CVE-2017-18190 (retired)

Priority
Description
A localhost.localdomain whitelist entry in valid_host() in
scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute
arbitrary IPP commands by sending POST requests to the CUPS daemon in
conjunction with DNS rebinding. The localhost.localdomain name is often
resolved via a DNS server (neither the OS nor the web browser is
responsible for ensuring that localhost.localdomain is 127.0.0.1).
Assigned-to
chrisccoulson
Package
Source: cups (LP Ubuntu Debian)
Upstream:released (2.2.2)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):released (1.7.2-0ubuntu1.9)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.1.3-4ubuntu0.4)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (2.2.6-5)
Patches:
Upstream:https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41
More Information

Updated: 2019-03-26 12:25:28 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)