import CS cups-2.3.3op2-33.el9

SOURCES/0001-Add-NoSystem-SSLOptions-value.patch

@@ -0,0 +1,174 @@
+From 40e62848ab3aa94b98dfaf1334e1c478c266bc73 Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Tue, 7 Jan 2025 15:12:15 +0100
+Subject: [PATCH] Add `NoSystem` SSLOptions value
+
+In case using system crypto policy breaks communication with device
+irreversibly (f.e. if device does not support better key exchange
+algorithm), the new option value gives a way how to opt-out from crypto
+policy if user do not want to change default system crypto policy for
+the whole machine.
+---
+ CHANGES.md                    | 1 +
+ cups/http-private.h           | 3 ++-
+ cups/tls-gnutls.c             | 7 ++++++-
+ cups/usersys.c                | 2 ++
+ doc/help/man-client.conf.html | 3 ++-
+ doc/help/man-cupsd.conf.html  | 5 +++--
+ man/client.conf.5             | 3 ++-
+ man/cupsd.conf.5              | 3 ++-
+ scheduler/conf.c              | 2 ++
+ 9 files changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/cups/http-private.h b/cups/http-private.h
+index 5f77b8ef0..f248bbb8d 100644
+--- a/cups/http-private.h
++++ b/cups/http-private.h
+@@ -131,7 +131,8 @@ extern "C" {
+ #  define _HTTP_TLS_ALLOW_RC4	1	/* Allow RC4 cipher suites */
+ #  define _HTTP_TLS_ALLOW_DH	2	/* Allow DH/DHE key negotiation */
+ #  define _HTTP_TLS_DENY_CBC	4	/* Deny CBC cipher suites */
+-#  define _HTTP_TLS_SET_DEFAULT 128     /* Setting the default TLS options */
++#  define _HTTP_TLS_NO_SYSTEM	8	/* No system crypto policy */
++#  define _HTTP_TLS_SET_DEFAULT 128	/* Setting the default TLS options */
+ 
+ #  define _HTTP_TLS_SSL3	0	/* Min/max version is SSL/3.0 */
+ #  define _HTTP_TLS_1_0		1	/* Min/max version is TLS/1.0 */
+diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
+index 719161da7..e8224b217 100644
+--- a/cups/tls-gnutls.c
++++ b/cups/tls-gnutls.c
+@@ -1285,6 +1285,8 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
+ 
+   DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+ 
++  priority_string[0] = '\0';
++
+   if (tls_options < 0)
+   {
+     DEBUG_puts("4_httpTLSStart: Setting defaults.");
+@@ -1504,7 +1506,10 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
+     return (-1);
+   }
+ 
+-  strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string));
++  if (!(tls_options & _HTTP_TLS_NO_SYSTEM))
++    strlcpy(priority_string, "@SYSTEM,", sizeof(priority_string));
++
++  strlcat(priority_string, "NORMAL", sizeof(priority_string));
+ 
+   if (tls_max_version < _HTTP_TLS_MAX)
+   {
+diff --git a/cups/usersys.c b/cups/usersys.c
+index f752159b0..607587307 100644
+--- a/cups/usersys.c
++++ b/cups/usersys.c
+@@ -1608,6 +1608,8 @@ cups_set_ssl_options(
+       min_version = _HTTP_TLS_1_3;
+     else if (!_cups_strcasecmp(start, "None"))
+       options = _HTTP_TLS_NONE;
++    else if (!_cups_strcasecmp(start, "NoSystem"))
++      options |= _HTTP_TLS_NO_SYSTEM;
+   }
+ 
+   cc->ssl_options     = options;
+diff --git a/doc/help/man-client.conf.html b/doc/help/man-client.conf.html
+index 81cd73a1a..9194481bb 100644
+--- a/doc/help/man-client.conf.html
++++ b/doc/help/man-client.conf.html
+@@ -44,7 +44,7 @@ CUPS adds the remote hostname ("name@server.example.com") for you. The default n
+ <b>Note: This directive is not supported on macOS 10.7 or later.</b>
+ <dt><b>ServerName </b><i>hostname-or-ip-address</i>[<i>:port</i>]<b>/version=1.1</b>
+ <dd style="margin-left: 5.0em">Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
+-<dt><a name="SSLOptions"></a><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>]
++<dt><a name="SSLOptions"></a><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>] [<i>NoSystem</i>]
+ <dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
+ <dd style="margin-left: 5.0em">Sets encryption options (only in /etc/cups/client.conf).
+ By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
+@@ -57,6 +57,7 @@ The <i>DenyCBC</i> option disables all CBC cipher suites.
+ The <i>DenyTLS1.0</i> option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+ The <i>MinTLS</i> options set the minimum TLS version to support.
+ The <i>MaxTLS</i> options set the maximum TLS version to support.
++The <i>NoSystem</i> option disables applying system cryptographic policy.
