SOURCES/0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch

@@ -1,26 +0,0 @@
-From 2dc021f33a3ea358c9f5c5c54643adc4c46a84a1 Mon Sep 17 00:00:00 2001
-From: Michael R Sweet <msweet@msweet.org>
-Date: Wed, 3 Dec 2025 07:25:30 -0500
-Subject: [PATCH] Fix an infinite loop issue in GTK+ (Issue #1439)
-
----
- CHANGES.md  | 1 +
- cups/http.c | 2 +-
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/cups/http.c b/cups/http.c
-index 214e45158..31ed6ddc1 100644
---- a/cups/http.c
-+++ b/cups/http.c
-@@ -2779,7 +2779,7 @@ _httpUpdate(http_t        *http,	/* I - HTTP connection */
-     /* See whether our read buffer is full... */
-     DEBUG_printf(("2_httpUpdate: used=%d", http->used));
- 
--    if (http->used > 0 && !memchr(http->buffer, '\n', (size_t)http->used) && (size_t)http->used < sizeof(http->buffer))
-+    if (http->used < sizeof(http->buffer))
-     {
-       /* No, try filling in more data... */
-       if ((bytes = http_read(http, http->buffer + http->used, sizeof(http->buffer) - (size_t)http->used, /*timeout*/0)) > 0)
--- 
-2.52.0
-

SOURCES/0001-Fix-domain-socket-handling.patch

@@ -1,86 +0,0 @@
-diff --git a/cups/http-addr.c b/cups/http-addr.c
-index 61c86384b..e86dcb622 100644
---- a/cups/http-addr.c
-+++ b/cups/http-addr.c
-@@ -198,31 +198,29 @@ httpAddrListen(http_addr_t *addr,	/* I - Address to bind to */
-   {
-     mode_t	mask;			/* Umask setting */
- 
--   /*
--    * Remove any existing domain socket file...
--    */
--
--    unlink(addr->un.sun_path);
--
--   /*
--    * Save the current umask and set it to 0 so that all users can access
--    * the domain socket...
--    */
--
--    mask = umask(0);
--
--   /*
--    * Bind the domain socket...
--    */
-+    // Remove any existing domain socket file...
-+    if ((status = unlink(addr->un.sun_path)) < 0)
-+    {
-+      DEBUG_printf(("1httpAddrListen: Unable to unlink \"%s\": %s", addr->un.sun_path, strerror(errno)));
-+      if (errno == ENOENT)
-+       status = 0;
-+    }
- 
--    status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr));
-+    if (!status)
-+    {
-+      // Save the current umask and set it to 0 so that all users can access
-+      // the domain socket...
-+      mask = umask(0);
- 
--   /*
--    * Restore the umask and fix permissions...
--    */
-+      // Bind the domain socket...
-+      if ((status = bind(fd, (struct sockaddr *)addr, (socklen_t)httpAddrLength(addr))) < 0)
-+      {
-+        DEBUG_printf(("1httpAddrListen: Unable to bind domain socket \"%s\": %s", addr->un.sun_path, strerror(errno)));
-+      }
- 
--    umask(mask);
--    chmod(addr->un.sun_path, 0140777);
-+      // Restore the umask...
-+      umask(mask);
-+    }
-   }
-   else
- #endif /* AF_LOCAL */
-diff --git a/scheduler/conf.c b/scheduler/conf.c
-index bc52d2add..93de8cf77 100644
---- a/scheduler/conf.c
-+++ b/scheduler/conf.c
-@@ -3055,6 +3055,25 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
- 
-       cupsd_listener_t	*lis;		/* New listeners array */
- 
-+     /*
-+      * If we are launched on-demand, do not use domain sockets from the config
-+      * file.  Also check that the domain socket path is not too long...
-+      */
-+
-+#ifdef HAVE_ONDEMAND
-+      if (*value == '/' && OnDemand)
-+      {
-+        if (strcmp(value, CUPS_DEFAULT_DOMAINSOCKET))
-+          cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - only using domain socket from launchd/systemd.", line, value, linenum);
-+        continue;
-+      }
-+#endif // HAVE_ONDEMAND
-+
-+      if (*value == '/' && strlen(value) > (sizeof(addr->addr.un.sun_path) - 1))
-+      {
-+        cupsdLogMessage(CUPSD_LOG_INFO, "Ignoring %s address %s at line %d - too long.", line, value, linenum);
-+        continue;
-+      }
- 
-      /*
-       * Get the address list...

