Security update for cups

Announcement ID: SUSE-SU-2026:21836-1
Release Date: 2026-05-26T12:19:57Z
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2026-27447 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
  • CVE-2026-27447 ( NVD ): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
  • CVE-2026-27447 ( NVD ): 4.8 CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:N
  • CVE-2026-34978 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
  • CVE-2026-34978 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
  • CVE-2026-34979 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2026-34979 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2026-34980 ( SUSE ): 6.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
  • CVE-2026-34980 ( NVD ): 6.1 CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • CVE-2026-34980 ( NVD ): 7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2026-34990 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2026-34990 ( NVD ): 5.0 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • CVE-2026-34990 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2026-39314 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2026-39314 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2026-39314 ( NVD ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2026-39314 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2026-39316 ( SUSE ): 6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • CVE-2026-39316 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2026-39316 ( NVD ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2026-39316 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2026-41079 ( SUSE ): 5.1 CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
  • CVE-2026-41079 ( SUSE ): 3.5 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CVE-2026-41079 ( NVD ): 4.3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • CVE-2026-41079 ( NVD ): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Affected Products:
  • SUSE Linux Micro 6.2

An update that solves eight vulnerabilities can now be installed.

Description:

This update for cups fixes the following issues

  • CVE-2026-27447: Authorization bypass via case-insensitive group-member lookup (bsc#1261572).
  • CVE-2026-34978: Path traversal in RSS notify-recipient-uri enables file write outside CacheDir/rss (bsc#1261571).
  • CVE-2026-34979: Heap overflow in get_options() (bsc#1261570).
  • CVE-2026-34980: Shared PostScript queue lets anonymous Print-Job requests reach lp code execution over the network (bsc#1261569).
  • CVE-2026-34990: Local print admin token disclosure using temporary printers (bsc#1261568).
  • CVE-2026-39314: negative job-password-supported attribute can lead to a denial of service (bsc#1261743).
  • CVE-2026-39316: dangling subscription pointer can lead to a denial of service (bsc#1261742).
  • CVE-2026-41079: crafted SNMP response can lead to stack-based out-of-bounds read and sensitive memory disclosure (bsc#1263116).

Changes for cups:

  • Version upgrade to 2.4.19.

  • Version upgrade to 2.4.18.

  • Version upgrade to 2.4.17:

  • The scheduler followed symbolic links when cleaning out its temporary directory (Issue #1448)

  • Updated cupsFileGetConf and cupsFilePutConf to escape more characters.
  • Updated man page cancel (Issue #984)
  • Updated cupsRasterReadHeader to validate more of the page header values (Issue #1501)
  • Fixed an issue with the class/printer CGI name checking.
  • Fixed infinite loop in http_write() on busy print servers (Issue #827)
  • Fixed potential TLS blocking issues (Issue #1128)
  • Fixed a job history bug in the scheduler (Issue #1440)
  • Fixed notifier logging bug that would result in nul bytes getting into the log (Issue #1450)
  • Fixed possible use-after-free in cupsdReadClient() (Issue #1454)
  • Fixed a document format bug in the IPP backend (Issue #1457)
  • Fixed DRAIN_OUTPUT race condition (Issue #1461)
  • Fixed a bug when then ippFindXxx and ippSetXxx functions were mixed.
  • Fixed the mapping of supply type keywords to SNMP names.
  • Fixed a bug in the IPP backend when SNMP was disabled.
  • Fixed a crash bug in the rastertoepson filter.
  • Fixed a bug in cgiCheckVariables.
  • Fixed handling read/write errors with OpenSSL (Issue #1506)
  • Fixed handling rehandshake error in _httpTLSRead (Issue #1508)
  • Fixed a debug printf bug on Windows (Issue #1529)
  • Fixed a recursion issue with encoding of nested collections (Issue #1539)
  • Fixed parsing of the LimitRequestBody, MaxLogSize, and MaxRequestSize directives in "cupsd.conf" (Issue #1540)
  • Fixed a parsing bug in ipptool (Issue #1542)
  • Fixed blank line detection in the rastertolabel filter (Issue #1545)
  • Fixed httpPeek edge case on compressed streams

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Micro 6.2
    zypper in -t patch SUSE-SL-Micro-6.2-802=1

Package List:

  • SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
    • libcups2-debuginfo-2.4.19-160000.1.1
    • cups-config-2.4.19-160000.1.1
    • libcups2-2.4.19-160000.1.1
    • cups-debuginfo-2.4.19-160000.1.1
    • cups-debugsource-2.4.19-160000.1.1

References: