The cupsDoAuthentication function in auth.c in the client in CUPS before
1.4.4, when HAVE_GSSAPI is omitted, does not properly handle a demand for
authorization, which allows remote CUPS servers to cause a denial of
service (infinite loop) via HTTP_UNAUTHORIZED responses.
mdeslaur> hardy and more recent are compiled with HAVE_GSSAPI support, so
mdeslaur> we're not affected by this. Dapper doesn't seem to bail out
mdeslaur> after a certain number of renegotiation attempts. This may be
mdeslaur> a problem, need to investigate.
Updated: 2015-07-29 20:38:43 UTC (commit 9756)