turn off MD5 Digest authentication by default, because MD5 is marked insecure
This commit is contained in:
parent
9fbfd375a6
commit
456f9aa151
@ -0,0 +1,36 @@
|
||||
From 887041aaa3f61b87c55b2a746a8813be3d584034 Mon Sep 17 00:00:00 2001
|
||||
From: Zdenek Dohnal <zdohnal@redhat.com>
|
||||
Date: Fri, 19 Nov 2021 12:23:08 +0100
|
||||
Subject: [PATCH] cups/http-support.c: Apply DigestOptions to RFC 2069 support
|
||||
|
||||
Earlier we applied DigestOptions only for devices which implement RFC
|
||||
2617 or RFC 7616, this commit applies it even for RFC 2069 support.
|
||||
|
||||
This issue came up during CentOS Stream/RHEL 9 development, where MD5
|
||||
digest is marked as insecure for authentication/authorization, so it
|
||||
should be turned off in default configurations to prevent security
|
||||
issues.
|
||||
---
|
||||
cups/http-support.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/cups/http-support.c b/cups/http-support.c
|
||||
index 209235ee6..3d1208789 100644
|
||||
--- a/cups/http-support.c
|
||||
+++ b/cups/http-support.c
|
||||
@@ -1430,6 +1430,12 @@ _httpSetDigestAuthString(
|
||||
* Use old RFC 2069 Digest method...
|
||||
*/
|
||||
|
||||
+ if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
|
||||
+ {
|
||||
+ DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
|
||||
+ return (0);
|
||||
+ }
|
||||
+
|
||||
/* H(A1) = H(username:realm:password) */
|
||||
snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
|
||||
hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
|
||||
--
|
||||
2.31.1
|
||||
|
30
cups.spec
30
cups.spec
@ -17,7 +17,7 @@ Summary: CUPS printing system
|
||||
Name: cups
|
||||
Epoch: 1
|
||||
Version: 2.3.3%{OP_VER}
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
License: ASL 2.0
|
||||
Url: https://openprinting.github.io/cups/
|
||||
# Apple stopped uploading the new versions into github, use OpenPrinting fork
|
||||
@ -97,6 +97,8 @@ Patch23: 0001-cups-md5passwd.c-Stub-out-httpMD5-functions.patch
|
||||
Patch24: cups-deprecate-drivers.patch
|
||||
# 2022610 - compile with -fstack-protector-strong if available
|
||||
Patch25: cups-fstack-strong.patch
|
||||
# Applying DigestOptions to MD5 Digest authentication defined by RFC 2069
|
||||
Patch26: 0001-cups-http-support.c-Apply-DigestOptions-to-RFC-2069-.patch
|
||||
|
||||
##### Patches removed because IMHO they aren't no longer needed
|
||||
##### but still I'll leave them in git in case their removal
|
||||
@ -322,6 +324,8 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
|
||||
%patch24 -p1 -b .deprecated-drivers
|
||||
# 2022610 - compile with fstack-protector-strong if available
|
||||
%patch25 -p1 -b .fstack-strong
|
||||
# apply DigestOptions for MD5 Digest authentication defined by RFC 2069
|
||||
%patch26 -p1 -b .no-digest-rfc2069
|
||||
|
||||
|
||||
%if %{lspp}
|
||||
@ -420,6 +424,18 @@ touch %{buildroot}%{_sysconfdir}/cups/client.conf
|
||||
touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf
|
||||
touch %{buildroot}%{_sysconfdir}/cups/lpoptions
|
||||
|
||||
# deny MD5 digest authentication by default in client.conf
|
||||
cat > %{buildroot}%{_sysconfdir}/cups/client.conf <<EOF
|
||||
# MD5 Digest authentication is turned off by default
|
||||
# because MD5 is marked as insecure for authentication.
|
||||
#
|
||||
# If you need MD5 Digest authentication and you are aware of
|
||||
# potential security risk, turn MD5 Digest authentication on
|
||||
# by changing the directive value to 'None'.
|
||||
|
||||
DigestOptions DenyMD5
|
||||
EOF
|
||||
|
||||
# LSB 3.2 printer driver directory
|
||||
mkdir -p %{buildroot}%{_datadir}/ppd
|
||||
|
||||
@ -464,6 +480,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
|
||||
%post
|
||||
%systemd_post %{name}.path %{name}.socket %{name}.service
|
||||
|
||||
# remove this after F36 is EOL
|
||||
# - previously the file was empty by default, so check whether the directive exists
|
||||
# and if not, add the directive+value
|
||||
# - we don't check for directive value in case some users already know they need MD5
|
||||
# Digest authentication, so we won't break their setup with every update
|
||||
# - ^\s* prevents matching comments and ignores whitespaces at the beginning
|
||||
grep '^\s*DigestOptions' %{_sysconfdir}/cups/client.conf &> /dev/null || echo 'DigestOptions DenyMD5' \
|
||||
>> %{_sysconfdir}/cups/client.conf
|
||||
|
||||
%post client
|
||||
%if %{use_alternatives}
|
||||
/usr/sbin/alternatives --install %{_bindir}/lpr print %{_bindir}/lpr.cups 40 \
|
||||
@ -673,6 +698,9 @@ rm -f %{cups_serverbin}/backend/smb
|
||||
%{_mandir}/man7/ippeveps.7.gz
|
||||
|
||||
%changelog
|
||||
* Mon Nov 22 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-11
|
||||
- turn off MD5 Digest authentication by default, because MD5 is marked insecure
|
||||
|
||||
* Fri Nov 12 2021 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-10
|
||||
- 2022610 - fix compilation issues reported by annocheck
|
||||
- 2019845 - Add more warning messages about driver going deprecated (completed)
|
||||
|
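Review bot: The idempotency guard in the %post scriptlet, `grep '^\s*DigestOptions' %{_sysconfdir}/cups/client.conf`, is case-sensitive, while CUPS matches client.conf directive names case-insensitively as far as I recall, so a user who wrote e.g. `digestoptions None` would get `DigestOptions DenyMD5` appended after their line and, if the last occurrence wins at parse time, MD5 Digest would be denied on upgrade, which is exactly what the comment above the grep says the scriptlet must not do. `grep -i` closes that gap, and `-q` is the portable spelling of the `&> /dev/null` redirection, which is a bashism that a POSIX /bin/sh would parse as backgrounding grep: `grep -iq '^\s*DigestOptions\b' %{_sysconfdir}/cups/client.conf || echo 'DigestOptions DenyMD5' >> %{_sysconfdir}/cups/client.conf`. The `\b` additionally prevents a prefix match on any longer directive name. Whether the appended line and the heredoc-generated default from %install survive later upgrades depends on client.conf being %config(noreplace) in %files, which is outside this diff.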