-3+deb11u1) unstable; urgency=medium
* Backport 2 upstream USB backend fixes:
- Revert enforcing read limits (caused a regression with Lexmark filters)
- Use 60s timeout (instead of 250ms) for reading at backchannel, as some
older models malfunction if timeout is too short (Closes: #989073)
-- Didier Raboud <odyx@debian.org> Thu, 27 May 2021 08:49:36 +0200
cups (2.3.3op2-3) unstable; urgency=medium
[ Helge Kreutzmann ]
* Update German man page (2212t)
[ Didier Raboud ]
* Wrap-and-sort -baskt, keep comments
* Let cups.1 point to client.conf.5, not client.conf.7 (Closes: #982303)
* Make CUPS reproducible by patching it to;
- skip the httpAddrGetHostname() test (that fails under reprotest)
- skip the stp tests if ran as root, without aborting
- run testlang for each provided CUPS locale only
-- Didier Raboud <odyx@debian.org> Fri, 12 Feb 2021 14:09:29 +0100
cups (2.3.3op2-2) unstable; urgency=medium
* Bump debhelper compat to 13, document not-installed files
-- Didier Raboud <odyx@debian.org> Wed, 03 Feb 2021 13:13:18 +0100
cups (2.3.3op2-1) unstable; urgency=medium
* New OpenPrinting 2.3.3op2 release
- CVE-2020-10001: Fixed a buffer (read) overflow in the `ippReadIO`
function
- Drop 4 patches merged upstream
* Update d/copyright authors and years
-- Didier Raboud <odyx@debian.org> Tue, 02 Feb 2021 21:20:06 +0100
cups (2.3.3op1-7) unstable; urgency=medium
[ Helmut Grohne ]
* Reduce Build-Depends, move dh_apparmor to B-D-A (Closes: #980104)
-- Didier Raboud <odyx@debian.org> Fri, 15 Jan 2021 12:11:30 +0100
cups (2.3.3op1-6) unstable; urgency=medium
[ Till Kamppeter ]
* In the AppArmor profile, allow cupsd to write to /run/systemd/notify to
notify that it is up and running (systemd service type "notify")
-- Didier Raboud <odyx@debian.org> Mon, 11 Jan 2021 08:31:58 +0100
cups (2.3.3op1-5) unstable; urgency=medium
* Update Homepage and Source fields to point
https://github.com/OpenPrinting/cups/ as Debian's using the OpenPrinting
(friendly) fork (Closes: #979461)
-- Didier Raboud <odyx@debian.org> Fri, 08 Jan 2021 11:35:18 +0100
cups (2.3.3op1-4) unstable; urgency=medium
* Drop ancient manual link-doc setting in cups-bsd.postinst
* Let cups.service start after nslcd.service (Closes: #977198)
-- Didier Raboud <odyx@debian.org> Wed, 23 Dec 2020 14:53:09 +0100
cups (2.3.3op1-3) unstable; urgency=medium
[ Helge Kreutzmann ]
* Update German man page (2211t)
[ Didier Raboud ]
* Patch configure scripts to fix FTBFS on freebsd-gnu systems
-- Didier Raboud <odyx@debian.org> Fri, 04 Dec 2020 10:32:55 +0100
cups (2.3.3op1-2) unstable; urgency=medium
* Backport upstream "Force a 5 second sleep to wait for the job control file
to be written" patch, to address s390x test suite timing issue
-- Didier Raboud <odyx@debian.org> Sat, 28 Nov 2020 16:50:59 +0100
cups (2.3.3op1-1) unstable; urgency=medium
* Use OpenPrinting CUPS fork instead of Apple's codebase
- Update d/upstream/metadata, d/watch
- d/upstream/signing-key.asc: Swap Apple's with Michael R Sweet's
* Large patch-suite cleanup thanks to lots of Debian proposals merged
upstream; from 40 to 9;
- Reorder (upstream-mergeable first, Debian-specific later)
- Reword and refresh metadata for the last patches
* Set Debian customizations in d/rules instead of patches;
- Set --with-max-log-size=0
- Set --enable-sync-on-close
- Set --with-error-policy=retry-job
* Packaging cleanup;
- Drop the Debian-specific systemd units' renaming, now upstream
- Drop pre-oldstable postinst ConfigFilePerm handling
- Add missing BSD-2-Clause block in debian/copyright
- Convert debian/po files to UTF-8
- Drop --as-needed as it's now default in Debian
- Drop Ubuntu-specific patch handling, in favour of compile-time option
for --disable-browsing
- Bump S-V to 4.5.1 without changes needed
- Use debian/main as head branch; update d/gbp.conf accordingly
- Drop outdated d/source/options
* Refresh manpage translation pofiles for 2.3.3op1
-- Didier Raboud <odyx@debian.org> Fri, 27 Nov 2020 17:27:21 +0100
cups (2.3.3-4) unstable; urgency=medium
* Drop Ubuntu "Make lpoptions list a printer's options correctly also when
CUPS is running on an alternative port" patch, refused upstream
(Closes: #970725)
* Use upstream-merged patches for fax numbers' fix and rastertopwg rounding
-- Didier Raboud <odyx@debian.org> Tue, 24 Nov 2020 08:49:46 +0100
cups (2.3.3-3) unstable; urgency=medium
[ Didier Raboud ]
* Set lintian overrides for non-changeable upstream choices
* Add missing Build-Depends-Package in symbols' files
[ Till Kamppeter ]
* Resolve DNS-SD-service-name-based URIs correctly also if they are
from a service from localhost (like IPP-over-USB, Printer
Application, ...)