+ Not all operating systems support TLS 1.3 at this time.
+ <dt><a name="TrustOnFirstUse"></a><b>TrustOnFirstUse Yes</b>
+ <dd style="margin-left: 5.0em"><dt><b>TrustOnFirstUse No</b>
+diff --git a/doc/help/man-cupsd.conf.html b/doc/help/man-cupsd.conf.html
+index 4fd42f314..4a5395387 100644
+--- a/doc/help/man-cupsd.conf.html
++++ b/doc/help/man-cupsd.conf.html
+@@ -285,7 +285,7 @@ The default is "Minimal".
+ <dd style="margin-left: 5.0em"><dt><b>SSLListen [</b><i>ipv6-address</i><b>]:</b><i>port</i>
+ <dd style="margin-left: 5.0em"><dt><b>SSLListen *:</b><i>port</i>
+ <dd style="margin-left: 5.0em">Listens on the specified address and port for encrypted connections.
+-<dt><a name="SSLOptions"></a><dt><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>]
++<dt><a name="SSLOptions"></a><dt><b>SSLOptions </b>[<i>AllowDH</i>] [<i>AllowRC4</i>] [<i>AllowSSL3</i>] [<i>DenyCBC</i>] [<i>DenyTLS1.0</i>] [<i>MaxTLS1.0</i>] [<i>MaxTLS1.1</i>] [<i>MaxTLS1.2</i>] [<i>MaxTLS1.3</i>] [<i>MinTLS1.0</i>] [<i>MinTLS1.1</i>] [<i>MinTLS1.2</i>] [<i>MinTLS1.3</i>] [<i>NoSystem</i>]
+ <dd style="margin-left: 5.0em"><dt><b>SSLOptions None</b>
+ <dd style="margin-left: 5.0em">Sets encryption options (only in /etc/cups/client.conf).
+ By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
+@@ -298,6 +298,7 @@ The <i>DenyCBC</i> option disables all CBC cipher suites.
+ The <i>DenyTLS1.0</i> option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+ The <i>MinTLS</i> options set the minimum TLS version to support.
+ The <i>MaxTLS</i> options set the maximum TLS version to support.
++The <i>NoSystem</i> option disables applying system cryptographic policy.
+ Not all operating systems support TLS 1.3 at this time.
+ <dt><a name="SSLPort"></a><b>SSLPort </b><i>port</i>
+ <dd style="margin-left: 5.0em">Listens on the specified port for encrypted connections.
+diff --git a/man/client.conf.5 b/man/client.conf.5
+index 54808c09f..56d6ec3ec 100644
+--- a/man/client.conf.5
++++ b/man/client.conf.5
+@@ -67,7 +67,7 @@ Specifies the address and optionally the port to use when connecting to the serv
+ Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
+ .\"#SSLOptions
+ .TP 5
+-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
++\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR]
+ .TP 5
+ \fBSSLOptions None\fR
+ Sets encryption options (only in /etc/cups/client.conf).
+@@ -81,6 +81,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites.
+ The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+ The \fIMinTLS\fR options set the minimum TLS version to support.
+ The \fIMaxTLS\fR options set the maximum TLS version to support.
++The \fINoSystem\fR option disables applying system cryptographic policy.
+ Not all operating systems support TLS 1.3 at this time.
+ .\"#TrustOnFirstUse
+ .TP 5
+diff --git a/man/cupsd.conf.5 b/man/cupsd.conf.5
+index fd5762dfd..4e1a7ca81 100644
+--- a/man/cupsd.conf.5
++++ b/man/cupsd.conf.5
+@@ -447,7 +447,7 @@ Listens on the specified address and port for encrypted connections.
+ .\"#SSLOptions
+ .TP 5
+ .TP 5
+-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
++\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR] [\fINoSystem\fR]
+ .TP 5
+ \fBSSLOptions None\fR
+ Sets encryption options (only in /etc/cups/client.conf).
+@@ -461,6 +461,7 @@ The \fIDenyCBC\fR option disables all CBC cipher suites.
+ The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+ The \fIMinTLS\fR options set the minimum TLS version to support.
+ The \fIMaxTLS\fR options set the maximum TLS version to support.
++The \fINoSystem\fR option disables applying system cryptographic policy.
+ Not all operating systems support TLS 1.3 at this time.
+ .\"#SSLPort
+ .TP 5
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 3184d72f0..3bf176479 100644
+--- a/scheduler/conf.c
++++ b/scheduler/conf.c
+@@ -3054,6 +3054,8 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ 	    min_version = _HTTP_TLS_1_3;
+ 	  else if (!_cups_strcasecmp(start, "None"))
+ 	    options = _HTTP_TLS_NONE;
++	  else if (!_cups_strcasecmp(start, "NoSystem"))
++	    options |= _HTTP_TLS_NO_SYSTEM;
+ 	  else if (_cups_strcasecmp(start, "NoEmptyFragments"))
+ 	    cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum);
+         }
+-- 
+2.47.1
+

SOURCES/0001-fix-warnings-for-unused-vars.patch

@@ -0,0 +1,24 @@
+diff -up cups-2.3.3op2/cups/ppd-cache.c.fix-warn cups-2.3.3op2/cups/ppd-cache.c
+--- cups-2.3.3op2/cups/ppd-cache.c.fix-warn	2024-09-30 17:30:39.098043436 +0200
++++ cups-2.3.3op2/cups/ppd-cache.c	2024-09-30 17:31:30.738393111 +0200
+@@ -3051,8 +3051,7 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+   int                   resolutions[1000];
+                                         /* Array of resolution indices */
+   char			msgid[256];	/* Message identifier (attr.value) */
+-  const char		*keyword,	/* Keyword value */
+-			*msgstr;	/* Localized string */
++  const char		*keyword;	/* Keyword value */
+   cups_lang_t		*lang = cupsLangDefault();
+ 					/* Localization info */
+   cups_array_t		*strings = NULL;/* Printer strings file */
+@@ -4661,9 +4660,8 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+     {
+       ipp_t	*preset = ippGetCollection(attr, i);
+ 					/* Preset collection */
+-      const char *preset_name = ippGetString(ippFindAttribute(preset, "preset-name", IPP_TAG_ZERO), 0, NULL),
++      const char *preset_name = ippGetString(ippFindAttribute(preset, "preset-name", IPP_TAG_ZERO), 0, NULL);
+ 					/* Preset name */
+-		*localized_name;	/* Localized preset name */
+       ipp_attribute_t *member;		/* Member attribute in preset */
+       const char *member_name;		/* Member attribute name */
+       char      	member_value[256];	/* Member attribute value */

SOURCES/0001-mirror-ipp-everywhere-printer-changes-from-master.patch

@@ -0,0 +1,57 @@
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index 977d0c6..c484d33 100644
+--- a/cups/ppd-cache.c
++++ b/cups/ppd-cache.c
+@@ -3134,10 +3134,10 @@ _ppdCreateFromIPP(char   *buffer,	/* I - Filename buffer */
+   cupsFilePuts(fp, "*cupsSNMPSupplies: False\n");
+   cupsFilePrintf(fp, "*cupsLanguages: \"%s\"\n", lang->language);
+ 
+-  if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) != NULL)
++  if ((attr = ippFindAttribute(response, "printer-more-info", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+     cupsFilePrintf(fp, "*APSupplies: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+-  if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL)
++  if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+     cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+   if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL)
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index 728d164..5089172 100644
+--- a/scheduler/ipp.c
++++ b/scheduler/ipp.c
+@@ -5773,6 +5773,18 @@ create_local_bg_thread(
+     cupsdLogMessage(CUPSD_LOG_DEBUG, "%s: IPP/1.1 Get-Printer-Attributes returned %s (%s)", printer->name, ippErrorString(cupsLastError()), cupsLastErrorString());
+   }
+ 
++  // Validate response from printer...
++  if (!ippValidateAttributes(response))
++  {
++    cupsdLogMessage(CUPSD_LOG_ERROR, "%s: The printer contains invalid attributes.", printer->name);
++
++    if (response)
++      ippDelete(response);
++
++    httpClose(http);
++    return (NULL);
++  }
++
+   // TODO: Grab printer icon file...
+   httpClose(http);
+ 
+diff --git a/systemv/lpadmin.c b/systemv/lpadmin.c
+index daf24d5..eba7551 100644
+--- a/systemv/lpadmin.c
++++ b/systemv/lpadmin.c
+@@ -1226,6 +1226,12 @@ get_printer_ppd(
+   ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", sizeof(pattrs) / sizeof(pattrs[0]), NULL, pattrs);
+   response = cupsDoRequest(http, request, resource);
+ 
++  if (response && !ippValidateAttributes(response))
++  {
++    _cupsLangPrintf(stderr, _("%s: The printer \"%s\" contains invalid IPP attributes."), "lpadmin", uri);
++    return (NULL);
++  }
++
+   if (cupsLastError() >= IPP_STATUS_REDIRECTION_OTHER_SITE)
+   {
+     _cupsLangPrintf(stderr, _("%s: Unable to query printer: %s"), "lpadmin", cupsLastErrorString());

