My impression so far is that the risk to "leaf nodes" of the internet
(ones behind routers provided by ISPs, and including firewalls and
NATting) ***should*** be minimal - as UDP port 631 should be blocked by
default (if not, the ISP needs kicking), and no one in their right mind
would expose it via a port-forwarding hole through the firewall. At
least, I can't imagine a valid reason for doing so.
I'll bet that there was a lot of frantic disabling and removing of
cups-browsed last night, by the admins of servers in the guts of the
internet. (So glad I retired last year :) )
It occurs to me that the biggest risk to internet end-users would be if
a hacker managed to log in as a non-privileged user. This hole would
probably be a relatively easy way to escalate privileges.
It's certainly a very big and nasty hole. It'll be very interesting to
see what can be done to patch it. Presumably it will involve making
cups-browsed be much more picky about verifying the nature of things
that connect to it.
On Fri, 2024-09-27 at 11:38 -0300, altoid via Dng wrote:
> Hello:
>
> On 27 Sep 2024 at 14:40, Johan Helsingius via Dng wrote:
>
> > In view of the CUPS vulnerability ...
> For the moment (and from what *I* have undesrtood) it would seem that
> disabling / uninstalling [cups-browsed] would be enough.
>
> Yes?
>
> Also, you may want to consider a 'wait and see' period till Linuxland
> can evaluate what the eventual fix/patch brings along.
>
> Of course, the above if you *need* network printing, but if not ...
> ... does CUPS actually represent a problem?
>
> Best,
>
> A.
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng