Changelog for
cups154-filters-1.5.4-lp153.8.1.x86_64.rpm :
* Tue Nov 04 2014 jsmeixAATTsuse.de
- Also for SLE12 krb5-devel must be used for build (cf. the entry below dated "Wed Jun 26 10:39:30 CEST 2013") because in contrast to IBS where krb5-mini-devel is available for build in SUSE:SLE-12:GA in OBS it cannot build for SLE_12 with "unresolvable: nothing provides krb5-mini-devel".
* Wed Sep 03 2014 jsmeixAATTsuse.de
- Split those filters, backends, and banners from CUPS 1.5.4 into a cups154-filters sub-package so that CUPS 1.5.4 can be installed without cups154-filters and instead with cups-filters. Those filters, backends, and banners are not strictly required so that the cups154-filters sub-package is only recommended.
- Do no longer obsolete cups-filters because now CUPS 1.5.4 can be used with cups-filters (instead of cups154-filters). This way it is possible to use traditional CUPS 1.5.4 even with the new PDF printing workflow from cups-filters (instead of the PostScript printing workflow from CUPS 1.5.4).
* Tue Sep 02 2014 jsmeixAATTsuse.de
- CUPS traditional version 1.5.4 for the SLE12 "legacy" module. For SLE12 we provide the last traditional CUPS version 1.5.4 as "cups154" RPMs in the SLE12 "legacy" module. This way users where the SLE12 default CUPS version 1.7 does not support their particular needs (in particular users who need a traditional CUPS server with original CUPS Browsing features) can still use CUPS 1.5.4 on SLE12. For those users any (semi)-automated CUPS version upgrade must be prohibited because CUPS > 1.5.4 has major incompatible changes compared to CUPS <= 1.5.4 (see the SLE12 release notes). Therefore the CUPS 1.5.4 RPM package name contains the version and it conflicts with higher versions to avoid that an installed CUPS 1.5.4 gets accidentally replaced with a higher version. It is not possible to have different CUPS libraries versions installed at the same time. The API in the SLE12 default CUPS 1.7 version is compatible with the CUPS 1.5.4 API (existing functions are not changed) but newer CUPS libraries provide some new functions. In openSUSE 13.1 and openSUSE Factory (as of this writing) we still have the traditional CUPS version 1.5.4 so ensure that applications that are built on openSUSE work with the traditional CUPS version 1.5.4 libraries, see http://lists.opensuse.org/opensuse-factory/2013-08/msg00408.html But there could be third-party applications or applications built on SLE12 that might use newer CUPS library functions via configure magic so that such applications would require the current CUPS 1.7 libraries. On SLE12 it is not possible to use CUPS 1.5.4 together with applications that require the current CUPS 1.7 libraries.
- Traditional CUPS 1.5.4 obsoletes any version of cups-filters because CUPS 1.5.4 provides equivalents for those filters via the traditional PostScript workflow.
- CUPS 1.5.4 for SLE12 provides the same simple, safe, and reliably working way how cupsd is launched by systemd as CUPS 1.7 for SLE12 via one same single cups.service systemd unit file so that launching cupsd for SLE12 is compatible with how it had worked for SLE11. Therefore optional fancy systemd features from openSUSE in cups-0001-systemd-add-systemd-socket-activation-and-unit-files.patch cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch cups-0003-systemd-secure-cups.service-unit-file.patch and cups-provides-cupsd-service.patch are dropped in CUPS for SLE12 to avoid various issues as described in bnc#857372 - see in particular https://bugzilla.novell.com/show_bug.cgi?id=857372#c47 https://bugzilla.novell.com/show_bug.cgi?id=857372#c66 https://bugzilla.novell.com/show_bug.cgi?id=857372#c120
- str4450.CVE-2014-3537.str4455.CVE-2014-5029.CVE-2014-5030.CVE-2014-5031.CUPS-1.5.4.patch fixes that the web interface incorrectly served symlinked files and files that were not world-readable, potentially leading to a disclosure of information (CVE-2014-3537 STR #4450 plus the subsequent CVE-2014-5029 CVE-2014-5030 CVE-2014-5031 STR #4455 all in bnc#887240).
* Thu May 22 2014 wernerAATTsuse.de
- Add build require pkgconfig(libsystemd-daemon) to allow to move systemd.pc back to systemd package
* Fri Apr 11 2014 jsmeixAATTsuse.de
- cups-1.5.4-strftime.patch fixes CUPS upstream STR #4388: no or malformed output from lpstat in charset other than utf-8 (bnc#873030).
* Thu Feb 20 2014 jsmeixAATTsuse.de
- Cautious clean up of systemd units via RPM scriptlets (see the entry below dated "Wed Feb 19 15:05:44 CET 2014") does not work reliably because it would leave a messed up systemd setup for cupsd when YaST was used before to start/stop/enable/disable the cupsd, see https://bugzilla.novell.com/show_bug.cgi?id=857372#c115 so that now cups.socket and cups.path are stopped and disabled in any case to ensure starting/stopping/enabling/disabling of the cupsd also works with YaST, see https://bugzilla.novell.com/show_bug.cgi?id=857372#c120 (bnc#857372).
- str4351.patch from CUPS upstream fixes https://www.cups.org/str.php?L4351 "STR #4351 cups-lpd hugh jobs (>2G) fail" (bnc#864782).
* Wed Feb 19 2014 jsmeixAATTsuse.de
- Cautious clean up of systemd units via RPM scriptlets:
  * When /usr/lib/systemd/system/cups.path and/or /usr/lib/systemd/system/cups.socket are in use stop and disable them because they are no longer provided but keep manually set up cups.path and/or cups.socket units.
  * Enforce systemd to use the cups.service file in this package by "systemctl reenable cups.service" if it was enabled (intentionally this does not restart a running cupsd). For details see "rpm -q --scripts cups" and have a look at http://lists.opensuse.org/opensuse-packaging/2014-02/msg00096.html
* Wed Feb 12 2014 jsmeixAATTsuse.de
- Added Begin/End comments in scriptlets for RPM macros so that it is easier to see in the "rpm -q --scripts cups" output what each RPM macro actually does.
* Wed Feb 12 2014 jsmeixAATTsuse.de
- Clean up how cupsd is launched (via SysVinit or systemd) by maintaining strictly separated sections in cups.spec: Either for launching cupsd via systemd (if have_systemd is set) or for launching cupsd via SysVinit (if have_systemd is not set). SysVinit support cannot be removed because CUPS 1.5.4 is provided for SLE11 in the OBS devel project "Printing".
* Wed Feb 05 2014 jsmeixAATTsuse.de
- cups-1.5.4-CVE-2012-5519.patch adds better default protection against misuse of privileges by normal users who have been specifically allowed by root to do cupsd configuration changes (CUPS STR#4223 CVE-2012-5519 Novell/Suse Bugzilla bnc#789566). The new ConfigurationChangeRestriction cupsd.conf directive specifies the level of restriction for cupsd.conf changes that happen via HTTP/IPP requests to the running cupsd (e.g. via CUPS web interface or via the cupsctl command). By default certain cupsd.conf directives that deal with filenames, paths, and users can no longer be changed via requests to the running cupsd but only by manual editing the cupsd.conf file and its default file permissions permit only root to write the cupsd.conf file. Those directives are: ConfigurationChangeRestriction, AccessLog, BrowseLDAPCACertFile, CacheDir, ConfigFilePerm, DataDir, DocumentRoot, ErrorLog, FatalErrors, FileDevice, FontPath, Group, JobPrivateAccess, JobPrivateValues, LogFilePerm, PageLog, Printcap, PrintcapFormat, PrintcapGUI, RemoteRoot, RequestRoot, ServerBin, ServerCertificate, ServerKey, ServerRoot, StateDir, SubscriptionPrivateAccess, SubscriptionPrivateValues, SystemGroup, SystemGroupAuthKey, TempDir, User, WebInterface.
- The default group of users who are allowed to do cupsd configuration changes via requests to the running cupsd (i.e. the SystemGroup directive in cupsd.conf) is set to 'root' only.
- In this context a general security advice: When root allows normal users to do system administration tasks (in particular when root allows normal users to administer system processes - i.e. processes that run as root), then this or that kind of privilege escalation will be possible. Only trustworthy users who do not misuse their privileges may get allowed to do specific system administration tasks.
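
An added example, not part of the package changelog or the CUPS sources: a check that compares two snapshots of cupsd.conf, reports changes to the directives the Feb 05 2014 entry lists as restricted, and tests whether SystemGroup names root only. The two sample configurations, the lpadmin group and the log paths are constructed for illustration.

```python
# Added example, not code from the cups package; sample configs are constructed.
# Directive list copied from the changelog entry above.
RESTRICTED = """ConfigurationChangeRestriction AccessLog BrowseLDAPCACertFile
CacheDir ConfigFilePerm DataDir DocumentRoot ErrorLog FatalErrors FileDevice
FontPath Group JobPrivateAccess JobPrivateValues LogFilePerm PageLog Printcap
PrintcapFormat PrintcapGUI RemoteRoot RequestRoot ServerBin ServerCertificate
ServerKey ServerRoot StateDir SubscriptionPrivateAccess
SubscriptionPrivateValues SystemGroup SystemGroupAuthKey TempDir User
WebInterface""".split()
BY_LOWER = {d.lower(): d for d in RESTRICTED}  # compare names case-insensitively

def parse(text):
    """Map (enclosing section, lowercased directive) -> list of values."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack = stack[:-1]            # leave <Location>/<Policy>/<Limit>
        elif line.startswith("<"):
            stack.append(line)
        else:
            name, *rest = line.split(None, 1)
            conf.setdefault(("/".join(stack), name.lower()), []).append("".join(rest))
    return conf

def restricted_changes(old_text, new_text):
    """List (section, directive, old, new) for restricted directives that differ."""
    old, new = parse(old_text), parse(new_text)
    return [(sec, BY_LOWER[name], old.get((sec, name)), new.get((sec, name)))
            for sec, name in sorted(set(old) | set(new))
            if name in BY_LOWER and old.get((sec, name)) != new.get((sec, name))]

def system_group_is_root_only(text):
    """True only if an explicit top-level SystemGroup names root and nothing else."""
    values = parse(text).get(("", "systemgroup"), [])
    return [g for v in values for g in v.split()] == ["root"]

OLD = ("SystemGroup root\nErrorLog /var/log/cups/error_log\nLogLevel warn\n"
       "<Policy default>\n  JobPrivateAccess default\n</Policy>\n")
NEW = ("SystemGroup root lpadmin\nErrorLog /srv/logs/cups_error_log\nLogLevel debug\n"
       "<Policy default>\n  JobPrivateAccess all\n</Policy>\n")

if __name__ == "__main__":
    for change in restricted_changes(OLD, NEW):
        print(change)
    print("SystemGroup root only:", system_group_is_root_only(NEW))
```

A configuration without an explicit SystemGroup line makes `system_group_is_root_only` return False, because the check cannot see the compiled-in default.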