SOURCES/0001-ppdize-preset-and-template-names.patch

@@ -0,0 +1,116 @@
+From e0630cd18f76340d302000f2bf6516e99602b844 Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <msweet@msweet.org>
+Date: Mon, 9 Sep 2024 15:59:57 -0400
+Subject: [PATCH] PPDize preset and template names.
+
+---
+ cups/ppd-cache.c | 33 ++++++++++++++++++++++++---------
+ 1 file changed, 24 insertions(+), 9 deletions(-)
+
+diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
+index 986c64f73..18c38d0ee 100644
+--- a/cups/ppd-cache.c
++++ b/cups/ppd-cache.c
+@@ -4975,12 +4975,14 @@ _ppdCreateFromIPP2(
+ 
+       cupsArrayAdd(templates, (void *)keyword);
+ 
++      pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
++
+       snprintf(msgid, sizeof(msgid), "finishing-template.%s", keyword);
+       if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+ 	if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+ 	  msgstr = keyword;
+ 
+-      cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", keyword);
++      cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
+       for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; finishing_attr = ippNextAttribute(finishing_col))
+       {
+         if (ippGetValueTag(finishing_attr) == IPP_TAG_BEGIN_COLLECTION)
+@@ -4993,7 +4995,7 @@ _ppdCreateFromIPP2(
+ 	}
+       }
+       cupsFilePuts(fp, "\"\n");
+-      cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, keyword, msgstr);
++      cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, ppdname, msgstr);
+       cupsFilePuts(fp, "*End\n");
+     }
+ 
+@@ -5039,7 +5041,8 @@ _ppdCreateFromIPP2(
+       if (!preset || !preset_name)
+         continue;
+ 
+-      cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", preset_name);
++      pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
++      cupsFilePrintf(fp, "*APPrinterPreset %s: \"\n", ppdname);
+       for (member = ippFirstAttribute(preset); member; member = ippNextAttribute(preset))
+       {
+         member_name = ippGetName(member);
+@@ -5080,7 +5083,10 @@ _ppdCreateFromIPP2(
+             fin_col = ippGetCollection(member, i);
+ 
+             if ((keyword = ippGetString(ippFindAttribute(fin_col, "finishing-template", IPP_TAG_ZERO), 0, NULL)) != NULL)
+-              cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", keyword);
++            {
++              pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
++              cupsFilePrintf(fp, "*cupsFinishingTemplate %s\n", ppdname);
++            }
+           }
+         }
+         else if (!strcmp(member_name, "media"))
+@@ -5107,13 +5113,13 @@ _ppdCreateFromIPP2(
+           if ((keyword = ippGetString(ippFindAttribute(media_col, "media-source", IPP_TAG_ZERO), 0, NULL)) != NULL)
+           {
+             pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+-            cupsFilePrintf(fp, "*InputSlot %s\n", keyword);
++            cupsFilePrintf(fp, "*InputSlot %s\n", ppdname);
+ 	  }
+ 
+           if ((keyword = ippGetString(ippFindAttribute(media_col, "media-type", IPP_TAG_ZERO), 0, NULL)) != NULL)
+           {
+             pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+-            cupsFilePrintf(fp, "*MediaType %s\n", keyword);
++            cupsFilePrintf(fp, "*MediaType %s\n", ppdname);
+ 	  }
+         }
+         else if (!strcmp(member_name, "print-quality"))
+@@ -5159,7 +5165,10 @@ _ppdCreateFromIPP2(
+       cupsFilePuts(fp, "\"\n*End\n");
+ 
+       if ((localized_name = _cupsMessageLookup(strings, preset_name)) != preset_name)
+-        cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, preset_name, localized_name);
++      {
++        pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
++        cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, ppdname, localized_name);
++      }
+     }
+   }
+ 
+@@ -5543,7 +5552,7 @@ pwg_ppdize_name(const char *ipp,	/* I - IPP keyword */
+ 	*end;				/* End of name buffer */
+ 
+ 
+-  if (!ipp)
++  if (!ipp || !_cups_isalnum(*ipp))
+   {
+     *name = '\0';
+     return;
+@@ -5558,8 +5567,14 @@ pwg_ppdize_name(const char *ipp,	/* I - IPP keyword */
+       ipp ++;
+       *ptr++ = (char)toupper(*ipp++ & 255);
+     }
+-    else
++    else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || _cups_isalnum(*ipp))
++    {
+       *ptr++ = *ipp++;
++    }
++    else
++    {
++      ipp ++;
++    }
+   }
+ 
+   *ptr = '\0';
+-- 
+2.46.1
+

SOURCES/0001-quote-ppd-localized-strings.patch

@@ -0,0 +1,220 @@
+diff -up cups-2.3.3op2/cups/ppd-cache.c.quote-ppd-strings cups-2.3.3op2/cups/ppd-cache.c
+--- cups-2.3.3op2/cups/ppd-cache.c.quote-ppd-strings	2024-09-30 17:24:43.345405200 +0200
++++ cups-2.3.3op2/cups/ppd-cache.c	2024-09-30 17:29:35.752595925 +0200
+@@ -29,6 +29,7 @@
+  */
+ 
+ static int	cups_get_url(http_t **http, const char *url, char *name, size_t namesize);
++static void	ppd_put_string(cups_file_t *fp, cups_lang_t *lang, cups_array_t *strings, const char *ppd_option, const char *ppd_choice, const char *pwg_msgid);
+ static void	pwg_add_finishing(cups_array_t *finishings, ipp_finishings_t template, const char *name, const char *value);
+ static void	pwg_add_message(cups_array_t *a, const char *msg, const char *str);
+ static int	pwg_compare_finishings(_pwg_finishings_t *a, _pwg_finishings_t *b);
+@@ -3211,7 +3212,7 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+   if ((attr = ippFindAttribute(response, "printer-charge-info-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+     cupsFilePrintf(fp, "*cupsChargeInfoURI: \"%s\"\n", ippGetString(attr, 0, NULL));
+ 
+-  if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL)
++  if ((attr = ippFindAttribute(response, "printer-strings-uri", IPP_TAG_URI)) != NULL && ippValidateAttribute(attr))
+   {
+     http_t	*http = NULL;		/* Connection to printer */
+     char	stringsfile[1024];	/* Temporary strings file */
+@@ -3768,13 +3769,16 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+ 	cupsFilePrintf(fp, "*DefaultInputSlot: %s\n", ppdname);
+ 
+       for (j = 0; j < (int)(sizeof(sources) / sizeof(sources[0])); j ++)
++      {
+         if (!strcmp(sources[j], keyword))
+ 	{
+ 	  snprintf(msgid, sizeof(msgid), "media-source.%s", keyword);
++
+ 	  cupsFilePrintf(fp, "*InputSlot %s: \"<</MediaPosition %d>>setpagedevice\"\n", ppdname, j);
+-	  cupsFilePrintf(fp, "*%s.InputSlot %s/%s: \"\"\n", lang->language, ppdname, _cupsLangString(lang, msgid));
++	  ppd_put_string(fp, lang, strings, "InputSlot", ppdname, msgid);
+ 	  break;
+ 	}
++      }
+     }
+     cupsFilePuts(fp, "*CloseUI: *InputSlot\n");
+   }
+@@ -3800,12 +3804,9 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+       pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+ 
+       snprintf(msgid, sizeof(msgid), "media-type.%s", keyword);
+-      if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	  msgstr = keyword;
+ 
+       cupsFilePrintf(fp, "*MediaType %s: \"<</MediaType(%s)>>setpagedevice\"\n", ppdname, ppdname);
+-      cupsFilePrintf(fp, "*%s.MediaType %s/%s: \"\"\n", lang->language, ppdname, msgstr);
++      ppd_put_string(fp, lang, strings, "MediaType", ppdname, msgid);
+     }
+     cupsFilePuts(fp, "*CloseUI: *MediaType\n");
+   }
+@@ -4035,12 +4036,9 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+       pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+ 
+       snprintf(msgid, sizeof(msgid), "output-bin.%s", keyword);
+-      if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	  msgstr = keyword;
+ 
+       cupsFilePrintf(fp, "*OutputBin %s: \"\"\n", ppdname);
+-      cupsFilePrintf(fp, "*%s.OutputBin %s/%s: \"\"\n", lang->language, ppdname, msgstr);
++      ppd_put_string(fp, lang, strings, "OutputBin", ppdname, msgid);
+ 
+       if ((tray_ptr = ippGetOctetString(trays, i, &tray_len)) != NULL)
+       {
+@@ -4159,9 +4157,6 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+         cupsArrayAdd(names, (char *)keyword);
+ 
+ 	snprintf(msgid, sizeof(msgid), "finishings.%d", value);
+-	if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	  if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	    msgstr = keyword;
+ 
+         if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
+           ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
+@@ -4176,7 +4171,7 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+           continue;
+ 
+ 	cupsFilePrintf(fp, "*StapleLocation %s: \"\"\n", ppd_keyword);
+-	cupsFilePrintf(fp, "*%s.StapleLocation %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
++	ppd_put_string(fp, lang, strings, "StapleLocation", ppd_keyword, msgid);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*StapleLocation %s\"\n", value, keyword, ppd_keyword);
+       }
+ 
+@@ -4239,9 +4234,6 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+         cupsArrayAdd(names, (char *)keyword);
+ 
+ 	snprintf(msgid, sizeof(msgid), "finishings.%d", value);
+-	if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	  if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	    msgstr = keyword;
+ 
+         if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
+           ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
+@@ -4256,7 +4248,7 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+           continue;
+ 
+ 	cupsFilePrintf(fp, "*FoldType %s: \"\"\n", ppd_keyword);
