Author: Bin Li
Revision Date: 2017-03-07 06:11:18 UTC

Init version from 16.04

Author: Didier Raboud
Revision Date: 2014-01-03 18:42:39 UTC

* New 1.7.0 upstream release

[ Till Kamppeter ]
* Refresh most patches with quilt
* Removed usb-backend-do-not-crash-if-usb-disabled-in-bios and
  cupsd-no-crash-on-avahi-threaded-poll-shutdown patches as they got
  applied upstream
* Removed drop-arch-specifics-from-doc patch as it is not needed
  anymore
* Updated drop_unnecessary_dependencies, manpage-hyphen-minus,
  manpage-translations and ppd-poll-with-client-conf patches manually
  to apply to the new CUPS version
* Added error counting exception from
  usb-backend-do-not-crash-if-usb-disabled-in-bios to
  tests-ignore-warnings
* Install the newly added ippfind utility and its manpage in
  cups-client
* Added pwg.h to libcups2-dev package
* Call dh_auto_clean only if the file Makedefs is present, to avoid a
  FTBFS
* Added color management extensions from Joe Simon's GSoC 2013
  project.
* Patch cups-files.conf to activate CUPS daemon syncing of files when
  closing, so that config files (like printers.conf) do not
  mysteriously disappear (LP: #1157972)
* In the AppArmor profile, allow execution of programs in
  /etc/cups/interfaces/, needed to make CUPS working with queues based
  on System V interface scripts, especially PPD-less queues
  auto-generated by cups-browsed from cups-filters 1.0.41 on.
* Silenced AppArmor noise from udev.conf in syslog (LP: #1229766)

[ Steve Langasek ]
* Add cups-filters (>= 1.0.42) as alternative to foomatic-filters
  (which is deprecated) in package relationships

[ Didier Raboud ]
* Remove Roger Leigh from uploaders on his request with thanks for his
  past work!
* Switch avahi LSB Should-Start dependency to be avahi-daemon; also
  bump package relationship to >= 0.6.31-3~ (Closes: #731608)
* Refresh the manpage translation files
* Move the USB backend quirk rules file to cups-server-common
* Add 38 new 1.7.0 libcups2 symbols
* Mark one C++ libcupsppdc1 symbol as optional as it isn't exported in
  1.7.0 anymore
* Import Fedora patches:
  - to avoid sign-extending CRCs in gz decompression
  - to build with full read-only relocations
  - to fix job history logging (upstream patch)
  - to set the internal default for SyncOnClose to Yes, instead of
    only configuring it to Yes
  - to fix a stringpool corruption issue
  - to prevent USB timeouts causing incorrect print output
* Import Fedora patch updates:
  - to dont-use-dbus-from-two-threads patch so it removes a call to
    avahi_threaded_poll_stop()
  - to avoid_stale_lockfile_in_dbus_notifier patch to call _exit when
    handling SIGTERM
* Move manpage-translations patch at the very end of the patch series
  to have it include all our patches

Author: Didier Raboud
Revision Date: 2014-01-03 18:42:39 UTC

* New 1.7.0 upstream release

[ Till Kamppeter ]
* Refresh most patches with quilt
* Removed usb-backend-do-not-crash-if-usb-disabled-in-bios and
  cupsd-no-crash-on-avahi-threaded-poll-shutdown patches as they got
  applied upstream
* Removed drop-arch-specifics-from-doc patch as it is not needed
  anymore
* Updated drop_unnecessary_dependencies, manpage-hyphen-minus,
  manpage-translations and ppd-poll-with-client-conf patches manually
  to apply to the new CUPS version
* Added error counting exception from
  usb-backend-do-not-crash-if-usb-disabled-in-bios to
  tests-ignore-warnings
* Install the newly added ippfind utility and its manpage in
  cups-client
* Added pwg.h to libcups2-dev package
* Call dh_auto_clean only if the file Makedefs is present, to avoid a
  FTBFS
* Added color management extensions from Joe Simon's GSoC 2013
  project.
* Patch cups-files.conf to activate CUPS daemon syncing of files when
  closing, so that config files (like printers.conf) do not
  mysteriously disappear (LP: #1157972)
* In the AppArmor profile, allow execution of programs in
  /etc/cups/interfaces/, needed to make CUPS working with queues based
  on System V interface scripts, especially PPD-less queues
  auto-generated by cups-browsed from cups-filters 1.0.41 on.
* Silenced AppArmor noise from udev.conf in syslog (LP: #1229766)

[ Steve Langasek ]
* Add cups-filters (>= 1.0.42) as alternative to foomatic-filters
  (which is deprecated) in package relationships

[ Didier Raboud ]
* Remove Roger Leigh from uploaders on his request with thanks for his
  past work!
* Switch avahi LSB Should-Start dependency to be avahi-daemon; also
  bump package relationship to >= 0.6.31-3~ (Closes: #731608)
* Refresh the manpage translation files
* Move the USB backend quirk rules file to cups-server-common
* Add 38 new 1.7.0 libcups2 symbols
* Mark one C++ libcupsppdc1 symbol as optional as it isn't exported in
  1.7.0 anymore
* Import Fedora patches:
  - to avoid sign-extending CRCs in gz decompression
  - to build with full read-only relocations
  - to fix job history logging (upstream patch)
  - to set the internal default for SyncOnClose to Yes, instead of
    only configuring it to Yes
  - to fix a stringpool corruption issue
  - to prevent USB timeouts causing incorrect print output
* Import Fedora patch updates:
  - to dont-use-dbus-from-two-threads patch so it removes a call to
    avahi_threaded_poll_stop()
  - to avoid_stale_lockfile_in_dbus_notifier patch to call _exit when
    handling SIGTERM
* Move manpage-translations patch at the very end of the patch series
  to have it include all our patches

Author: Didier Raboud
Revision Date: 2014-01-03 18:42:39 UTC

* New 1.7.0 upstream release

[ Till Kamppeter ]
* Refresh most patches with quilt
* Removed usb-backend-do-not-crash-if-usb-disabled-in-bios and
  cupsd-no-crash-on-avahi-threaded-poll-shutdown patches as they got
  applied upstream
* Removed drop-arch-specifics-from-doc patch as it is not needed
  anymore
* Updated drop_unnecessary_dependencies, manpage-hyphen-minus,
  manpage-translations and ppd-poll-with-client-conf patches manually
  to apply to the new CUPS version
* Added error counting exception from
  usb-backend-do-not-crash-if-usb-disabled-in-bios to
  tests-ignore-warnings
* Install the newly added ippfind utility and its manpage in
  cups-client
* Added pwg.h to libcups2-dev package
* Call dh_auto_clean only if the file Makedefs is present, to avoid a
  FTBFS
* Added color management extensions from Joe Simon's GSoC 2013
  project.
* Patch cups-files.conf to activate CUPS daemon syncing of files when
  closing, so that config files (like printers.conf) do not
  mysteriously disappear (LP: #1157972)
* In the AppArmor profile, allow execution of programs in
  /etc/cups/interfaces/, needed to make CUPS working with queues based
  on System V interface scripts, especially PPD-less queues
  auto-generated by cups-browsed from cups-filters 1.0.41 on.
* Silenced AppArmor noise from udev.conf in syslog (LP: #1229766)

[ Steve Langasek ]
* Add cups-filters (>= 1.0.42) as alternative to foomatic-filters
  (which is deprecated) in package relationships

[ Didier Raboud ]
* Remove Roger Leigh from uploaders on his request with thanks for his
  past work!
* Switch avahi LSB Should-Start dependency to be avahi-daemon; also
  bump package relationship to >= 0.6.31-3~ (Closes: #731608)
* Refresh the manpage translation files
* Move the USB backend quirk rules file to cups-server-common
* Add 38 new 1.7.0 libcups2 symbols
* Mark one C++ libcupsppdc1 symbol as optional as it isn't exported in
  1.7.0 anymore
* Import Fedora patches:
  - to avoid sign-extending CRCs in gz decompression
  - to build with full read-only relocations
  - to fix job history logging (upstream patch)
  - to set the internal default for SyncOnClose to Yes, instead of
    only configuring it to Yes
  - to fix a stringpool corruption issue
  - to prevent USB timeouts causing incorrect print output
* Import Fedora patch updates:
  - to dont-use-dbus-from-two-threads patch so it removes a call to
    avahi_threaded_poll_stop()
  - to avoid_stale_lockfile_in_dbus_notifier patch to call _exit when
    handling SIGTERM
* Move manpage-translations patch at the very end of the patch series
  to have it include all our patches

