PublicDateAtUSN: 2009-11-09
Candidate: CVE-2009-2820
PublicDate: 2009-11-10 19:30:00 UTC
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2820
 https://ubuntu.com/security/notices/USN-856-1
Description:
 The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before
 10.6.2 and other platforms, does not properly handle (1) HTTP headers and
 (2) HTML templates, which allows remote attackers to conduct cross-site
 scripting (XSS) attacks and HTTP response splitting attacks via vectors
 related to (a) the product's web interface, (b) the configuration of the
 print system, and (c) the titles of printed jobs, as demonstrated by an XSS
 attack that uses the kerberos parameter to the admin program, and leverages
 attribute injection and HTTP Parameter Pollution (HPP) issues.
Ubuntu-Description: 
Notes: 
Bugs: 
Priority: medium
Discovered-by:
Assigned-to: 
CVSS: 

Patches_cups:
upstream_cups: released (1.4.2)
dapper_cups: DNE
gutsy_cups: DNE
hardy_cups: DNE
intrepid_cups: released (1.3.9-2ubuntu9.3)
jaunty_cups: released (1.3.9-17ubuntu3.4)
karmic_cups: released (1.4.1-5ubuntu2.1)
devel_cups: not-affected (1.4.2-1git1)

Patches_cupsys:
upstream_cupsys: released (1.4.2)
dapper_cupsys: released (1.2.2-0ubuntu0.6.06.15)
gutsy_cupsys: needed
hardy_cupsys: released (1.3.7-1ubuntu3.6)
intrepid_cupsys: DNE
jaunty_cupsys: DNE
karmic_cupsys: DNE
devel_cupsys: DNE