upgrade.py in the hp-upgrade service in HP Linux Imaging and Printing
(HPLIP) 3.x through 3.13.11 launches a program from an http URL, which
allows man-in-the-middle attackers to execute arbitrary code by gaining
control over the client-server data stream.
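The flaw class described above is fetch-then-execute without authenticating the source or the content. The following is an added example, not HPLIP code: a gate that a downloader could pass before running anything it fetched. The function names, the example.invalid URLs and the idea of a SHA-256 pin shipped with the installed package are all assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit


class UntrustedInstaller(Exception):
    """The downloaded file must not be executed."""


def check_source_url(url):
    """Reject any download location that is not authenticated by TLS."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise UntrustedInstaller(f"refusing {parts.scheme or 'scheme-less'} URL; https required")
    if not parts.hostname:
        raise UntrustedInstaller("URL has no host")
    return parts.hostname


def verify_installer(url, payload, pinned_sha256):
    """Return the payload digest only if URL and content both check out.

    pinned_sha256 is assumed to ship inside the already-installed package,
    never to be fetched from the same server as the payload.
    """
    check_source_url(url)
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256.strip().lower()):
        raise UntrustedInstaller("SHA-256 mismatch; installer was altered or replaced")
    return actual


if __name__ == "__main__":
    # Constructed sample data: placeholder host and stand-in installer bytes.
    installer = b"#!/bin/sh\necho constructed installer\n"
    pin = hashlib.sha256(installer).hexdigest()
    cases = [
        ("http://downloads.example.invalid/hplip.run", installer),
        ("https://downloads.example.invalid/hplip.run", installer + b"# tampered"),
        ("https://downloads.example.invalid/hplip.run", installer),
    ]
    for url, body in cases:
        try:
            print("run   ", url, verify_installer(url, body, pin)[:16])
        except UntrustedInstaller as err:
            print("reject", url, "-", err)
```

The digest check is what protects the execution step; the scheme check alone only moves trust to the TLS endpoint.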
mdeslaur> Precise and earlier don't have the upgrade.py file.
mdeslaur> In Quantal, Raring, Saucy and Trusty, upgrade.py actually bails
mdeslaur> out because the specific Ubuntu version isn't marked as
mdeslaur> "supported" in distros.dat, so even if this script is run as
mdeslaur> root, it doesn't do anything, thankfully.
Updated: 2014-01-21 15:14:34 UTC (commit 7666)