Author: Didier Raboud
Revision Date: 2014-01-03 18:42:39 UTC

* New 1.7.0 upstream release

[ Till Kamppeter ]
* Refresh most patches with quilt
* Removed usb-backend-do-not-crash-if-usb-disabled-in-bios and
  cupsd-no-crash-on-avahi-threaded-poll-shutdown patches as they got
  applied upstream
* Removed drop-arch-specifics-from-doc patch as it is not needed
  anymore
* Updated drop_unnecessary_dependencies, manpage-hyphen-minus,
  manpage-translations and ppd-poll-with-client-conf patches manually
  to apply to the new CUPS version
* Added error counting exception from
  usb-backend-do-not-crash-if-usb-disabled-in-bios to
  tests-ignore-warnings
* Install the newly added ippfind utility and its manpage in
  cups-client
* Added pwg.h to libcups2-dev package
* Call dh_auto_clean only if the file Makedefs is present, to avoid a
  FTBFS
* Added color management extensions from Joe Simon's GSoC 2013
  project.
* Patch cups-files.conf to activate CUPS daemon syncing of files when
  closing, so that config files (like printers.conf) do not
  mysteriously disappear (LP: #1157972)
* In the AppArmor profile, allow execution of programs in
  /etc/cups/interfaces/, needed to make CUPS working with queues based
  on System V interface scripts, especially PPD-less queues
  auto-generated by cups-browsed from cups-filters 1.0.41 on.
* Silenced AppArmor noise from udev.conf in syslog (LP: #1229766)

[ Steve Langasek ]
* Add cups-filters (>= 1.0.42) as alternative to foomatic-filters
  (which is deprecated) in package relationships

[ Didier Raboud ]
* Remove Roger Leigh from uploaders on his request with thanks for his
  past work!
* Switch avahi LSB Should-Start dependency to be avahi-daemon; also
  bump package relationship to >= 0.6.31-3~ (Closes: #731608)
* Refresh the manpage translation files
* Move the USB backend quirk rules file to cups-server-common
* Add 38 new 1.7.0 libcups2 symbols
* Mark one C++ libcupsppdc1 symbol as optional as it isn't exported in
  1.7.0 anymore
* Import Fedora patches:
  - to avoid sign-extending CRCs in gz decompression
  - to build with full read-only relocations
  - to fix job history logging (upstream patch)
  - to set the internal default for SyncOnClose to Yes, instead of
    only configuring it to Yes
  - to fix a stringpool corruption issue
  - to prevent USB timeouts causing incorrect print output
* Import Fedora patch updates:
  - to dont-use-dbus-from-two-threads patch so it removes a call to
    avahi_threaded_poll_stop()
  - to avoid_stale_lockfile_in_dbus_notifier patch to call _exit when
    handling SIGTERM
* Move manpage-translations patch at the very end of the patch series
  to have it include all our patches

Author: Didier Raboud
Revision Date: 2014-01-03 18:42:39 UTC

* New 1.7.0 upstream release

[ Till Kamppeter ]
* Refresh most patches with quilt
* Removed usb-backend-do-not-crash-if-usb-disabled-in-bios and
  cupsd-no-crash-on-avahi-threaded-poll-shutdown patches as they got
  applied upstream
* Removed drop-arch-specifics-from-doc patch as it is not needed
  anymore
* Updated drop_unnecessary_dependencies, manpage-hyphen-minus,
  manpage-translations and ppd-poll-with-client-conf patches manually
  to apply to the new CUPS version
* Added error counting exception from
  usb-backend-do-not-crash-if-usb-disabled-in-bios to
  tests-ignore-warnings
* Install the newly added ippfind utility and its manpage in
  cups-client
* Added pwg.h to libcups2-dev package
* Call dh_auto_clean only if the file Makedefs is present, to avoid a
  FTBFS
* Added color management extensions from Joe Simon's GSoC 2013
  project.
* Patch cups-files.conf to activate CUPS daemon syncing of files when
  closing, so that config files (like printers.conf) do not
  mysteriously disappear (LP: #1157972)
* In the AppArmor profile, allow execution of programs in
  /etc/cups/interfaces/, needed to make CUPS working with queues based
  on System V interface scripts, especially PPD-less queues
  auto-generated by cups-browsed from cups-filters 1.0.41 on.
* Silenced AppArmor noise from udev.conf in syslog (LP: #1229766)