+-	cupsFilePrintf(fp, "*%s.FoldType %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
++	ppd_put_string(fp, lang, strings, "FoldType", ppd_keyword, msgid);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*FoldType %s\"\n", value, keyword, ppd_keyword);
+       }
+ 
+@@ -4327,9 +4319,6 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+         cupsArrayAdd(names, (char *)keyword);
+ 
+ 	snprintf(msgid, sizeof(msgid), "finishings.%d", value);
+-	if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	  if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	    msgstr = keyword;
+ 
+         if (value >= IPP_FINISHINGS_NONE && value <= IPP_FINISHINGS_LAMINATE)
+           ppd_keyword = base_keywords[value - IPP_FINISHINGS_NONE];
+@@ -4344,7 +4333,7 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+           continue;
+ 
+ 	cupsFilePrintf(fp, "*PunchMedia %s: \"\"\n", ppd_keyword);
+-	cupsFilePrintf(fp, "*%s.PunchMedia %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
++	ppd_put_string(fp, lang, strings, "PunchMedia", ppd_keyword, msgid);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*PunchMedia %s\"\n", value, keyword, ppd_keyword);
+       }
+ 
+@@ -4415,9 +4404,6 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+         cupsArrayAdd(names, (char *)keyword);
+ 
+ 	snprintf(msgid, sizeof(msgid), "finishings.%d", value);
+-	if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	  if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	    msgstr = keyword;
+ 
+         if (value == IPP_FINISHINGS_TRIM)
+           ppd_keyword = "Auto";
+@@ -4425,7 +4411,7 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+ 	  ppd_keyword = trim_keywords[value - IPP_FINISHINGS_TRIM_AFTER_PAGES];
+ 
+ 	cupsFilePrintf(fp, "*CutMedia %s: \"\"\n", ppd_keyword);
+-	cupsFilePrintf(fp, "*%s.CutMedia %s/%s: \"\"\n", lang->language, ppd_keyword, msgstr);
++	ppd_put_string(fp, lang, strings, "CutMedia", ppd_keyword, msgid);
+ 	cupsFilePrintf(fp, "*cupsIPPFinishings %d/%s: \"*CutMedia %s\"\n", value, keyword, ppd_keyword);
+       }
+ 
+@@ -4467,9 +4453,6 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+       pwg_ppdize_name(keyword, ppdname, sizeof(ppdname));
+ 
+       snprintf(msgid, sizeof(msgid), "finishing-template.%s", keyword);
+-      if ((msgstr = _cupsLangString(lang, msgid)) == msgid || !strcmp(msgid, msgstr))
+-	if ((msgstr = _cupsMessageLookup(strings, msgid)) == msgid)
+-	  msgstr = keyword;
+ 
+       cupsFilePrintf(fp, "*cupsFinishingTemplate %s: \"\n", ppdname);
+       for (finishing_attr = ippFirstAttribute(finishing_col); finishing_attr; finishing_attr = ippNextAttribute(finishing_col))
+@@ -4484,7 +4467,7 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+ 	}
+       }
+       cupsFilePuts(fp, "\"\n");
+-      cupsFilePrintf(fp, "*%s.cupsFinishingTemplate %s/%s: \"\"\n", lang->language, ppdname, msgstr);
++      ppd_put_string(fp, lang, strings, "cupsFinishingTemplate", ppdname, msgid);
+       cupsFilePuts(fp, "*End\n");
+     }
+ 
+@@ -4811,11 +4794,9 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+ 
+       cupsFilePuts(fp, "\"\n*End\n");
+ 
+-      if ((localized_name = _cupsMessageLookup(strings, preset_name)) != preset_name)
+-      {
+-        pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
+-        cupsFilePrintf(fp, "*%s.APPrinterPreset %s/%s: \"\"\n", lang->language, ppdname, localized_name);
+-      }
++      snprintf(msgid, sizeof(msgid), "preset-name.%s", preset_name);
++      pwg_ppdize_name(preset_name, ppdname, sizeof(ppdname));
++      ppd_put_string(fp, lang, strings, "APPrinterPreset", ppdname, msgid);
+     }
+   }
+ 
+@@ -5054,6 +5035,43 @@ cups_get_url(http_t     **http,		/* IO -
+ }
+ 
+ 
++/*
++ * 'ppd_put_strings()' - Write localization attributes to a PPD file.
++ */
++
++static void
++ppd_put_string(cups_file_t  *fp,	/* I - PPD file */
++               cups_lang_t  *lang,	/* I - Language */
++               cups_array_t *strings,	/* I - Strings */
++	       const char   *ppd_option,/* I - PPD option */
++	       const char   *ppd_choice,/* I - PPD choice */
++	       const char   *pwg_msgid)	/* I - PWG message ID */
++{
++  const char	*text;			/* Localized text */
++
++
++  if ((text = _cupsLangString(lang, pwg_msgid)) == pwg_msgid || !strcmp(pwg_msgid, text))
++  {
++    if ((text = _cupsMessageLookup(strings, pwg_msgid)) == pwg_msgid)
++      return;
++  }
++
++  // Add the first line of localized text...
++  cupsFilePrintf(fp, "*%s.%s %s/", lang->language, ppd_option, ppd_choice);
++  while (*text && *text != '\n')
++  {
++    // Escape ":" and "<"...
++    if (*text == ':' || *text == '<')
++      cupsFilePrintf(fp, "<%02X>", *text);
++    else
++      cupsFilePutChar(fp, *text);
++
++    text ++;
++  }
++  cupsFilePuts(fp, ": \"\"\n");
++}
++
++
+ /*
+  * 'pwg_add_finishing()' - Add a finishings value.
+  */

