REDHAT-BUG-490597
First published: Tue Mar 17 2009(Updated: )
Aaron Sigel of Apple Product Security reported that CUPS did not check Host: HTTP header in the connections to the daemon. This insufficient checking may be of an advantage as part of some other attack, e.g. DNS rebinding attack (however, for such attack, user's web browser or browser plugin must be prone to the DNS rebinding attack). Upstream patch adds check for the Host: header used in clients' requests. It also introduced ServerAlias configuration directive, that must be used to allow clients to use additional valid host names besides those set has hostname or hostname's aliases.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| CUPS |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=335489&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=335489&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=337477&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=337477&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=337478&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=337478&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=337735&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=337735&action=edit
- http://www.cups.org/articles.php?L582
- http://admin.fedoraproject.org/updates/cups-1.3.10-1.fc9
- http://admin.fedoraproject.org/updates/cups-1.3.10-1.fc10
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=532352&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=532352&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=532590&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=532590&action=edit
- https://bugzilla.redhat.com/show_bug.cgi?id=490597
Frequently Asked Questions
What is the severity of REDHAT-BUG-490597?
The severity of REDHAT-BUG-490597 is considered critical due to insufficient validation of the Host: HTTP header.
How do I fix REDHAT-BUG-490597?
To fix REDHAT-BUG-490597, ensure to update the CUPS application to the latest version that addresses the vulnerability.
What are the potential impacts of REDHAT-BUG-490597?
The potential impacts of REDHAT-BUG-490597 include exploitation via DNS rebinding attacks, allowing unauthorized access to resources.
Which software is affected by REDHAT-BUG-490597?
The software affected by REDHAT-BUG-490597 is Apple CUPS.
Who reported the vulnerability REDHAT-BUG-490597?
The vulnerability REDHAT-BUG-490597 was reported by Aaron Sigel of Apple Product Security.
- collector/redhat-bugzilla
- alias/CVE-2009-0164
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/severity
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/apple
- canonical/cups