SOURCES/0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch

@@ -1,26 +0,0 @@
-From 5cc470c8d95df40f32e8a401b2946886c91b03d1 Mon Sep 17 00:00:00 2001
-From: Michael R Sweet <msweet@msweet.org>
-Date: Fri, 15 Nov 2024 11:55:07 -0500
-Subject: [PATCH] Fix make-and-model whitespace trimming (Issue #1096)
-
----
- CHANGES.md       | 1 +
- cups/ppd-cache.c | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
-index a6163a0e1..a3198a795 100644
---- a/cups/ppd-cache.c
-+++ b/cups/ppd-cache.c
-@@ -3293,6 +3293,8 @@ _ppdCreateFromIPP2(
-       mptr --;
-       if (*mptr == ' ')
- 	*mptr = '\0';
-+      else
-+        break;
-     }
- 
-     if (!make[0])
--- 
-2.47.0
-

SOURCES/0001-Fix-various-issues-in-cupsd.patch

@@ -1,283 +0,0 @@
-diff -up cups-2.2.6/conf/cups-files.conf.in.config-issues cups-2.2.6/conf/cups-files.conf.in
---- cups-2.2.6/conf/cups-files.conf.in.config-issues	2025-12-10 09:55:08.849687904 +0100
-+++ cups-2.2.6/conf/cups-files.conf.in	2025-12-10 09:55:08.963762383 +0100
-@@ -19,6 +19,9 @@
- SystemGroup @CUPS_SYSTEM_GROUPS@
- @CUPS_SYSTEM_AUTHKEY@
- 
-+# Are Unix domain socket peer credentials used for authorization?
-+PeerCred @CUPS_PEER_CRED@
-+
- # User that is substituted for unauthenticated (remote) root accesses...
- #RemoteRoot remroot
- 
-diff -up cups-2.2.6/config.h.in.config-issues cups-2.2.6/config.h.in
---- cups-2.2.6/config.h.in.config-issues	2025-12-10 09:55:08.852849134 +0100
-+++ cups-2.2.6/config.h.in	2025-12-10 09:56:38.680857561 +0100
-@@ -88,6 +88,13 @@
- 
- 
- /*
-+ * Default PeerCred value...
-+ */
-+
-+#define CUPS_DEFAULT_PEER_CRED "on"
-+
-+
-+/*
-  * Default MaxCopies value...
-  */
- 
-diff -up cups-2.2.6/config-scripts/cups-defaults.m4.config-issues cups-2.2.6/config-scripts/cups-defaults.m4
---- cups-2.2.6/config-scripts/cups-defaults.m4.config-issues	2025-12-10 09:55:08.913734163 +0100
-+++ cups-2.2.6/config-scripts/cups-defaults.m4	2025-12-10 09:55:57.696584490 +0100
-@@ -95,6 +95,15 @@ AC_ARG_WITH(log_level, [  --with-log-lev
- AC_SUBST(CUPS_LOG_LEVEL)
- AC_DEFINE_UNQUOTED(CUPS_DEFAULT_LOG_LEVEL, "$CUPS_LOG_LEVEL")
- 
-+dnl Default PeerCred
-+AC_ARG_WITH([peer_cred], AS_HELP_STRING([--with-peer-cred], [set default PeerCred value (on/off/root-only), default=on]), [
-+    CUPS_PEER_CRED="$withval"
-+], [
-+    CUPS_PEER_CRED="on"
-+])
-+AC_SUBST([CUPS_PEER_CRED])
-+AC_DEFINE_UNQUOTED([CUPS_DEFAULT_PEER_CRED], ["$CUPS_PEER_CRED"], [Default PeerCred value.])
-+
- dnl Default AccessLogLevel
- AC_ARG_WITH(access_log_level, [  --with-access-log-level set default AccessLogLevel value, default=none],
- 	CUPS_ACCESS_LOG_LEVEL="$withval",
-diff -up cups-2.2.6/doc/help/man-cups-files.conf.html.config-issues cups-2.2.6/doc/help/man-cups-files.conf.html
---- cups-2.2.6/doc/help/man-cups-files.conf.html.config-issues	2025-12-10 09:55:08.849902857 +0100
-+++ cups-2.2.6/doc/help/man-cups-files.conf.html	2025-12-10 09:57:25.160598126 +0100
-@@ -119,6 +119,13 @@ The server name may be included in filen
- 
- </pre>
- The default is "/var/log/cups/page_log".
-+<dt><a name="PeerCred"></a><b>PeerCred off</b>
-+<dd style="margin-left: 5.0em"><dt><b>PeerCred on</b>