[ Steve Langasek ]
* Add cups-filters (>= 1.0.42) as alternative to foomatic-filters
  (which is deprecated) in package relationships

[ Didier Raboud ]
* Remove Roger Leigh from uploaders on his request with thanks for his
  past work!
* Switch avahi LSB Should-Start dependency to be avahi-daemon; also
  bump package relationship to >= 0.6.31-3~ (Closes: #731608)
* Refresh the manpage translation files
* Move the USB backend quirk rules file to cups-server-common
* Add 38 new 1.7.0 libcups2 symbols
* Mark one C++ libcupsppdc1 symbol as optional as it isn't exported in
  1.7.0 anymore
* Import Fedora patches:
  - to avoid sign-extending CRCs in gz decompression
  - to build with full read-only relocations
  - to fix job history logging (upstream patch)
  - to set the internal default for SyncOnClose to Yes, instead of
    only configuring it to Yes
  - to fix a stringpool corruption issue
  - to prevent USB timeouts causing incorrect print output
* Import Fedora patch updates:
  - to dont-use-dbus-from-two-threads patch so it removes a call to
    avahi_threaded_poll_stop()
  - to avoid_stale_lockfile_in_dbus_notifier patch to call _exit when
    handling SIGTERM
* Move manpage-translations patch at the very end of the patch series
  to have it include all our patches

Author: Till Kamppeter
Revision Date: 2013-11-08 18:49:01 UTC

debian/patches/lpadmin-ppdname-fix.patch: The lpadmin command did not send
the PPD name from the "-m" option and also the web interface did not use
the selected PPD file (LP: #1248578).

Author: Till Kamppeter
Revision Date: 2013-11-08 18:49:01 UTC

debian/patches/lpadmin-ppdname-fix.patch: The lpadmin command did not send
the PPD name from the "-m" option and also the web interface did not use
the selected PPD file (LP: #1248578).

Author: Till Kamppeter
Revision Date: 2013-09-27 12:30:01 UTC

debian/local/cupsd-sync-files-on-close.patch: Corrected patch, the new
SyncOnClose directive needs to be in cups-files.conf (LP: #1157972,
Red Hat bug #984883).

Author: Till Kamppeter
Revision Date: 2013-04-23 12:12:12 UTC

debian/cups.logrotate: Do not remove CUPS' log files while the CUPS
daemon is running. Stop CUPS, move the files, and then start it again.
This avoids crashes during the log rotation process (LP: #1086019).

Author: Till Kamppeter
Revision Date: 2013-05-10 19:51:56 UTC

debian/patches/usb-backend-do-not-crash-if-usb-disabled-in-bios.patch:
Add patch to test suite to ignore the newly introduced warning message.
This message gets regularly issued on build servers which use virtual
machines without access to the host's USB and so the test suite fails due
to an extra warning. Due to this there was a FTBFS in the previous release
(LP: #1108719).

Author: Till Kamppeter
Revision Date: 2013-05-10 19:51:56 UTC

debian/patches/usb-backend-do-not-crash-if-usb-disabled-in-bios.patch:
Add patch to test suite to ignore the newly introduced warning message.
This message gets regularly issued on build servers which use virtual
machines without access to the host's USB and so the test suite fails due
to an extra warning. Due to this there was a FTBFS in the previous release
(LP: #1108719).

Author: Till Kamppeter
Revision Date: 2013-05-10 15:06:56 UTC

debian/patches/usb-backend-do-not-crash-if-usb-disabled-in-bios.patch:
Add patch to test suite to ignore the newly introduced warning message.
This message gets regularly issued on build servers which use virtual
machines without access to the host's USB and so the test suite fails due
to an extra warning. Due to this there was a FTBFS in the previous release
(LP: #1108719).

