PublicDateAtUSN: 2014-04-18
Candidate: CVE-2014-2856
PublicDate: 2014-04-18 14:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2856
 http://www.openwall.com/lists/oss-security/2014/04/15
 https://ubuntu.com/security/notices/USN-2172-1
Description:
 Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common
 Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject
 arbitrary web script or HTML via the URL path, related to the
 is_path_absolute function.
Ubuntu-Description:
Notes:
 mdeslaur> successfully reproduced on lucid+
 mdeslaur> patch in bug is what's in 1.7.2
Bugs:
 http://www.cups.org/str.php?L4356
Priority: medium
Discovered-by: Alex Korobkin
Assigned-to: mdeslaur
CVSS:

Patches_cups:
 upstream: http://www.cups.org/strfiles.php/3268/str4356.patch
upstream_cups: released (1.7.2)
lucid_cups: released (1.4.3-1ubuntu1.11)
precise_cups: released (1.5.3-0ubuntu8.2)
quantal_cups: released (1.6.1-0ubuntu11.6)
saucy_cups: released (1.7.0~rc1-0ubuntu5.3)
trusty_cups: released (1.7.2-0ubuntu1)
trusty/esm_cups: DNE (trusty was released [1.7.2-0ubuntu1])
devel_cups: released (1.7.2-0ubuntu1)
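The description above names the bug class (a request path reflected into the scheduler's HTML output without being neutralised) and the function involved (is_path_absolute), but the tracker entry does not carry the patch itself. The following C program is an added illustration written for this page; it is not CUPS's code and does not reproduce the upstream str4356.patch. It shows the two layers a practitioner would expect around a reflected request path: a validator that requires an absolute, traversal-free path and rejects markup-significant characters outright, and an HTML escaper applied to anything that is still echoed into an error page. The function names, the exact rejected character set and the error-page template are assumptions made for the example.

```c
/*
 * Added example for CVE-2014-2856 (not CUPS source): validate a request
 * path before it can be reflected into an HTML response, and escape it
 * when it is. Names and the rejected character set are assumptions.
 */
#include <stdio.h>
#include <string.h>

/* Return 1 if `path` is absolute, contains no "." or ".." components and
 * no control or HTML/attribute-significant characters; otherwise 0.
 * Rejecting '<', '>', '"', '\'' and '&' up front means a rejected path can
 * never be echoed back as working markup even if a later code path
 * forgets to escape it. */
int path_is_safe(const char *path)
{
    const char *p;

    if (path == NULL || path[0] != '/')
        return 0;                               /* must be absolute */

    for (p = path; *p; p++) {
        if (*p == '/') {                        /* look at the next component */
            if (p[1] == '.' && (p[2] == '/' || p[2] == '\0'))
                return 0;                       /* "/./" or trailing "/." */
            if (p[1] == '.' && p[2] == '.' && (p[3] == '/' || p[3] == '\0'))
                return 0;                       /* "/../" or trailing "/.." */
        }
        if ((unsigned char)*p < 0x20 || (unsigned char)*p == 0x7f ||
            strchr("<>\"'&", *p) != NULL)
            return 0;                           /* control or markup char */
    }
    return 1;
}

/* HTML-escape `in` into `out` (capacity outsz). Returns 0 on success and
 * -1 if the escaped text would not fit (out is then an empty string).
 * Defence in depth: applied to any text placed in a response body. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0)
        return -1;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        size_t l;

        switch (*in) {
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '&':  rep = "&amp;";  break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = one;      break;
        }
        l = strlen(rep);
        if (n + l >= outsz) {                   /* leave room for the NUL */
            out[0] = '\0';
            return -1;
        }
        memcpy(out + n, rep, l);
        n += l;
    }
    out[n] = '\0';
    return 0;
}

/* Build an error page body that echoes the rejected path. The vulnerable
 * pattern is the same snprintf with the raw `path` in place of `esc`. */
int error_page(const char *path, char *buf, size_t sz)
{
    char esc[512];

    if (html_escape(path, esc, sizeof esc) < 0)
        return -1;
    return snprintf(buf, sz, "<p>Not found: %s</p>", esc) < (int)sz ? 0 : -1;
}

/* Test helpers: 1 if the escaped/rendered text equals `expected`. */
int escape_matches(const char *in, const char *expected)
{
    char out[256];
    return html_escape(in, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}

int page_matches(const char *path, const char *expected)
{
    char page[1024];
    return error_page(path, page, sizeof page) == 0 && strcmp(page, expected) == 0;
}

int main(void)
{
    /* constructed sample paths, not captured traffic */
    const char *tests[] = { "/printers/lp0", "relative", "/a/../etc",
                            "/<script>alert(1)</script>" };
    char page[1024];
    size_t i;

    for (i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-30s safe=%d\n", tests[i], path_is_safe(tests[i]));
    if (error_page(tests[3], page, sizeof page) == 0)
        puts(page);
    return 0;
}
```

The validator is deliberately stricter than a pure "is it absolute" test: once the path is known to contain no markup characters, the escaper in error_page is a second, independent barrier, so either layer alone blocks the reflected script described in the CVE text.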