-+<dd style="margin-left: 5.0em"><dt><b>PeerCred root-only</b>
-+<dd style="margin-left: 5.0em">Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket.
-+When <b>on</b>, the peer credentials of any user are accepted for authorization.
-+The value <b>off</b> disables the use of peer credentials entirely, while the value <b>root-only</b> allows peer credentials only for the root user.
-+Note: for security reasons, the <b>on</b> setting is reduced to <b>root-only</b> for authorization of PUT requests.
- <dt><a name="RemoteRoot"></a><b>RemoteRoot </b><i>username</i>
- <dd style="margin-left: 5.0em">Specifies the username that is associated with unauthenticated accesses by clients claiming to be the root user.
- The default is "remroot".
-diff -up cups-2.2.6/man/cups-files.conf.man.in.config-issues cups-2.2.6/man/cups-files.conf.man.in
---- cups-2.2.6/man/cups-files.conf.man.in.config-issues	2025-12-10 09:59:33.227883234 +0100
-+++ cups-2.2.6/man/cups-files.conf.man.in	2025-12-10 09:59:57.400174430 +0100
-@@ -162,6 +162,17 @@ The default is "/var/log/cups/page_log".
- \fBPassEnv \fIvariable \fR[ ... \fIvariable \fR]
- Passes the specified environment variable(s) to child processes.
- Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
-+.\"#PeerCred
-+.TP 5
-+\fBPeerCred off\fR
-+.TP 5
-+\fBPeerCred on\fR
-+.TP 5
-+\fBPeerCred root-only\fR
-+Specifies whether peer credentials are used for authorization when communicating over the UNIX domain socket.
-+When \fBon\fR, the peer credentials of any user are accepted for authorization.
-+The value \fBoff\fR disables the use of peer credentials entirely, while the value \fBroot-only\fR allows peer credentials only for the root user.
-+Note: for security reasons, the \fBon\fR setting is reduced to \fBroot-only\fR for authorization of PUT requests.
- .\"#RemoteRoot
- .TP 5
- \fBRemoteRoot \fIusername\fR
-diff -up cups-2.2.6/scheduler/auth.c.config-issues cups-2.2.6/scheduler/auth.c
---- cups-2.2.6/scheduler/auth.c.config-issues	2025-12-10 09:55:08.953939209 +0100
-+++ cups-2.2.6/scheduler/auth.c	2025-12-10 09:55:08.965011783 +0100
-@@ -401,7 +401,7 @@ cupsdAuthorize(cupsd_client_t *con)	/* I
-   }
- #endif /* HAVE_AUTHORIZATION_H */
- #if defined(SO_PEERCRED) && defined(AF_LOCAL)
--  else if (!strncmp(authorization, "PeerCred ", 9) &&
-+  else if (PeerCred != CUPSD_PEERCRED_OFF && !strncmp(authorization, "PeerCred ", 9) &&
-            con->http->hostaddr->addr.sa_family == AF_LOCAL && con->best)
-   {
-    /*
-@@ -444,6 +444,12 @@ cupsdAuthorize(cupsd_client_t *con)	/* I
-     }
- #endif /* HAVE_AUTHORIZATION_H */
- 
-+    if ((PeerCred == CUPSD_PEERCRED_ROOTONLY || httpGetState(con->http) == HTTP_STATE_PUT_RECV) && strcmp(authorization + 9, "root"))
-+    {
-+      cupsdLogClient(con, CUPSD_LOG_INFO, "User \"%s\" is not allowed to use peer credentials.", authorization + 9);
-+      return;
-+    }
-+
-     if ((pwd = getpwnam(authorization + 9)) == NULL)
-     {
-       cupsdLogClient(con, CUPSD_LOG_ERROR, "User \"%s\" does not exist.", authorization + 9);
-diff -up cups-2.2.6/scheduler/auth.h.config-issues cups-2.2.6/scheduler/auth.h
