cups-filters: remove support for legacy CUPS browsing and for LDAP
Fixes CVE-2024-47176 and CVE-2024-47850. NixOS is not affected by these security issues by default because we do not ship the default configuration file, so it falls back to `BrowseRemoteProtocols dnssd`. 631/udp is removed from the open firewall ports; it was used by the CUPS browsing protocol.
parent
5edc9a24b0
commit
16caf1231b
@ -494,6 +494,8 @@
|
||||
|
||||
- The `xdg.portal.gtkUsePortal` option has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`.
|
||||
|
||||
- Support for the legacy CUPS browsing and LDAP have been removed from `services.printing`. If `cups` or `ldap` are in the `BrowseRemoteProtocols` setting in `services.printing.browsedConf`, it needs to be removed.
|
||||
|
||||
- The `services.trust-dns` module has been renamed to `services.hickory-dns`.
|
||||
|
||||
- The option `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since
|
||||
|
@ -184,8 +184,8 @@ in
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to open the firewall for TCP/UDP ports specified in
|
||||
listenAdrresses option.
|
||||
Whether to open the firewall for TCP ports specified in
|
||||
listenAddresses option.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -493,7 +493,6 @@ in
|
||||
listenPorts = parsePorts cfg.listenAddresses;
|
||||
in mkIf cfg.openFirewall {
|
||||
allowedTCPPorts = listenPorts;
|
||||
allowedUDPPorts = listenPorts;
|
||||
};
|
||||
|
||||
};
|
||||
|
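Review bot: Nothing in this module catches a `services.printing.browsedConf` that still lists `cups` or `ldap` under `BrowseRemoteProtocols`; the release note leaves that cleanup to the user, and the firewall block here only stops adding `listenPorts` to `allowedUDPPorts`. A `warnings` or `assertions` entry that fires when `cfg.browsedConf` still names one of the removed protocols, with a message such as `services.printing.browsedConf: BrowseRemoteProtocols no longer accepts cups or ldap`, would surface stale configuration at evaluation time. How the patched cups-browsed treats those values is not visible on this page, so confirm whether it rejects or silently ignores them before choosing between a warning and a hard assertion. The enclosing `config` block starts outside the hunk.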
@ -18,6 +18,7 @@
|
||||
, liblouis
|
||||
, libpng
|
||||
, makeWrapper
|
||||
, autoreconfHook
|
||||
, mupdf
|
||||
, perl
|
||||
, pkg-config
|
||||
@ -53,9 +54,14 @@ stdenv.mkDerivation rec {
|
||||
url = "https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3d20c109332d14672a807353cdc551018.patch";
|
||||
hash = "sha256-MXWllrdWt8n7zqvumQNg34dBgWMwMTwf9lrD+ZZP8Wk=";
|
||||
})
|
||||
(fetchpatch {
|
||||
name = "remove-cups-ldap-browse-protocols_CVE-2024-47176_CVE-2024-47850.patch";
|
||||
url = "https://github.com/OpenPrinting/cups-filters/commit/6fd2bdfbdce76149af531ce9fca9062304238451.patch";
|
||||
hash = "sha256-XS1ODy7i7ilgEjsKuEvOUiRN9pqsj+bOktKoshKcg8Q=";
|
||||
})
|
||||
];
|
||||
|
||||
nativeBuildInputs = [ pkg-config makeWrapper ];
|
||||
nativeBuildInputs = [ pkg-config makeWrapper autoreconfHook ];
|
||||
|
||||
buildInputs = [
|
||||
cups
|
||||
|
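Review bot: `autoreconfHook` is added to `nativeBuildInputs` without a comment saying why, so it is likely to outlive the patch that needs it. Presumably the backported commit touches the autotools inputs and the build has to regenerate `configure`; a line such as `# autoreconfHook is only needed for the CVE-2024-47176/CVE-2024-47850 patch; drop both on the next cups-filters release` above `nativeBuildInputs` would record that. The `patches` list and `buildInputs` both extend outside the hunk.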