Author: Till Kamppeter
Revision Date: 2013-04-23 12:12:12 UTC

debian/cups.logrotate: Do not remove CUPS' log files while the CUPS
daemon is running. Stop CUPS, move the files, and then start it again.
This avoids crashes during the log rotation process (LP: #1086019).

Author: Till Kamppeter
Revision Date: 2013-04-15 15:13:01 UTC

debian/patches/usb-backend-more-quirk-rules.patch: Added quirk rule for the
QinHeng CH340S USB->Parallel adapter (LP: #1000253).

Author: Marc Deslauriers
Revision Date: 2012-12-03 09:03:39 UTC

* SECURITY UPDATE: privilege escalation via config file editing
  - debian/patches/CVE-2012-5519.patch: split configuration file into
    two, to isolate options that have a security impact.
  - debian/cups.install: also install cups-files.conf
  - debian/patches/removecvstag.patch: updated to remove tag from
    cups-files.conf.
  - CVE-2012-5519

Author: Marc Deslauriers
Revision Date: 2012-12-03 09:05:49 UTC

* SECURITY UPDATE: privilege escalation via config file editing
  - debian/patches/CVE-2012-5519.patch: split configuration file into
    two, to isolate options that have a security impact.
  - debian/cups.install: also install cups-files.conf
  - debian/patches/removecvstag.patch: updated to remove tag from
    cups-files.conf.
  - CVE-2012-5519
* debian/control: remove libtiff5-dev alternate build-depends so this
  package can build in a schroot.
* NOTE: this package does _not_ include the changes from 1.5.3-0ubuntu5
  in precise-proposed.

Author: Marc Deslauriers
Revision Date: 2012-12-03 09:14:13 UTC

* SECURITY UPDATE: privilege escalation via config file editing
  - debian/patches/CVE-2012-5519.patch: split configuration file into
    two, to isolate options that have a security impact.
  - debian/cups.install: also install cups-files.conf
  - debian/patches/removecvstag.patch: updated to remove tag from
    cups-files.conf.
  - CVE-2012-5519
* NOTE: this package does _not_ include the changes from 1.5.0-8ubuntu7
  in oneiric-proposed.

Author: Marc Deslauriers
Revision Date: 2012-12-03 09:19:57 UTC

* SECURITY UPDATE: privilege escalation via config file editing
  - debian/patches/CVE-2012-5519.dpatch: split configuration file into
    two, to isolate options that have a security impact.
  - debian/cups.install: also install cups-files.conf
  - debian/patches/removecvstag.dpatch: updated to remove tag from
    cups-files.conf.
  - CVE-2012-5519

Author: Marc Deslauriers
Revision Date: 2012-12-03 09:19:57 UTC

* SECURITY UPDATE: privilege escalation via config file editing
  - debian/patches/CVE-2012-5519.dpatch: split configuration file into
    two, to isolate options that have a security impact.
  - debian/cups.install: also install cups-files.conf
  - debian/patches/removecvstag.dpatch: updated to remove tag from
    cups-files.conf.
  - CVE-2012-5519

Author: Marc Deslauriers
Revision Date: 2012-12-03 09:14:13 UTC

* SECURITY UPDATE: privilege escalation via config file editing
  - debian/patches/CVE-2012-5519.patch: split configuration file into
    two, to isolate options that have a security impact.
  - debian/cups.install: also install cups-files.conf
  - debian/patches/removecvstag.patch: updated to remove tag from
    cups-files.conf.
  - CVE-2012-5519
* NOTE: this package does _not_ include the changes from 1.5.0-8ubuntu7
  in oneiric-proposed.

Author: Till Kamppeter
Revision Date: 2012-10-15 19:43:30 UTC

debian/patches/cupsd-no-crash-on-avahi-threaded-poll-shutdown.patch:
Fixed crash which sometimes happens on shutdown of the CUPS daemom,
caused by a wrong shutdown sequence for shutting down the Avahi threaded
poll (LP: #1034045).

Author: Steve Langasek
Revision Date: 2012-04-09 15:26:40 UTC

releasing version 1.5.2-9ubuntu1

Author: Steve Langasek
Revision Date: 2012-04-09 08:24:48 UTC

Don't wait on udevtrigger before starting cups; the only reason this
is here is to let '/lib/udev/udev-configure-printer enumerate' work, but
if cups does start before we've cold-plugged everything, the udev rule
will call '/lib/udev/udev-configure-printer add' for each device it
discovers anyway, so this is redundant.