* Make lpoptions list a printer's options correctly also when CUPS is
running on an alternative port
* Fix fax numbers supplied via GTK print dialog, removing a "Custom."
prefix; do not choke if the GTK dialog sends "None" as phone number
or pre-dial prefix
* Let the rastertopwg filter check rounding errors when calculating
the page geometry
-- Didier Raboud <odyx@debian.org> Thu, 03 Sep 2020 09:27:04 +0200
cups (2.3.3-2) unstable; urgency=medium
* Add missing dh-strip-nondeterminism B-D
* cups-daemon: Add ipp-usb Recommends
-- Didier Raboud <odyx@debian.org> Thu, 03 Sep 2020 08:54:55 +0200
cups (2.3.3-1) unstable; urgency=medium
* New 2.3.3 upstream release, with the two -12 security patches
-- Didier Raboud <odyx@debian.org> Fri, 01 May 2020 15:28:22 +0200
cups (2.3.1-12) unstable; urgency=medium
* Backport two security patches
- CVE-2020-3898: heap-buffer-overflow in libcups’s ppdFindOption()
function in ppd-mark.c
- CVE-2019-8842: The `ippReadIO` function may under-read an extension
field
-- Didier Raboud <odyx@debian.org> Sat, 25 Apr 2020 16:13:13 +0200
cups (2.3.1-11) unstable; urgency=medium
* CI Tests: fix cups-basiccommands:
- swap awk with sed;
- filter stderr away from known errors
- add missing cups-bsd depends to test lpr commands
-- Didier Raboud <odyx@debian.org> Mon, 24 Feb 2020 19:40:39 +0100
cups (2.3.1-10) unstable; urgency=medium
* Add Requires=cups.socket to cups.service, to make sure they start in
the right order
* CI Tests: Add a test for all CUPS' basic commands, thanks to RedHat
* Add Pre-Depends: ${misc:Pre-Depends} to cups-daemon to fix
skip-systemd-native-flag-missing-pre-depends lintian flag
* Add patch proposal from RedHat to fix leakage of ppd (Issue: #5738)
-- Didier Raboud <odyx@debian.org> Mon, 24 Feb 2020 12:25:39 +0100
cups (2.3.1-9) unstable; urgency=medium
* CI Tests: Ensure the job files are non-empty; should detect more
regressions
-- Didier Raboud <odyx@debian.org> Sat, 22 Feb 2020 17:19:46 +0100
cups (2.3.1-8) unstable; urgency=medium
* Add patch to fix cupsctl when loading cupsd.conf (Issue: #5744)
-- Didier Raboud <odyx@debian.org> Sat, 22 Feb 2020 14:34:48 +0100
cups (2.3.1-7) unstable; urgency=medium
* Add patch to fix conversion of PPD InputSlot choice names; this should fix
printers ignoring the paper tray selection (Issue: #5740, Closes: #949315)
* lintian-brush:
- Set upstream metadata fields: Bug-Database, Repository, Repository-Browse
- Rewrap some d/changelog entries
-- Didier Raboud <odyx@debian.org> Mon, 17 Feb 2020 09:19:56 +0100
cups (2.3.1-6) unstable; urgency=medium
* Patch test suite to also ignore 'Job held' lines in error_log line
counting
-- Didier Raboud <odyx@debian.org> Sat, 08 Feb 2020 11:52:44 +0100
cups (2.3.1-5) unstable; urgency=medium
* Move towards driverless-centered installation:
- Drop all printer-driver-* and hplip recommends/suggests
* Cleanup all versions from pre- Debian stable
* Bump S-V to 4.5.0 without changes needed
-- Didier Raboud <odyx@debian.org> Fri, 07 Feb 2020 17:08:48 +0100
cups (2.3.1-4) unstable; urgency=medium
* Cleanup patch queue for cups' bts URLs and patch names