---- cups-2.2.6/scheduler/auth.h.config-issues	2017-11-01 15:57:53.000000000 +0100
-+++ cups-2.2.6/scheduler/auth.h	2025-12-10 10:00:29.472254041 +0100
-@@ -52,6 +52,10 @@
- #define CUPSD_AUTH_LIMIT_ALL	127	/* Limit all requests */
- #define CUPSD_AUTH_LIMIT_IPP	128	/* Limit IPP requests */
- 
-+#define CUPSD_PEERCRED_OFF	0	/* Don't allow PeerCred authorization */
-+#define CUPSD_PEERCRED_ON	1	/* Allow PeerCred authorization for all users */
-+#define CUPSD_PEERCRED_ROOTONLY	2	/* Allow PeerCred authorization for root user */
-+
- #define IPP_ANY_OPERATION	(ipp_op_t)0
- 					/* Any IPP operation */
- #define IPP_BAD_OPERATION	(ipp_op_t)-1
-@@ -109,6 +113,9 @@ typedef struct cupsd_client_s cupsd_clie
- 
- VAR cups_array_t	*Locations	VALUE(NULL);
- 					/* Authorization locations */
-+VAR int			PeerCred	VALUE(CUPSD_PEERCRED_ON);
-+					/* Allow PeerCred authorization? */
-+
- #ifdef HAVE_SSL
- VAR http_encryption_t	DefaultEncryption VALUE(HTTP_ENCRYPT_REQUIRED);
- 					/* Default encryption for authentication */
-diff -up cups-2.2.6/scheduler/client.c.config-issues cups-2.2.6/scheduler/client.c
-diff -up cups-2.2.6/scheduler/conf.c.config-issues cups-2.2.6/scheduler/conf.c
---- cups-2.2.6/scheduler/conf.c.config-issues	2025-12-10 09:55:08.946765727 +0100
-+++ cups-2.2.6/scheduler/conf.c	2025-12-10 09:55:08.964315379 +0100
-@@ -52,6 +52,7 @@ typedef enum
- {
-   CUPSD_VARTYPE_INTEGER,		/* Integer option */
-   CUPSD_VARTYPE_TIME,			/* Time interval option */
-+  CUPSD_VARTYPE_NULLSTRING,		/* String option or NULL/empty string */
-   CUPSD_VARTYPE_STRING,			/* String option */
-   CUPSD_VARTYPE_BOOLEAN,		/* Boolean option */
-   CUPSD_VARTYPE_PATHNAME,		/* File/directory name option */
-@@ -74,7 +75,7 @@ static const cupsd_var_t	cupsd_vars[] =
- {
-   { "AutoPurgeJobs", 		&JobAutoPurge,		CUPSD_VARTYPE_BOOLEAN },
- #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
--  { "BrowseDNSSDSubTypes",	&DNSSDSubTypes,		CUPSD_VARTYPE_STRING },
-+  { "BrowseDNSSDSubTypes",	&DNSSDSubTypes,		CUPSD_VARTYPE_NULLSTRING },
- #endif /* HAVE_DNSSD || HAVE_AVAHI */
-   { "BrowseWebIF",		&BrowseWebIF,		CUPSD_VARTYPE_BOOLEAN },
-   { "Browsing",			&Browsing,		CUPSD_VARTYPE_BOOLEAN },
-@@ -124,7 +125,7 @@ static const cupsd_var_t	cupsd_vars[] =
-   { "MaxSubscriptionsPerPrinter",&MaxSubscriptionsPerPrinter,	CUPSD_VARTYPE_INTEGER },
-   { "MaxSubscriptionsPerUser",	&MaxSubscriptionsPerUser,	CUPSD_VARTYPE_INTEGER },
-   { "MultipleOperationTimeout",	&MultipleOperationTimeout,	CUPSD_VARTYPE_TIME },
--  { "PageLogFormat",		&PageLogFormat,		CUPSD_VARTYPE_STRING },
-+  { "PageLogFormat",		&PageLogFormat,		CUPSD_VARTYPE_NULLSTRING },
-   { "PreserveJobFiles",		&JobFiles,		CUPSD_VARTYPE_TIME },
-   { "PreserveJobHistory",	&JobHistory,		CUPSD_VARTYPE_TIME },
-   { "ReloadTimeout",		&ReloadTimeout,		CUPSD_VARTYPE_TIME },
-@@ -807,6 +808,13 @@ cupsdReadConfiguration(void)
-   IdleExitTimeout = 60;
- #endif /* HAVE_ONDEMAND */
- 
-+  if (!strcmp(CUPS_DEFAULT_PEER_CRED, "off"))
-+    PeerCred = CUPSD_PEERCRED_OFF;
-+  else if (!strcmp(CUPS_DEFAULT_PEER_CRED, "root-only"))
-+    PeerCred = CUPSD_PEERCRED_ROOTONLY;
