turn off MD5 Digest authentication by default, because MD5 is marked insecure
This commit is contained in:
parent
9fbfd375a6
commit
456f9aa151
@ -0,0 +1,36 @@
|
|||||||
|
From 887041aaa3f61b87c55b2a746a8813be3d584034 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||||
|
Date: Fri, 19 Nov 2021 12:23:08 +0100
|
||||||
|
Subject: [PATCH] cups/http-support.c: Apply DigestOptions to RFC 2069 support
|
||||||
|
|
||||||
|
Earlier we applied DigestOptions only for devices which implement RFC
|
||||||
|
2617 or RFC 7616, this commit applies it even for RFC 2069 support.
|
||||||
|
|
||||||
|
This issue came up during CentOS Stream/RHEL 9 development, where MD5
|
||||||
|
digest is marked as insecure for authentication/authorization, so it
|
||||||
|
should be turned off in default configurations to prevent security
|
||||||
|
issues.
|
||||||
|
---
|
||||||
|
cups/http-support.c | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/cups/http-support.c b/cups/http-support.c
|
||||||
|
index 209235ee6..3d1208789 100644
|
||||||
|
--- a/cups/http-support.c
|
||||||
|
+++ b/cups/http-support.c
|
||||||
|
@@ -1430,6 +1430,12 @@ _httpSetDigestAuthString(
|
||||||
|
* Use old RFC 2069 Digest method...
|
||||||
|
*/
|
||||||
|
|
||||||
|
+ if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
|
||||||
|
+ {
|
||||||
|
+ DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
|
||||||
|
+ return (0);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* H(A1) = H(username:realm:password) */
|
||||||
|
snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
|
||||||
|
hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
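Review bot: The new guard in `_httpSetDigestAuthString` returns without saying why the whole RFC 2069 branch is rejected, while the comment just above it only names the method in use; a one-line comment before the `if` would spare the next reader a lookup: `/* RFC 2069 Digest defines only MD5 (see the "md5" hash below), so DenyMD5 rejects it outright. */`. The function begins and ends outside the hunk, so it is not visible here whether `cg` is the same globals pointer the RFC 2617/7616 path uses; the patch description says that path already honors DigestOptions, and this hunk only mirrors it. Returning `0` leaves error reporting to the caller; if the caller does not produce a user-visible message, the DEBUG-only note means a printer that offers nothing but RFC 2069 Digest fails authentication with no explanation, which is worth confirming with the auth code that calls this function.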
30
cups.spec
30
cups.spec
@ -17,7 +17,7 @@ Summary: CUPS printing system
|
|||||||
Name: cups
|
Name: cups
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 2.3.3%{OP_VER}
|
Version: 2.3.3%{OP_VER}
|
||||||
Release: 10%{?dist}
|
Release: 11%{?dist}
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
Url: https://openprinting.github.io/cups/
|
Url: https://openprinting.github.io/cups/
|
||||||
# Apple stopped uploading the new versions into github, use OpenPrinting fork
|
# Apple stopped uploading the new versions into github, use OpenPrinting fork
|
||||||
@ -97,6 +97,8 @@ Patch23: 0001-cups-md5passwd.c-Stub-out-httpMD5-functions.patch
|
|||||||
Patch24: cups-deprecate-drivers.patch
|
Patch24: cups-deprecate-drivers.patch
|
||||||
# 2022610 - compile with -fstack-protector-strong if available
|
# 2022610 - compile with -fstack-protector-strong if available
|
||||||
Patch25: cups-fstack-strong.patch
|
Patch25: cups-fstack-strong.patch
|
||||||
|
# Applying DigestOptions to MD5 Digest authentication defined by RFC 2069
|
||||||
|
Patch26: 0001-cups-http-support.c-Apply-DigestOptions-to-RFC-2069-.patch
|
||||||
|
|
||||||
##### Patches removed because IMHO they aren't no longer needed
|
##### Patches removed because IMHO they aren't no longer needed
|
||||||
##### but still I'll leave them in git in case their removal
|
##### but still I'll leave them in git in case their removal
|
||||||
@ -322,6 +324,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
|
|||||||
%patch24 -p1 -b .deprecated-drivers
|
%patch24 -p1 -b .deprecated-drivers
|
||||||
# 2022610 - compile with fstack-protector-strong if available
|
# 2022610 - compile with fstack-protector-strong if available
|
||||||
%patch25 -p1 -b .fstack-strong
|
%patch25 -p1 -b .fstack-strong
|
||||||
|
# apply DigestOptions for MD5 Digest authentication defined by RFC 2069
|
||||||
|
%patch26 -p1 -b .no-digest-rfc2069
|
||||||
|
|
||||||
|
|
||||||
%if %{lspp}
|
%if %{lspp}
|
||||||
@ -420,6 +424,18 @@ touch %{buildroot}%{_sysconfdir}/cups/client.conf
|
|||||||
touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf
|
touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf
|
||||||
touch %{buildroot}%{_sysconfdir}/cups/lpoptions
|
touch %{buildroot}%{_sysconfdir}/cups/lpoptions
|
||||||
|
|
||||||
|
# deny MD5 digest authentication by default in client.conf
|
||||||
|
cat > %{buildroot}%{_sysconfdir}/cups/client.conf <<EOF
|
||||||
|
# MD5 Digest authentication is turned off by default
|
||||||
|
# because MD5 is marked as insecure for authentication.
|
||||||
|
#
|
||||||
|
# If you need MD5 Digest authentication and you are aware of
|
||||||
|
# potential security risk, turn MD5 Digest authentication on
|
||||||
|
# by changing the directive value to 'None'.
|
||||||
|
|
||||||
|
DigestOptions DenyMD5
|
||||||
|
EOF
|
||||||
|
|
||||||
# LSB 3.2 printer driver directory
|
# LSB 3.2 printer driver directory
|
||||||
mkdir -p %{buildroot}%{_datadir}/ppd
|
mkdir -p %{buildroot}%{_datadir}/ppd
|
||||||
|
|
||||||
@ -464,6 +480,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
|
|||||||
%post
|
%post
|
||||||
%systemd_post %{name}.path %{name}.socket %{name}.service
|
%systemd_post %{name}.path %{name}.socket %{name}.service
|
||||||
|
|
||||||
|
# remove this after F36 is EOL
|
||||||
|
# - previously the file was empty by default, so check whether the directive exists
|
||||||
|
# and if not, add the directive+value
|
||||||
|
# - we don't check for directive value in case some users already know they need MD5
|
||||||
|
# Digest authentication, so we won't break their setup with every update
|
||||||
|
# - ^\s* prevents matching comments and ignores whitespaces at the beginning
|
||||||
|
grep '^\s*DigestOptions' %{_sysconfdir}/cups/client.conf &> /dev/null || echo 'DigestOptions DenyMD5' \
|
||||||
|
>> %{_sysconfdir}/cups/client.conf
|
||||||
|
|
||||||
%post client
|
%post client
|
||||||
%if %{use_alternatives}
|
%if %{use_alternatives}
|
||||||
/usr/sbin/alternatives --install %{_bindir}/lpr print %{_bindir}/lpr.cups 40 \
|
/usr/sbin/alternatives --install %{_bindir}/lpr print %{_bindir}/lpr.cups 40 \
|
||||||
@ -673,6 +698,9 @@ rm -f %{cups_serverbin}/backend/smb
|
|||||||
%{_mandir}/man7/ippeveps.7.gz
|
%{_mandir}/man7/ippeveps.7.gz
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Nov 22 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
|
||||||
|
- turn off MD5 Digest authentication by default, because MD5 is marked insecure
|
||||||
|
|
||||||
* Fri Nov 12 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-10
|
* Fri Nov 12 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-10
|
||||||
- 2022610 - fix compilation issues reported by annocheck
|
- 2022610 - fix compilation issues reported by annocheck
|
||||||
- 2019845 - Add more warning messages about driver going deprecated (completed)
|
- 2019845 - Add more warning messages about driver going deprecated (completed)
|
||||||
|
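Review bot: The `%post` scriptlet added in the `@ -464,6 +480,15 @@` hunk relies on the bash-only redirection `&> /dev/null`; under a POSIX `sh` that line parses as a backgrounded `grep` followed by a bare redirection, so the `|| echo` branch never runs and the directive is silently not appended. On Fedora and RHEL `/bin/sh` is bash, so this works there, but the portable form costs nothing: `grep -q '^\s*DigestOptions' %{_sysconfdir}/cups/client.conf 2>/dev/null || echo 'DigestOptions DenyMD5' >> %{_sysconfdir}/cups/client.conf`. When client.conf is absent at upgrade time, the `>>` creates it with the scriptlet's umask rather than the mode declared in `%files`, which is outside this section and so cannot be checked here. The file is generated in `%install` and edited by the main package's `%post`, just before `%post client`; it is worth confirming the file belongs to the package whose scriptlet modifies it, otherwise the edit can race or precede the owning subpackage's install.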