Security update for cups

Announcement ID: SUSE-SU-2026:20229-1
Release Date: 2026-02-04T11:35:17Z
Rating: critical
CVSS scores:
  • CVE-2025-58060 ( SUSE ): 7.7 CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-58060 ( SUSE ): 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2025-58060 ( NVD ): 8.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
  • CVE-2025-58364 ( SUSE ): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-58364 ( NVD ): 6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-58436 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-58436 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-58436 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2025-58436 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2025-61915 ( SUSE ): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-61915 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
  • CVE-2025-61915 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
  • CVE-2025-61915 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • SUSE Linux Micro 6.2

An update that solves four vulnerabilities, contains two features and has one fix can now be installed.

Description:

This update for cups fixes the following issues:

Update to version 2.4.16.

Security issues fixed:

  • CVE-2025-61915: local denial-of-service via cupsd.conf update and related issues (bsc#1253783).
  • CVE-2025-58436: slow client communication leads to a possible DoS attack (bsc#1244057).
  • CVE-2025-58364: unsafe deserialization and validation of printer attributes can cause a null dereference (bsc#1249128).
  • CVE-2025-58060: authentication bypass with AuthType Negotiate (bsc#1249049).
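
To help prioritise hosts for this update, the following added example (not part of the SUSE advisory or the CUPS sources) lists the places in a cupsd.conf where Negotiate authentication takes effect, the configuration named in the CVE-2025-58060 entry above. The sample configuration is constructed, and the function name negotiate_scopes is hypothetical.

```python
import re

# Constructed sample cupsd.conf for illustration, not taken from any real host.
SAMPLE_CONF = """\
DefaultAuthType Negotiate
<Location /admin>
  AuthType Default
  Require user @SYSTEM
</Location>
<Policy default>
  <Limit CUPS-Add-Modify-Printer>
    AuthType Basic
  </Limit>
  <Limit Cancel-Job>
    AuthType Negotiate
  </Limit>
</Policy>
"""

def negotiate_scopes(conf_text):
    """Return (line_no, scope, directive) wherever Negotiate takes effect."""
    # Global default; assumption: the last DefaultAuthType line wins.
    found = re.findall(r"(?im)^\s*DefaultAuthType\s+(\S+)", conf_text)
    default_auth = found[-1].lower() if found else None
    hits, stack = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        close = re.match(r"</(\w+)>", line)
        open_ = re.match(r"<(\w+)\s*([^>]*)>", line)
        if close:
            if stack:
                stack.pop()                      # leave Location/Policy/Limit
        elif open_:
            stack.append(f"{open_.group(1)} {open_.group(2)}".strip())
        else:
            m = re.match(r"(DefaultAuthType|AuthType)\s+(\S+)", line, re.I)
            if not m:
                continue
            value = m.group(2).lower()
            # "AuthType Default" resolves to the DefaultAuthType setting.
            effective = default_auth if value == "default" else value
            if effective == "negotiate":
                hits.append((no, " > ".join(stack) or "global", line))
    return hits

if __name__ == "__main__":
    for no, scope, directive in negotiate_scopes(SAMPLE_CONF):
        print(f"line {no}: [{scope}] {directive}")
```

To audit a host, pass the contents of /etc/cups/cupsd.conf to negotiate_scopes(). The update applies regardless of the result, since it also fixes the other three CVEs.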

Other updates and bugfixes:

  • Version upgrade to 2.4.16:
    • 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences, potentially reading past the end of the source string (Issue #1438)
    • The web interface did not support domain usernames fully (Issue #1441)
    • Fixed an infinite loop issue in the GTK+ print dialog (Issue #1439, boo#1254353)
    • Fixed stopping scheduler on unknown directive in configuration (Issue #1443)
  • Fixed packages for Immutable Mode (jsc#PED-14775 from epic jsc#PED-14688)

  • Version upgrade to 2.4.15:
    • Fixed potential crash in 'cups-driverd' when there are duplicate PPDs (Issue #1355)
    • Fixed error recovery when scanning for PPDs in 'cups-driverd' (Issue #1416)

  • Version upgrade to 2.4.14.

  • Version upgrade to 2.4.13:
    • Added 'print-as-raster' printer and job attributes for forcing rasterization (Issue #1282)
    • Updated documentation (Issue #1086)
    • Updated IPP backend to try a sanitized user name if the printer/server does not like the value (Issue #1145)
    • Updated the scheduler to send the "printer-added" or "printer-modified" events whenever an IPP Everywhere PPD is installed (Issue #1244)
    • Updated the scheduler to send the "printer-modified" event whenever the system default printer is changed (Issue #1246)
    • Fixed a memory leak in 'httpClose' (Issue #1223)
    • Fixed missing commas in 'ippCreateRequestedArray' (Issue #1234)
    • Fixed subscription issues in the scheduler and D-Bus notifier (Issue #1235)
    • Fixed media-default reporting for custom sizes (Issue #1238)
    • Fixed support for IPP/PPD options with periods or underscores (Issue #1249)
    • Fixed parsing of real numbers in PPD compiler source files (Issue #1263)
    • Fixed scheduler freezing with zombie clients (Issue #1264)
    • Fixed support for the server name in the ErrorLog filename (Issue #1277)
    • Fixed job cleanup after daemon restart (Issue #1315)
    • Fixed handling of buggy DYMO USB printer serial numbers (Issue #1338)
    • Fixed unreachable block in IPP backend (Issue #1351)
    • Fixed memory leak in _cupsConvertOptions (Issue #1354)

  • Version upgrade to 2.4.12:
    • GnuTLS follows system crypto policies now (Issue #1105)
    • Added NoSystem SSLOptions value (Issue #1130)
    • Now we raise alert for certificate issues (Issue #1194)
    • Added Kyocera USB quirk (Issue #1198)
    • The scheduler now logs a job's debugging history if the backend fails (Issue #1205)
    • Fixed a potential timing issue with cupsEnumDests (Issue #1084)
    • Fixed a potential "lost PPD" condition in the scheduler (Issue #1109)
    • Fixed a compressed file error handling bug (Issue #1070)
    • Fixed a bug in the make-and-model whitespace trimming code (Issue #1096)
    • Fixed a removal of IPP Everywhere permanent queue if installation failed (Issue #1102)
    • Fixed ServerToken None in scheduler (Issue #1111)
    • Fixed invalid IPP keyword values created from PPD option names (Issue #1118)
    • Fixed handling of "media" and "PageSize" in the same print request (Issue #1125)
    • Fixed client raster printing from macOS (Issue #1143)
    • Fixed the default User-Agent string.
    • Fixed a recursion issue in ippReadIO.
    • Fixed handling incorrect radix in scan_ps() (Issue #1188)
    • Fixed validation of dateTime values with time zones more than UTC+11 (Issue #1201)
    • Fixed attributes returned by the Create-Xxx-Subscriptions requests (Issue #1204)
    • Fixed ippDateToTime when using a non GMT/UTC timezone (Issue #1208)
    • Fixed job-completed event notifications for jobs that are cancelled before started (Issue #1209)
    • Fixed DNS-SD discovery with ippfind (Issue #1211)

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Micro 6.2
    zypper in -t patch SUSE-SL-Micro-6.2-242=1

Package List:

  • SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
    • cups-debugsource-2.4.16-160000.1.1
    • cups-debuginfo-2.4.16-160000.1.1
    • cups-config-2.4.16-160000.1.1
    • libcups2-debuginfo-2.4.16-160000.1.1
    • libcups2-2.4.16-160000.1.1