-+  else
-+    PeerCred = CUPSD_PEERCRED_ON;
-+
-  /*
-   * Setup environment variables...
-   */
-@@ -1837,7 +1845,7 @@ get_addr_and_mask(const char *value,	/*
- 
-     family  = AF_INET6;
- 
--    for (i = 0, ptr = value + 1; *ptr && i < 8; i ++)
-+    for (i = 0, ptr = value + 1; *ptr && i >= 0 && i < 8; i ++)
-     {
-       if (*ptr == ']')
-         break;
-@@ -1986,7 +1994,7 @@ get_addr_and_mask(const char *value,	/*
- #ifdef AF_INET6
-       if (family == AF_INET6)
-       {
--        if (i > 128)
-+        if (i < 0 || i > 128)
- 	  return (0);
- 
-         i = 128 - i;
-@@ -2020,7 +2028,7 @@ get_addr_and_mask(const char *value,	/*
-       else
- #endif /* AF_INET6 */
-       {
--        if (i > 32)
-+        if (i < 0 || i > 32)
- 	  return (0);
- 
-         mask[0] = 0xffffffff;
-@@ -2930,7 +2938,17 @@ parse_variable(
- 	cupsdSetString((char **)var->ptr, temp);
- 	break;
- 
-+    case CUPSD_VARTYPE_NULLSTRING :
-+	cupsdSetString((char **)var->ptr, value);
-+	break;
-+
-     case CUPSD_VARTYPE_STRING :
-+        if (!value)
-+        {
-+	  cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.", line, linenum, filename);
-+	  return (0);
-+        }
-+
- 	cupsdSetString((char **)var->ptr, value);
- 	break;
-   }
-@@ -3438,9 +3456,10 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
- 		      line, value ? " " : "", value ? value : "", linenum,
- 		      ConfigurationFile, CupsFilesFile);
-     }
--    else
--      parse_variable(ConfigurationFile, linenum, line, value,
--                     sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars);
-+    else if (!parse_variable(ConfigurationFile, linenum, line, value,
-+			     sizeof(cupsd_vars) / sizeof(cupsd_vars[0]), cupsd_vars) &&
-+	     (FatalErrors & CUPSD_FATAL_CONFIG))
-+      return (0);
-   }
- 
-   return (1);
-@@ -3575,6 +3594,31 @@ read_cups_files_conf(cups_file_t *fp)	/*
- 	    break;
-       }
-     }
-+    else if (!_cups_strcasecmp(line, "PeerCred") && value)
-+    {
-+     /*
-+      * PeerCred {off,on,root-only}
-+      */
-+
-+      if (!_cups_strcasecmp(value, "off"))
-+      {
-+        PeerCred = CUPSD_PEERCRED_OFF;
-+      }
-+      else if (!_cups_strcasecmp(value, "on"))
-+      {
-+        PeerCred = CUPSD_PEERCRED_ON;
-+      }
-+      else if (!_cups_strcasecmp(value, "root-only"))
-+      {
-+        PeerCred = CUPSD_PEERCRED_ROOTONLY;
-+      }
-+      else
-+      {
-+	cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown PeerCred \"%s\" on line %d of %s.", value, linenum, CupsFilesFile);
-+        if (FatalErrors & CUPSD_FATAL_CONFIG)
-+          return (0);
-+      }
-+    }
-     else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
-     {
-      /*
-diff -up cups-2.2.6/test/run-stp-tests.sh.config-issues cups-2.2.6/test/run-stp-tests.sh
---- cups-2.2.6/test/run-stp-tests.sh.config-issues	2025-12-10 09:55:08.861374808 +0100
-+++ cups-2.2.6/test/run-stp-tests.sh	2025-12-10 09:55:08.964582228 +0100
-@@ -511,7 +511,7 @@ fi
- 
- cat >$BASE/cups-files.conf <<EOF
- FileDevice yes
--Printcap
-+Printcap $BASE/printcap
- User $user
- ServerRoot $BASE
- StateDir $BASE

