oss-security - Re: Multiple CVEs disclosed in CUPS

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Message-ID:
 <MEAPR01MB365475EE9DC8CA57A14D5B12EE5BA@MEAPR01MB3654.ausprd01.prod.outlook.com>
Date: Wed, 8 Apr 2026 01:40:13 +0000
From: Peter Gutmann <pgut001@...auckland.ac.nz>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: Multiple CVEs disclosed in CUPS

Alan Coopersmith <alan.coopersmith@...cle.com> writes:

>https://heyitsas.im/posts/cups/ discloses:
>[...]

Hopefully not too off-topic but a related issue with CUPS is that it's
incredibly difficult to remove in order to harden a system.  Under Ubuntu it's
installed by default and deeply embedded into things (some packages can't be
removed at all, try a 'sudo apt purge libcups*' but whatever you do don't hit
'y'), and keeps re-enabling and re-installing itself via different mechanisms
(release-upgrade, snap, etc) once removed.  So the easy mitigation of "don't
do that, then" isn't really available unless you're prepared to spend some
time recursively removing, disabling, and locking out everything involved.

Peter.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.