From: Michael R Sweet Date: Thu, 13 Apr 2023 15:22:51 +0000 (-0400) Subject: Clean up OpenSSL fixes and changelog (Issue #652) X-Git-Tag: v2.4.3~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6a527192baac0dad5cdef02e15a0192ed2692d03;p=thirdparty%2Fcups.git Clean up OpenSSL fixes and changelog (Issue #652) --- diff --git a/CHANGES.md b/CHANGES.md index 992b8045f6..2fcd20b49c 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -21,8 +21,7 @@ Changes in CUPS v2.4.3 (TBA) - Fixed media size tolerance in `ippeveprinter` (Issue #487) - Fixed `cupsd` default keychain location when building with OpenSSL (Issue #529) -- Fixed TLS certificate generation bugs. -- Generate only one SAN extension for certificate via OpenSSL (Issue #652) +- Fixed TLS certificate generation bugs (Issue #652) - `ippDeleteValues` would not delete the last value (Issue #556) - Ignore some of IPP defaults if the application sends its PPD alternative (Issue #484) @@ -36,8 +35,8 @@ Changes in CUPS v2.4.3 (TBA) - Write defaults into /etc/cups/lpoptions if we're root (Issue #456) -Changes in CUPS v2.4.2 (26th May 2022) --------------------------------------- +Changes in CUPS v2.4.2 (2022-05-26) +----------------------------------- - Fixed certificate strings comparison for Local authorization (CVE-2022-26691) - The `cupsFileOpen` function no longer opens files for append in read-write @@ -72,8 +71,8 @@ Changes in CUPS v2.4.2 (26th May 2022) interface. -Changes in CUPS v2.4.1 (27th January 2020) ------------------------------------------- +Changes in CUPS v2.4.1 (2022-01-27) +----------------------------------- - The default color mode now is now configurable and defaults to the printer's reported default mode (Issue #277) 
@@ -88,8 +87,8 @@ Changes in CUPS v2.4.1 (27th January 2020) - Removed `purge-jobs` legacy code from CGI scripts and templates (Issue #325) -Changes in CUPS v2.4.0 (29th November 2021) -------------------------------------------- +Changes in CUPS v2.4.0 (2021-11-29) +----------------------------------- - Added configure option --with-idle-exit-timeout (Issue #294) - Added --with-systemd-timeoutstartsec configure option (Issue #298) @@ -99,16 +98,16 @@ Changes in CUPS v2.4.0 (29th November 2021) - Fixed and improved German translations (Issue #296, Issue #297) -Changes in CUPS v2.4rc1 (12th November 2021) --------------------------------------------- +Changes in CUPS v2.4rc1 (2021-11-12) +------------------------------------ - Added warning and debug messages when loading printers if the queue is raw or with driver (Issue #286) - Compilation now uses -fstack-protector-strong if available (Issue #285) -Changes in CUPS v2.4b1 (27th October 2021) ------------------------------------------- +Changes in CUPS v2.4b1 (2021-10-27) +----------------------------------- - Added support for CUPS running in a Snapcraft snap. - Added basic OAuth 2.0 client support (Issue #100) 
@@ -186,94 +185,3 @@ Changes in CUPS v2.4b1 (27th October 2021) `SMBConfigFile` directives in `cupsd.conf` and `cups-files.conf`. - Stubbed out deprecated `httpMD5` functions. - Add test for undefined page ranges during printing. - - -CUPS v2.3.3op2 (February 1, 2021) ---------------------------------- - -- Security: Fixed a buffer (read) overflow in the `ippReadIO` function - (CVE-2020-10001) -- Clarified the documentation for the "Listen" directive (Issue #53) -- Fixed duplicate ColorModel entries for AirPrint printers (Issue 59) -- Fixed directory/permission defaults for Debian kfreebsd-based systems - (Issue #60, Issue #61) -- Fixed crash bug in `ppdOpen` (Issue #64, Issue #78) -- Fixed regression in `snprintf` emulation function (Issue #67) -- The scheduler's systemd service file now waits for the nslcd service to start - (Issue #69) -- The libusb-based USB backend now uses a simpler read timer implementation to - avoid a regression in a previous change (Issue #72) -- The PPD caching code now only tracks the `APPrinterIconPath` value on macOS - (Issue #73) -- Fixed segfault in help.cgi when searching in man pages (Issue #81) -- Root certificates were incorrectly stored in "~/.cups/ssl". - - -CUPS v2.3.3op1 (November 27, 2020) ----------------------------------- - -- The automated test suite can now be activated using `make test` for - consistency with other projects and CI environments - the old `make check` - continues to work as well, and the previous test server behavior can be - accessed by running `make testserver`. -- ippeveprinter now supports multiple icons and strings files. -- ippeveprinter now uses the system's FQDN with Avahi. -- ippeveprinter now supports Get-Printer-Attributes on "/". -- ippeveprinter now uses a deterministic "printer-uuid" value. -- ippeveprinter now uses system sounds on macOS for Identify-Printer. -- Updated ippfind to look for files in "~/Desktop" on Windows. -- Updated ippfind to honor `SKIP-XXX` directives with `PAUSE`. 
-- Updated IPP Everywhere support to work around printers that only advertise - color raster support but really also support grayscale (Issue #1) -- ipptool now supports DNS-SD URIs like `ipps://My%20Printer._ipps._tcp.local` - (Issue #5) -- The scheduler now allows root backends to have world read permissions but not - world execute permissions (Issue #21) -- Failures to bind IPv6 listener sockets no longer cause errors if IPv6 is - disabled on the host (Issue #25) -- The SNMP backend now supports the HP and Ricoh vendor MIBs (Issue #28) -- The scheduler no longer includes a timestamp in files it writes (Issue #29) -- The systemd service names are now "cups.service" and "cups-lpd.service" - (Issue #30, Issue #31) -- The scheduler no longer adds the local hostname to the ServerAlias list - (Issue #32) -- Added `LogFileGroup` directive in "cups-files.conf" to control the group - owner of log files (Issue #34) -- Added `--with-max-log-size` configure option (Issue #35) -- Added `--enable-sync-on-close` configure option (Issue #37) -- Added `--with-error-policy` configure option (Issue #38) -- IPP Everywhere PPDs could have an "unknown" default InputSlot (Issue #44) -- The `httpAddrListen` function now uses a listen backlog of 128. -- Added USB quirks (Apple issue #5789, #5823, #5831) -- Fixed IPP Everywhere v1.1 conformance issues in ippeveprinter. -- Fixed DNS-SD name collision support in ippeveprinter. -- Fixed compiler and code analyzer warnings. -- Fixed TLS support on Windows. -- Fixed ippfind sub-type searches with Avahi. -- Fixed the default hostname used by ippeveprinter on macOS. -- Fixed resolution of local IPP-USB printers with Avahi. 
-- Fixed coverity issues (Issue #2) -- Fixed `httpAddrConnect` issues (Issue #3) -- Fixed web interface device URI issue (Issue #4) -- Fixed lp/lpr "printer/class not found" error reporting (Issue #6) -- Fixed xinetd support for LPD clients (Issue #7) -- Fixed libtool build issue (Issue #11) -- Fixed a memory leak in the scheduler (Issue #12) -- Fixed a potential integer overflow in the PPD hashing code (Issue #13) -- Fixed output-bin and print-quality handling issues (Issue #18) -- Fixed PPD options getting mapped to odd IPP values like "tray---4" (Issue #23) -- Fixed remote access to the cupsd.conf and log files (Issue #24) -- Fixed the automated test suite when running in certain build/CI environments - (Issue #25) -- Fixed a logging regression caused by a previous change for Apple issue #5604 - (Issue #25) -- Fixed fax phone number handling with GNOME (Issue #40) -- Fixed potential rounding error in rastertopwg filter (Issue #41) -- Fixed the "uri-security-supported" value from the scheduler (Issue #42) -- Fixed IPP backend crash bug with "printer-alert" values (Issue #43) -- Removed old Solaris inetconv(1m) reference in cups-lpd man page (Issue #46) -- Fixed default options that incorrectly use the "custom" prefix (Issue #48) -- Fixed a memory leak when resolving DNS-SD URIs (Issue #49) -- Fixed systemd status reporting by adopting the notify interface (Issue #51) -- Fixed crash in rastertopwg (Apple issue #5773) -- Fixed cupsManualCopies values in IPP Everywhere PPDs (Apple issue #5807) diff --git a/cups/tls-openssl.c b/cups/tls-openssl.c index 8f02a3cb71..191b45d12c 100644 --- a/cups/tls-openssl.c +++ b/cups/tls-openssl.c 
@@ -88,7 +88,8 @@ cupsMakeServerCredentials( crtfile[1024], // Certificate filename keyfile[1024]; // Private key filename const char *common_ptr; // Pointer into common name - GENERAL_NAMES *gens = sk_GENERAL_NAME_new_null(); // Names for SubjectAltName certificate extension + GENERAL_NAMES *gens; // Names for SubjectAltName certificate extension + DEBUG_printf(("cupsMakeServerCredentials(path=\"%s\", common_name=\"%s\", num_alt_names=%d, alt_names=%p, expiration_date=%d)", path, common_name, num_alt_names, alt_names, (int)expiration_date)); @@ -170,6 +171,7 @@ cupsMakeServerCredentials( X509_set_subject_name(cert, name); X509_NAME_free(name); + gens = sk_GENERAL_NAME_new_null(); http_x509_add_san(gens, common_name); if ((common_ptr = strstr(common_name, ".local")) == NULL) { @@ -196,7 +198,7 @@ cupsMakeServerCredentials( } } - // Add extension with dns names and free buffer for GENERAL_NAME + // Add extension with DNS names and free buffer for GENERAL_NAME X509_add1_ext_i2d(cert, NID_subject_alt_name, gens, 0, X509V3_ADD_DEFAULT); sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); @@ -1674,16 +1676,20 @@ http_x509_add_ext(X509 *cert, // I - Certificate // // 'http_x509_add_san()' - Add a subjectAltName to GENERAL_NAMES used for -// the extension to an X.509 certificate. +// the extension to an X.509 certificate. // static void -http_x509_add_san(GENERAL_NAMES *gens, // I - Concatenation of dns names +http_x509_add_san(GENERAL_NAMES *gens, // I - Concatenation of DNS names const char *name) // I - Hostname { - GENERAL_NAME *gen_dns = GENERAL_NAME_new(); + // DNS: name ASN1_IA5STRING *ia5 = ASN1_IA5STRING_new(); + // Hostname string + + + // Set the strings and push it on the GENERAL_NAMES list... ASN1_STRING_set(ia5, name, strlen(name)); GENERAL_NAME_set0_value(gen_dns, GEN_DNS, ia5); sk_GENERAL_NAME_push(gens, gen_dns);
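Review bot: In the CHANGES.md hunk at @@ -21,8 +21,7, the merged entry `Fixed TLS certificate generation bugs (Issue #652)` no longer says what the bug was. The removed line `Generate only one SAN extension for certificate via OpenSSL (Issue #652)` did. Suggest keeping the SAN detail in the single entry, for example "Fixed TLS certificate generation bugs, including generating only one SAN extension with OpenSSL (Issue #652)", so that anyone auditing certificates produced by earlier builds can find the fix from the changelog.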
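Review bot: In the CHANGES.md hunk at @@ -72,8 +71,8, the v2.4.1 heading changes from `27th January 2020` to `2022-01-27`, so the year is corrected as well as the format, unlike the other heading hunks, which only reformat the date. The commit subject only mentions cleanup; suggest noting the date correction in the commit message so the change of year is not mistaken for a typo introduced during reformatting.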
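Review bot: The CHANGES.md hunk at @@ -186,94 +185,3 deletes the whole v2.3.3op2 and v2.3.3op1 history, including the entry `Security: Fixed a buffer (read) overflow in the ippReadIO function (CVE-2020-10001)`, and neither the commit subject nor the remaining file says where that history now lives. Suggest leaving a one-line pointer at the end of CHANGES.md to the file or release that carries the 2.3.x changes, so the CVE fix record stays discoverable from this branch.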
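Review bot: In the cups/tls-openssl.c hunk at @@ -170,6 +171,7, the new `gens = sk_GENERAL_NAME_new_null();` is followed immediately by `http_x509_add_san(gens, common_name);` with no check that the allocation succeeded. Moving the allocation out of the declaration is a good place to add the check: test `gens` for NULL here and take the function's error path before any name is added to the list.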
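Review bot: In the cups/tls-openssl.c hunk at @@ -196,7 +198,7, the return value of `X509_add1_ext_i2d(cert, NID_subject_alt_name, gens, 0, X509V3_ADD_DEFAULT);` is ignored, so a failure to attach the extension would still yield a certificate, just one without a subjectAltName. Since this commit is about getting the SAN extension right, suggest checking the result and failing credential creation (after the `sk_GENERAL_NAME_pop_free` cleanup) when the extension cannot be added. The comment fix from "dns" to "DNS" is fine.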
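Review bot: In the cups/tls-openssl.c hunk at @@ -1674,16 +1676,20, `http_x509_add_san()` uses the results of `ASN1_IA5STRING_new()` and the `gen_dns` allocation without NULL checks, and ignores the results of `ASN1_STRING_set(ia5, name, strlen(name));` and `sk_GENERAL_NAME_push(gens, gen_dns);`. If the push fails, `gen_dns` (which owns `ia5` after `GENERAL_NAME_set0_value`) is leaked and the hostname is silently missing from the certificate. The function returns `void`, so the caller cannot tell; suggest returning a status and freeing `gen_dns` with `GENERAL_NAME_free` on the failure path. The new comment says "Set the strings and push it", which would read better as "Set the string and push it".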