SOURCES/0001-refactor-make-and-model-code.patch

@@ -0,0 +1,136 @@
+diff -up cups-2.3.3op2/cups/ppd-cache.c.make-model-refact cups-2.3.3op2/cups/ppd-cache.c
+--- cups-2.3.3op2/cups/ppd-cache.c.make-model-refact	2024-09-30 17:19:35.443100091 +0200
++++ cups-2.3.3op2/cups/ppd-cache.c	2024-09-30 17:24:10.927162954 +0200
+@@ -3027,9 +3027,10 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+   ipp_t			*media_col,	/* Media collection */
+ 			*media_size;	/* Media size collection */
+   char			make[256],	/* Make and model */
+-			*model,		/* Model name */
++			*mptr,		/* Pointer into make and model */
+ 			ppdname[PPD_MAX_NAME];
+ 		    			/* PPD keyword */
++  const char		*model;		/* Model name */
+   int			i, j,		/* Looping vars */
+ 			count,		/* Number of values */
+ 			bottom,		/* Largest bottom margin */
+@@ -3090,35 +3091,105 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
+   }
+ 
+  /*
+-  * Standard stuff for PPD file...
++  * Get a sanitized make and model...
+   */
+ 
+-  cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
+-  cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
+-  cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
+-  cupsFilePuts(fp, "*LanguageVersion: English\n");
+-  cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
+-  cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
+-  cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
+-  cupsFilePuts(fp, "*FileSystem: False\n");
+-  cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
++  if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr))
++  {
++   /*
++    * Sanitize the model name to only contain PPD-safe characters.
++    */
+ 
+-  if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL)
+     strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
++
++    for (mptr = make; *mptr; mptr ++)
++    {
++      if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"')
++      {
++       /*
++	* Truncate the make and model on the first bad character...
++	*/
++
++	*mptr = '\0';
++	break;
++      }
++    }
++
++    while (mptr > make)
++    {
++     /*
++      * Strip trailing whitespace...
++      */
++
++      mptr --;
++      if (*mptr == ' ')
++	*mptr = '\0';
++    }
++
++    if (!make[0])
++    {
++     /*
++      * Use a default make and model if nothing remains...
++      */
++
++      strlcpy(make, "Unknown", sizeof(make));
++    }
++  }
+   else
+-    strlcpy(make, "Unknown Printer", sizeof(make));
++  {
++   /*
++    * Use a default make and model...
++    */
++
++    strlcpy(make, "Unknown", sizeof(make));
++  }
+ 
+   if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) ||
+       !_cups_strncasecmp(make, "Hewlett-Packard ", 16))
+   {
++   /*
++    * Normalize HP printer make and model...
++    */
++
+     model = make + 16;
+     strlcpy(make, "HP", sizeof(make));
++
++    if (!_cups_strncasecmp(model, "HP ", 3))
++      model += 3;
++  }
++  else if ((mptr = strchr(make, ' ')) != NULL)
++  {
++   /*
++    * Separate "MAKE MODEL"...
++    */
++
++    while (*mptr && *mptr == ' ')
++      *mptr++ = '\0';
++
++    model = mptr;
+   }
+-  else if ((model = strchr(make, ' ')) != NULL)
+-    *model++ = '\0';
+   else
+-    model = make;
++  {
++   /*
++    * No separate model name...
++    */
++ 
++    model = "Printer";
++  }
++
++ /*
++  * Standard stuff for PPD file...
++  */
+ 
++  cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
++  cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
++  cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
++  cupsFilePuts(fp, "*LanguageVersion: English\n");
++  cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
++  cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
++  cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
++  cupsFilePuts(fp, "*FileSystem: False\n");
++  cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
+   cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make);
+   cupsFilePrintf(fp, "*ModelName: \"%s\"\n", model);
+   cupsFilePrintf(fp, "*Product: \"(%s)\"\n", model);