* Update README.Debian to remove leftover SystemdIdleExit references
-- Didier Raboud <odyx@debian.org> Thu, 30 Jan 2020 20:35:47 +0100
cups (2.3.1-2) unstable; urgency=medium
* Drop pwg-raster-attributes.patch
* Amend 2.3.1-1 changelog entry to add missing Ubuntu package drop and CVE
bug closure
-- Didier Raboud <odyx@debian.org> Sun, 26 Jan 2020 15:23:24 +0100
cups (2.3.1-1) unstable; urgency=medium
[ Didier Raboud ]
* New 2.3.1 upstream release:
- CVE-2019-2228: The `ippSetValuetag` function did not validate the
default language value (Closes: #946782)
[ Steve Langasek ]
* On Ubuntu i386, drop cups and cups-core-drivers (Closes: #947185)
[ Helge Kreutzmann ]
* Update German man page (2207t)
-- Didier Raboud <odyx@debian.org> Tue, 24 Dec 2019 13:02:06 +0100
cups (2.3.0-7) unstable; urgency=medium
* Packaging cleanup:
- Set upstream metadata fields: Repository
- Rely on pre-initialized dpkg-architecture variables
- Fix day-of-week for changelog entries 1.0.1-1
- Bump Standards-Version to 4.4.1 without changes needed
- Replace dh-exec usage with manual renaming in debian/rules
-- Didier Raboud <odyx@debian.org> Wed, 06 Nov 2019 08:57:40 +0100
cups (2.3.0-6) unstable; urgency=medium
[ Didier Raboud ]
* Tests-drivers: Cleanup output
[ intrigeri ]
* AppArmor: support cups-pdf "Out" directory pointing to almost anywhere
below $HOME (Closes: #940578)
-- Didier Raboud <odyx@debian.org> Thu, 31 Oct 2019 08:44:29 +0100
cups (2.3.0-5) unstable; urgency=medium
* Let the test-drivers script stop waiting when a filter is allegedly
failed, and give context
-- Didier Raboud <odyx@debian.org> Sat, 21 Sep 2019 09:41:44 +0200
cups (2.3.0-4) unstable; urgency=medium
[ Helge Kreutzmann ]
* Update German man page (2197t)
-- Didier Raboud <odyx@debian.org> Fri, 20 Sep 2019 15:03:47 +0200
cups (2.3.0-3) unstable; urgency=low
* Fix autopkgtests for real; refactor lpadmin stderr filtering
-- Didier Raboud <odyx@debian.org> Fri, 06 Sep 2019 09:32:07 +0200
cups (2.3.0-2) unstable; urgency=low
[ Helge Kreutzmann ]
* Update German man page (2100t58f39u)
[ Didier Raboud ]
* Fix autopkgtest by filtering away known stderr messages
-- Didier Raboud <odyx@debian.org> Thu, 05 Sep 2019 09:33:20 +0200
cups (2.3.0-1) unstable; urgency=low
* New 2.3.0 upstream release, to unstable
- CVE-2019-8696 and CVE-2019-8675: Fixed SNMP buffer overflows
- Fixed IPP buffer overflow
- Fixed memory disclosure and DoS issues in the scheduler
- CUPS is now provided under the Apache License, Version 2.0, with a
GPL2/LGPL2 exception
* Rewrite debian/copyright with the above license change, install the
NOTICE file
* Refresh manpage translations
* Refresh upstream metadata
* Bump S-V to 4.4 without changes needed
-- Didier Raboud <odyx@debian.org> Mon, 02 Sep 2019 13:19:18 +0200
cups (2.3~rc1-2) experimental; urgency=medium
* Merge 2.2.12-1 from unstable
* Add missing colon in closes line.
* Set upstream metadata fields: Contact, Name.
* Bump debhelper from old 11 to 12.
-- Didier Raboud <odyx@debian.org> Sun, 18 Aug 2019 16:58:09 +0200
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog libcups2t64`.
Generated by dwww version 1.16 on Tue Dec 16 11:18:21 CET 2025.