SOURCES/0001-Setting-the-timeout-should-also-timeout-the-TLS-nego.patch

@@ -1,127 +0,0 @@
-From a7aabde8fee21c62795eba831fc2bc965c6e0149 Mon Sep 17 00:00:00 2001
-From: Michael R Sweet <michael.r.sweet@gmail.com>
-Date: Tue, 20 Feb 2018 20:18:05 -0500
-Subject: [PATCH] Setting the timeout should also timeout the TLS negotiation
- (rdar://34938533)
-
----
- cups/http.c       |  6 +++---
- cups/tls-darwin.c | 35 +++++++++++++++++++++++++++++++----
- cups/tls-gnutls.c | 35 ++++++++++++++++++++++++++++++++---
- cups/tls.c        |  2 +-
- 4 files changed, 67 insertions(+), 11 deletions(-)
-
-diff --git a/cups/http.c b/cups/http.c
-index 9af77c1c5..4d0a2a78e 100644
---- a/cups/http.c
-+++ b/cups/http.c
-@@ -4027,7 +4027,7 @@ http_read(http_t *http,			/* I - HTTP connection */
- 
-   DEBUG_printf(("http_read(http=%p, buffer=%p, length=" CUPS_LLFMT ")", (void *)http, (void *)buffer, CUPS_LLCAST length));
- 
--  if (!http->blocking)
-+  if (!http->blocking || http->timeout_value > 0.0)
-   {
-     while (!httpWait(http, http->wait_value))
-     {
-@@ -4626,7 +4626,7 @@ http_write(http_t     *http,		/* I - HTTP connection */
-   {
-     DEBUG_printf(("3http_write: About to write %d bytes.", (int)length));
- 
--    if (http->timeout_cb)
-+    if (http->timeout_value > 0.0)
-     {
- #ifdef HAVE_POLL
-       struct pollfd	pfd;		/* Polled file descriptor */
-@@ -4670,7 +4670,7 @@ http_write(http_t     *http,		/* I - HTTP connection */
- 	  http->error = errno;
- 	  return (-1);
- 	}
--	else if (nfds == 0 && !(*http->timeout_cb)(http, http->timeout_data))
-+	else if (nfds == 0 && (!http->timeout_cb || !(*http->timeout_cb)(http, http->timeout_data)))
- 	{
- #ifdef WIN32
- 	  http->error = WSAEWOULDBLOCK;
-diff --git a/cups/tls-gnutls.c b/cups/tls-gnutls.c
-index 0f0cd0028..bc3cdd07d 100644
---- a/cups/tls-gnutls.c
-+++ b/cups/tls-gnutls.c
-@@ -1087,7 +1087,7 @@ http_gnutls_read(
- 
-   http = (http_t *)ptr;
- 
--  if (!http->blocking)
-+  if (!http->blocking || http->timeout_value > 0.0)
-   {
-    /*
-     * Make sure we have data before we read...
-@@ -1245,6 +1245,9 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
-   char			priority_string[2048];
- 					/* Priority string */
-   int			version;	/* Current version */
-+  double		old_timeout;	/* Old timeout value */
-+  http_timeout_cb_t	old_cb;		/* Old timeout callback */
-+  void			*old_data;	/* Old timeout data */
-   static const char * const versions[] =/* SSL/TLS versions */
-   {
-     "VERS-SSL3.0",
-@@ -1578,6 +1581,24 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
- #endif /* HAVE_GNUTLS_TRANSPORT_SET_PULL_TIMEOUT_FUNCTION */
-   gnutls_transport_set_push_function(http->tls, http_gnutls_write);
- 
-+ /*
-+  * Enforce a minimum timeout of 10 seconds for the TLS handshake...
-+  */
-+
-+  old_timeout  = http->timeout_value;
-+  old_cb       = http->timeout_cb;
-+  old_data     = http->timeout_data;
-+
-+  if (!old_cb || old_timeout < 10.0)
-+  {
-+    DEBUG_puts("4_httpTLSStart: Setting timeout to 10 seconds.");
-+    httpSetTimeout(http, 10.0, NULL, NULL);
-+  }
-+
-+ /*
-+  * Do the TLS handshake...
-+  */
-+
-   while ((status = gnutls_handshake(http->tls)) != GNUTLS_E_SUCCESS)
-   {
-     DEBUG_printf(("5_httpStartTLS: gnutls_handshake returned %d (%s)",
-@@ -1595,10 +1616,18 @@ _httpTLSStart(http_t *http)		/* I - Connection to server */
-       free(credentials);
-       http->tls = NULL;
- 
-+      httpSetTimeout(http, old_timeout, old_cb, old_data);
-+
-       return (-1);
-     }
-   }
- 
-+ /*
-+  * Restore the previous timeout settings...
-+  */
-+
-+  httpSetTimeout(http, old_timeout, old_cb, old_data);
-+
-   http->tls_credentials = credentials;
- 
-   return (0);
-diff --git a/cups/tls.c b/cups/tls.c
-index e8874004f..278439db2 100644
---- a/cups/tls.c
-+++ b/cups/tls.c
-@@ -30,7 +30,7 @@
- 
- 
- /*
-- * Local functions...
-+ * Include platform-specific TLS code...
-  */
- 
- #ifdef HAVE_SSL
--- 
-2.52.0
-

