{"affected":[{"ecosystem_specific":{"binaries":[{"cups-config":"2.4.16-1.1","libcups2":"2.4.16-1.1"}]},"package":{"ecosystem":"SUSE:Linux Micro 6.0","name":"cups","purl":"pkg:rpm/suse/cups&distro=SUSE%20Linux%20Micro%206.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"2.4.16-1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for cups fixes the following issues:\n\nUpdate to version 2.4.16.\n\nSecurity issues fixed:\n\n- CVE-2025-58436: single client sending slow messages to cupsd can delay the application and make it unusable for other\n  clients (bsc#1244057).\n- CVE-2025-58060: authentication bypass with AuthType negotiate (bsc#1249049).\n- CVE-2025-58364: unsafe deserialization and validation of printer attributes can lead to null dereference\n  (bsc#1249128).\n- CVE-2025-61915: local denial-of-service via cupsd.conf update and related issues (bsc#1253783).\n\nOther updates and bugfixes:\n\n- Version upgrade to 2.4.16:\n\n  * 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences,\n    potentially reading past the end of the source string\n    (Issue #1438)\n  * The web interface did not support domain usernames fully\n    (Issue #1441)\n  * Fixed an infinite loop issue in the GTK+ print dialog\n    (Issue #1439 bsc#1254353)\n  * Fixed stopping scheduler on unknown directive in\n    configuration (Issue #1443)\n  \n- Version upgrade to 2.4.15:\n\n  * Fixed potential crash in 'cups-driverd' when there are\n    duplicate PPDs (Issue #1355)\n  * Fixed error recovery when scanning for PPDs\n    in 'cups-driverd' (Issue #1416)\n  \n- Fix packages for Immutable Mode - cups (jsc#PED-14775,jsc#PED-14688)\n\n- Version upgrade to 2.4.14.\n  \n- Version upgrade to 2.4.13:\n\n  * Added 'print-as-raster' printer and job attributes\n    for forcing rasterization (Issue #1282)\n  * Updated documentation (Issue #1086)\n  * Updated IPP backend to try a sanitized user name if the\n    printer/server does not like the value (Issue #1145)\n  * Updated the scheduler to send the \"printer-added\"\n    or \"printer-modified\" events  whenever an IPP Everywhere PPD\n    is installed (Issue #1244)\n  * Updated the scheduler to send the \"printer-modified\" event\n    whenever the system default printer is changed (Issue #1246)\n  * Fixed a memory leak in 'httpClose' (Issue #1223)\n  * Fixed missing commas in 'ippCreateRequestedArray'\n    (Issue #1234)\n  * Fixed subscription issues in the scheduler and D-Bus notifier\n    (Issue #1235)\n  * Fixed media-default reporting for custom sizes (Issue #1238)\n  * Fixed support for IPP/PPD options with periods or underscores\n    (Issue #1249)\n  * Fixed parsing of real numbers in PPD compiler source files\n    (Issue #1263)\n  * Fixed scheduler freezing with zombie clients (Issue #1264)\n  * Fixed support for the server name in the ErrorLog filename\n    (Issue #1277)\n  * Fixed job cleanup after daemon restart (Issue #1315)\n  * Fixed handling of buggy DYMO USB printer serial numbers\n   (Issue #1338)\n  * Fixed unreachable block in IPP backend (Issue #1351)\n  * Fixed memory leak in _cupsConvertOptions (Issue #1354)\n\n- Version upgrade to 2.4.12:\n  \n  * GnuTLS follows system crypto policies now (Issue #1105)\n  * Added `NoSystem` SSLOptions value (Issue #1130)\n  * Now we raise alert for certificate issues (Issue #1194)\n  * Added Kyocera USB quirk (Issue #1198)\n  * The scheduler now logs a job's debugging history\n    if the backend fails (Issue #1205)\n  * Fixed a potential timing issue with `cupsEnumDests`\n    (Issue #1084)\n  * Fixed a potential \"lost PPD\" condition in the scheduler\n    (Issue #1109)\n  * Fixed a compressed file error handling bug (Issue #1070)\n  * Fixed a bug in the make-and-model whitespace trimming\n    code (Issue #1096)\n  * Fixed a removal of IPP Everywhere permanent queue\n    if installation failed (Issue #1102)\n  * Fixed `ServerToken None` in scheduler (Issue #1111)\n  * Fixed invalid IPP keyword values created from PPD\n    option names (Issue #1118)\n  * Fixed handling of \"media\" and \"PageSize\" in the same\n    print request (Issue #1125)\n  * Fixed client raster printing from macOS (Issue #1143)\n  * Fixed the default User-Agent string.\n  * Fixed a recursion issue in `ippReadIO`.\n  * Fixed handling incorrect radix in `scan_ps()` (Issue #1188)\n  * Fixed validation of dateTime values with time zones\n    more than UTC+11 (Issue #1201)\n  * Fixed attributes returned by the Create-Xxx-Subscriptions\n    requests (Issue #1204)\n  * Fixed `ippDateToTime` when using a non GMT/UTC timezone\n    (Issue #1208)\n  * Fixed `job-completed` event notifications for jobs that are\n    cancelled before started (Issue #1209)\n  * Fixed DNS-SD discovery with `ippfind` (Issue #1211)\n","id":"SUSE-SU-2026:20528-1","modified":"2026-03-02T13:19:17Z","published":"2026-03-02T13:19:17Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2026/suse-su-202620528-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1244057"},{"type":"REPORT","url":"https://bugzilla.suse.com/1249049"},{"type":"REPORT","url":"https://bugzilla.suse.com/1249128"},{"type":"REPORT","url":"https://bugzilla.suse.com/1253783"},{"type":"REPORT","url":"https://bugzilla.suse.com/1254353"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58060"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58364"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58436"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-61915"}],"related":["CVE-2025-58060","CVE-2025-58364","CVE-2025-58436","CVE-2025-61915"],"summary":"Security update for cups","upstream":["CVE-2025-58060","CVE-2025-58364","CVE-2025-58436","CVE-2025-61915"]}