Author: Till Kamppeter
Revision Date: 2012-03-28 14:36:54 UTC

debian/patches/cupsd-fix-crash-on-sighup.dpatch: Fixed crash of the
scheduler (CUPS daemon) on the SIGHUP signal (sent on log rotation,
restart, ..., LP: #857663).

Author: Till Kamppeter
Revision Date: 2012-01-17 12:05:41 UTC

debian/patches/usb-backend-generate-device-uri-without-device-id.patch:
Make USB printers working independent of what gets reported as their
device ID, including random characters or nothing. This should especially
make all USB->Parallel adapters work (LP: #910272).

Author: Martin Pitt
Revision Date: 2011-09-27 14:10:26 UTC

* Urgency medium due to security fix. The previous version wasn't in testing
  yet, but already matured for half of the usual period, so it will still
  be 10 days in sum.
* Add 00svn_gif_overflow.patch: Fix heap overflow with broken/crafted GIF
  files. Patch taken from upstream svn. [CVE-2011-3170]

Author: Marc Deslauriers
Revision Date: 2011-09-12 09:02:13 UTC

* SECURITY UPDATE: arbitrary code execution via missing code words
  - debian/patches/CVE-2011-2896.dpatch: improve logic in
    filter/image-gif.c.
  - CVE-2011-2896
* SECURITY UPDATE: arbitrary code execution via incorrect code word
  handling
  - debian/patches/CVE-2011-3170.dpatch: don't overflow in
    filter/image-gif.c.
  - CVE-2011-3170

Author: Marc Deslauriers
Revision Date: 2011-09-12 09:20:08 UTC

* SECURITY UPDATE: arbitrary code execution via missing code words
  - debian/patches/CVE-2011-2896.dpatch: improve logic in
    filter/image-gif.c.
  - CVE-2011-2896
* SECURITY UPDATE: arbitrary code execution via incorrect code word
  handling
  - debian/patches/CVE-2011-3170.dpatch: don't overflow in
    filter/image-gif.c.
  - CVE-2011-3170

Author: Marc Deslauriers
Revision Date: 2011-09-12 09:20:08 UTC

* SECURITY UPDATE: arbitrary code execution via missing code words
  - debian/patches/CVE-2011-2896.dpatch: improve logic in
    filter/image-gif.c.
  - CVE-2011-2896
* SECURITY UPDATE: arbitrary code execution via incorrect code word
  handling
  - debian/patches/CVE-2011-3170.dpatch: don't overflow in
    filter/image-gif.c.
  - CVE-2011-3170

Author: Marc Deslauriers
Revision Date: 2011-09-12 09:02:13 UTC

* SECURITY UPDATE: arbitrary code execution via missing code words
  - debian/patches/CVE-2011-2896.dpatch: improve logic in
    filter/image-gif.c.
  - CVE-2011-2896
* SECURITY UPDATE: arbitrary code execution via incorrect code word
  handling
  - debian/patches/CVE-2011-3170.dpatch: don't overflow in
    filter/image-gif.c.
  - CVE-2011-3170

Author: Till Kamppeter
Revision Date: 2011-06-24 13:30:59 UTC

debian/patches/cups-avahi.dpatch: Updated Avahi patch to fix places in
the CUPS source code where libdns_sd is supported but not Avahi.
especially accept being called with a hostname with ".local" domain
so that AirPrint works without "ServerAlias *" in cupsd.conf (LP: #801306).

Author: Martin Pitt
Revision Date: 2011-04-19 20:14:13 UTC

Revert calling "convert" on the banner PNGs (r961); the file is already
correct in the source. The format conversion happens in Ubuntu's
pkgbinarymangler, so it does not affect Debian builds at all and also this
cannot be circumvented that way. Instead, blacklist this package from
pkgstripfiles. (LP: #710881)

Author: Steve Langasek
Revision Date: 2011-03-25 05:31:28 UTC

Build for multiarch.

Author: Marc Deslauriers
Revision Date: 2010-11-02 11:10:37 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  invalid free
  - debian/patches/CVE-2010-2941.dpatch: skip over and reserve unused
    tags in cups/ipp.{c,h}.
  - CVE-2010-2941

Author: Marc Deslauriers
Revision Date: 2010-11-02 11:10:37 UTC

* SECURITY UPDATE: denial of service and possible code execution via
  invalid free
  - debian/patches/CVE-2010-2941.dpatch: skip over and reserve unused
    tags in cups/ipp.{c,h}.
  - CVE-2010-2941

Author: Till Kamppeter
Revision Date: 2010-10-15 13:04:33 UTC

debian/control: Added dependency on "cups-ppdc" package to the "cups"
package, so that the PPDs of the drivers which come with CUPS get built
(LP: #485383).

Author: Martin Pitt
Revision Date: 2010-09-29 11:01:42 UTC

ubuntu-upstart.dpatch: If D-BUS is not available, start on runlevels 2 to
5, so that this also works in server environments. Patch cherrypicked from
packaging trunk. (LP: #650893)

Author: Marc Deslauriers
Revision Date: 2010-06-18 10:26:08 UTC

* SECURITY UPDATE: cross-site request forgery in admin interface
  - debian/patches/CVE-2010-0540.dpatch: add unpredictable session token
    to cgi-bin/admin.c, cgi-bin/cgi.h, cgi-bin/ipp-var.c,
    cgi-bin/template.c, cgi-bin/var.c, scheduler/client.c,
    templates/*.tmpl.
  - CVE-2010-0540
* SECURITY UPDATE: denial of service or arbitrary code execution in
  texttops image filter
  - debian/patches/CVE-2010-0542.dpatch: make sure calloc succeeded in
    filter/texttops.c.
  - CVE-2010-0542
* SECURITY UPDATE: web interface memory disclosure
  - debian/patches/CVE-2010-1748.dpatch: validate data in cgi-bin/var.c.
  - CVE-2010-1748
* SECURITY UPDATE: file overwrite vulnerability
  - debian/patches/security-str3510.dpatch: introduce cups_open() in
    cups/file.c and use to make sure hard-linked or symlinked files don't
    get overwritten as root.
  - No CVE number

Author: Marc Deslauriers
Revision Date: 2010-06-18 10:26:08 UTC

* SECURITY UPDATE: cross-site request forgery in admin interface
  - debian/patches/CVE-2010-0540.dpatch: add unpredictable session token
    to cgi-bin/admin.c, cgi-bin/cgi.h, cgi-bin/ipp-var.c,
    cgi-bin/template.c, cgi-bin/var.c, scheduler/client.c,
    templates/*.tmpl.
  - CVE-2010-0540
* SECURITY UPDATE: denial of service or arbitrary code execution in
  texttops image filter
  - debian/patches/CVE-2010-0542.dpatch: make sure calloc succeeded in
    filter/texttops.c.
  - CVE-2010-0542
* SECURITY UPDATE: web interface memory disclosure
  - debian/patches/CVE-2010-1748.dpatch: validate data in cgi-bin/var.c.
  - CVE-2010-1748
* SECURITY UPDATE: file overwrite vulnerability
  - debian/patches/security-str3510.dpatch: introduce cups_open() in
    cups/file.c and use to make sure hard-linked or symlinked files don't
    get overwritten as root.
  - No CVE number

Author: Martin Pitt
Revision Date: 2010-04-09 15:20:51 UTC

[ Till Kamppeter ]
* debian/filters/pstopdf: Use "-dUseCIEColor" for the Ghostscript call in the
  pstopdf filter, to eliminate the warning "Set UseCIEColor for
  UseDeviceIndependentColor to work properly.".