SOURCES/0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch

@@ -0,0 +1,31 @@
+From 331a202a87db30b5d1d5386ccc99de6843eef03e Mon Sep 17 00:00:00 2001
+From: Zdenek Dohnal <zdohnal@redhat.com>
+Date: Fri, 6 Dec 2024 07:59:16 +0100
+Subject: [PATCH] tls-gnutls.c: Use system crypto policy if available
+
+Some Linux systems provide a way how to control cryptography on system or service level via cryptographic policies. OpenSSL implementation reflects system changes to some degree, however GnuTLS implementation does not take system policy into account.
+
+GnuTLS supports fallback mechanism, so we can fallback to NORMAL if @System is not defined on the system.
+
+Fortunately, the current GnuTLS implementation allows overrides via priority strings (so no "this cipher/hash is disabled" if we enabled them in our application by priority string), so allowing to honor system policy can save us work if someone wants to disable a specific cipher, so we don't have to implement it in libcups.
+---
+ CHANGES.md        | 2 ++
+ cups/tls-gnutls.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
+index f3f71a055..719161da7 100644
+--- a/cups/tls-gnutls.c
++++ b/cups/tls-gnutls.c
+@@ -1504,7 +1504,7 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
+     return (-1);
+   }
+ 
+-  strlcpy(priority_string, "NORMAL", sizeof(priority_string));
++  strlcpy(priority_string, "@SYSTEM,NORMAL", sizeof(priority_string));
+ 
+   if (tls_max_version < _HTTP_TLS_MAX)
+   {
+-- 
+2.47.1
+

SPECS/cups.spec

@@ -24,7 +24,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.3.3%{OP_VER}
-Release: 30%{?dist}
+Release: 33%{?dist}
 License: ASL 2.0
 Url: http://www.cups.org/
 # Apple stopped uploading the new versions into github, use OpenPrinting fork
@@ -150,6 +150,17 @@ Patch43: cups-socket-remove-on-stop.patch
 # https://github.com/OpenPrinting/cups/commit/74f437b
 # https://github.com/OpenPrinting/cups/commit/fb0c914
 Patch44: cups-check-for-listeners.patch
+# RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
+Patch45: 0001-mirror-ipp-everywhere-printer-changes-from-master.patch
+Patch46: 0001-refactor-make-and-model-code.patch
+Patch47: 0001-ppdize-preset-and-template-names.patch
+Patch48: 0001-quote-ppd-localized-strings.patch
+Patch49: 0001-fix-warnings-for-unused-vars.patch
+# RHEL-68414 Inability to disable weak ciphers in CUPS configuration
+# patches: 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch
+#          0001-Add-NoSystem-SSLOptions-value.patch
+Patch50: 0001-tls-gnutls.c-Use-system-crypto-policy-if-available.patch
+Patch51: 0001-Add-NoSystem-SSLOptions-value.patch
 
 
 ##### Patches removed because IMHO they aren't no longer needed
@@ -428,6 +439,16 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in
 # https://github.com/OpenPrinting/cups/commit/74f437b
 # https://github.com/OpenPrinting/cups/commit/fb0c914
 %patch44 -p1 -b .cups-check-for-listeners.patch
+# RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
+%patch45 -p1 -b .ippeve-validate
+%patch46 -p1 -b .make-model-refact
+%patch47 -p1 -b .ppdize-presets
+%patch48 -p1 -b .quote-ppd-strings
+%patch49 -p1 -b .fix-warn
+# RHEL-68414 Inability to disable weak ciphers in CUPS configuration
+%patch50 -p1 -b .tls-system
+%patch51 -p1 -b .ssl-nosystem
+
 
 %if %{lspp}
 # LSPP support.
@@ -649,6 +670,36 @@ done
 
 %{_sbindir}/upgrade_get_document
 
+# to prevent possible breakage due starting following system crypto policy
+# within minor releases
+# SSLOptions in cupsd.conf influences what SSL cupsd daemon will offer to clients,
+# SSLOptions in client.conf influences what SSL clients using libcups will use to
+# connect with destionation (destination can be other cupsd or printer)
+for conf in %{_sysconfdir}/cups/cupsd.conf %{_sysconfdir}/cups/client.conf
+do
+  # do not update anything if we already put changes into the file
+  if ! grep -q "# RHEL-68414 Fix" ${conf}
+  then
+    # backup the file if there is no rpmsave already
+    if ! test -f ${conf}.rpmsave
+    then
+      cp ${conf}{,.rpmsave}
+    fi
+
+    # two situations can happen:
+    # - no SSLOptions in the file - just put the new lines into file
+    # - SSLOptions already exists in the file - we append NoSystem to the
+    #   directive
+    if ! grep -q "^\s*SSLOptions" ${conf}
+    then
+      echo -e "# RHEL-68414 Fix\nSSLOptions NoSystem\n" >> ${conf}
+    else
+      # captures the group into \1, which can be later used
+      sed -i 's,^\s*SSLOptions \(.*\)$,# RHEL-68414 Fix\nSSLOptions \1 NoSystem,' ${conf}
+    fi
+  fi
+done
+
 exit 0
 
 %post client
@@ -862,6 +913,15 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 
 %changelog
+* Wed Jan 08 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-33
+- Add NoSystem SSLOptions value
+
+* Mon Dec 09 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-32
+- RHEL-68414 Inability to disable weak ciphers in CUPS configuration
+
+* Tue Oct 01 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-31
+- RHEL-60343 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
+
 * Thu Aug 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.3.3op2-30
 - RHEL-6526 cups source rpm doesn't actually build lspp support
 - fix memory leaks from LSPP