SOURCES/0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch

@@ -1,12 +0,0 @@
-diff -up cups-2.2.6/cups/http.c.use-usessl cups-2.2.6/cups/http.c
---- cups-2.2.6/cups/http.c.use-usessl	2025-12-09 14:59:32.677174678 +0100
-+++ cups-2.2.6/cups/http.c	2025-12-09 15:00:38.443279836 +0100
-@@ -3152,7 +3152,7 @@ _httpWait(http_t *http,			/* I - HTTP co
-   */
- 
- #ifdef HAVE_SSL
--  if (http->tls && _httpTLSPending(http))
-+  if (usessl && http->tls && _httpTLSPending(http))
-   {
-     DEBUG_puts("5_httpWait: Return 1 since there is pending TLS data.");
-     return (1);

SOURCES/0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch

@@ -1,43 +0,0 @@
-From 277d3b1c49895f070bbf4b73cada011d71fbf9f3 Mon Sep 17 00:00:00 2001
-From: Zdenek Dohnal <zdohnal@redhat.com>
-Date: Thu, 4 Dec 2025 09:04:37 +0100
-Subject: [PATCH] conf.c: Fix stopping scheduler on unknown directive
-
-Change the return value to do not trigger stopping the scheduler in case
-of unknown directive, because stopping the scheduler on config errors
-should only happen in case of syntax errors.
----
- scheduler/conf.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/scheduler/conf.c b/scheduler/conf.c
-index 7d6da0252..0e7be0ef4 100644
---- a/scheduler/conf.c
-+++ b/scheduler/conf.c
-@@ -2708,16 +2708,16 @@ parse_variable(
-   {
-    /*
-     * Unknown directive!  Output an error message and continue...
-+    *
-+    * Return value 1 is on purpose - we ignore unknown directives to log
-+    * error, but do not stop the scheduler in case error in configuration
-+    * is set to be fatal.
-     */
- 
--    if (!value)
--      cupsdLogMessage(CUPSD_LOG_ERROR, "Missing value for %s on line %d of %s.",
--		      line, linenum, filename);
--    else
--      cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
--		      line, linenum, filename);
-+    cupsdLogMessage(CUPSD_LOG_ERROR, "Unknown directive %s on line %d of %s.",
-+		    line, linenum, filename);
- 
--    return (0);
-+    return (1);
-   }
- 
-   switch (var->type)
--- 
-2.52.0
-

SOURCES/0001-mirror-ipp-everywhere-printer-changes-from-master.patch

@@ -1,40 +0,0 @@
-diff --git a/scheduler/ipp.c b/scheduler/ipp.c
-index 728d164..5089172 100644