[ Martin Pitt ]
* New upstream bug fix release. See http://www.cups.org/articles.php?L594
  for details.
* Drop CVE-2010-0393.dpatch, upstream now.
* Update usb-backend-both-usblp-and-libusb.dpatch for new version.
* select_use_after_free.dpatch: Add additional fix by Tim Waugh and Vincent
  Danen for CVE-2010-0302, and update tag header. (Closes: #572940)

Author: Evan Broder
Revision Date: 2010-03-03 20:29:00 UTC

debian/patches/fix-lpstat.dpatch: Fix lpstat to work correctly against
CUPS 1.4 servers. (LP: #497606)

Author: Marc Deslauriers
Revision Date: 2010-02-25 10:58:35 UTC

* SECURITY UPDATE: denial of service via use-after-free
  - debian/patches/CVE-2009-3553.dpatch: check fdptr->use and
    cupsd_inactive_fds in scheduler/select.c.
  - CVE-2009-3553
  - CVE-2010-0302
* SECURITY UPDATE: privilege escalation via lppasswd tool
  - debian/patches/CVE-2010-0393.dpatch: don't allow environment
    variables to override directories in cups/globals.c and
    systemv/lppasswd.c.
  - CVE-2010-0393

Author: Marc Deslauriers
Revision Date: 2010-02-25 10:58:35 UTC

* SECURITY UPDATE: denial of service via use-after-free
  - debian/patches/CVE-2009-3553.dpatch: check fdptr->use and
    cupsd_inactive_fds in scheduler/select.c.
  - CVE-2009-3553
  - CVE-2010-0302
* SECURITY UPDATE: privilege escalation via lppasswd tool
  - debian/patches/CVE-2010-0393.dpatch: don't allow environment
    variables to override directories in cups/globals.c and
    systemv/lppasswd.c.
  - CVE-2010-0393

Author: Till Kamppeter
Revision Date: 2010-01-26 12:10:20 UTC

* debian/local/filters/pdf-filters/filter/texttopdf.c: Workaround for
  bug in ttf-freefont which messed up the output of the texttopdf filter.
  Thanks to Hin-Tak Leung and Steve White to find this solution (LP: #447961).
* debian/local/filters/pdf-filters/pdftopdf/P2PDoc.cxx,
  debian/local/filters/pdf-filters/pdftopdf/P2PGfx.cxx,
  debian/local/filters/pdf-filters/pdftopdf/P2PGfx.h,
  debian/local/filters/pdf-filters/pdftopdf/P2PObject.h,
  debian/local/filters/pdf-filters/pdftopdf/P2POutput.cxx: Upstream
  fix from Koji Otani for the following: (1) Fixed some memory leak;
  (2) pdftopdf now delays fetching a referenced object until when it is
  written to the output. This fixes memory hogging with N-up output
  (N pages per sheet). The fix is mainly done by (2). This fixes
  LP: #508731.
* debian/local/filters/pdf-filters/pdftopdf/P2PGfx.cxx: Fixed segfault of
  the pdftopdf filter when the input PDF file has ICC-profile-based color
  space inline images. Thanks to Koji Otani for the fix. Fixes LP: #407344.
* debian/local/filters/cpdftocps: Fixed turning off duplex via command line
  (http://bugs.linux-foundation.org/show_bug.cgi?id=397, LP: #487902).

Author: Martin Pitt
Revision Date: 2009-10-15 20:58:29 UTC

debian/rules: Do not have a failing test suite break the build. This is a
temporary workaround for broken Ubuntu buildd chroots which cannot resolve
their own hostname (see LP #447919).

Author: Jamie Strandboge
Revision Date: 2009-04-15 09:33:56 UTC

* SECURITY UPDATE: fix integer overflow via large TIFF file (LP: #361866)
  - debian/patches/CVE-2009-0163.dpatch: adjust CUPS_IMAGE_MAX_HEIGHT in
    filter/image-private.h
  - CVE-2009-0163

Author: Till Kamppeter
Revision Date: 2009-03-26 11:56:14 UTC

[ Martin Pitt ]
* Add bzr-builddeb configuration (merge mode). This does not cause any
  change in the built packages, but makes package maintenance easier.

[ Till Kamppeter ]
* debian/local/filters/pdf-filters/pdftopdf/P2PResources.cxx: Fixed
  corruption of output when generating multiple copies of EOG or GIMP
  output files. (LP: #345183)

Author: Till Kamppeter
Revision Date: 2008-10-20 08:18:20 UTC

debian/local/filters/cpdftocps, debian/filters/pstopdf: Avoid duplicate
execution of the number of copies. Sending a PostScript job to a
non-PostScript printer produced n*n copies instead of n copies, also
sending a non-PostScript job to a PostScript printer. A PostScript job
sent to a PostScript printer could even produce n*n*n copies (LP: #286048).