---- a/scheduler/ipp.c
-+++ b/scheduler/ipp.c
-@@ -5773,6 +5773,18 @@ create_local_bg_thread(
-     cupsdLogMessage(CUPSD_LOG_DEBUG, "%s: IPP/1.1 Get-Printer-Attributes returned %s (%s)", printer->name, ippErrorString(cupsLastError()), cupsLastErrorString());
-   }
- 
-+  // Validate response from printer...
-+  if (!ippValidateAttributes(response))
-+  {
-+    cupsdLogMessage(CUPSD_LOG_ERROR, "%s: The printer contains invalid attributes.", printer->name);
-+
-+    if (response)
-+      ippDelete(response);
-+
-+    httpClose(http);
-+    return (NULL);
-+  }
-+
-   // TODO: Grab printer icon file...
-   httpClose(http);
- 
-diff --git a/systemv/lpadmin.c b/systemv/lpadmin.c
-index daf24d5..eba7551 100644
---- a/systemv/lpadmin.c
-+++ b/systemv/lpadmin.c
-@@ -1226,6 +1226,12 @@ get_printer_ppd(
-   ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", sizeof(pattrs) / sizeof(pattrs[0]), NULL, pattrs);
-   response = cupsDoRequest(http, request, resource);
- 
-+  if (response && !ippValidateAttributes(response))
-+  {
-+    _cupsLangPrintf(stderr, _("%s: The printer \"%s\" contains invalid IPP attributes."), "lpadmin", uri);
-+    return (NULL);
-+  }
-+
-   if (cupsLastError() >= IPP_STATUS_REDIRECTION_OTHER_SITE)
-   {
-     _cupsLangPrintf(stderr, _("%s: Unable to query printer: %s"), "lpadmin", cupsLastErrorString());

SOURCES/0001-ppdize-preset-and-template-names.patch

@@ -1,41 +0,0 @@
-From e0630cd18f76340d302000f2bf6516e99602b844 Mon Sep 17 00:00:00 2001
-From: Michael R Sweet <msweet@msweet.org>
-Date: Mon, 9 Sep 2024 15:59:57 -0400
-Subject: [PATCH] PPDize preset and template names.
-
----
- cups/ppd-cache.c | 33 ++++++++++++++++++++++++---------
- 1 file changed, 24 insertions(+), 9 deletions(-)
-
-diff --git a/cups/ppd-cache.c b/cups/ppd-cache.c
-index 986c64f73..18c38d0ee 100644
---- a/cups/ppd-cache.c
-+++ b/cups/ppd-cache.c
-@@ -5543,7 +5552,7 @@ pwg_ppdize_name(const char *ipp,	/* I - IPP keyword */
- 	*end;				/* End of name buffer */
- 
- 
--  if (!ipp)
-+  if (!ipp || !_cups_isalnum(*ipp))
-   {
-     *name = '\0';
-     return;
-@@ -5558,8 +5567,14 @@ pwg_ppdize_name(const char *ipp,	/* I - IPP keyword */
-       ipp ++;
-       *ptr++ = (char)toupper(*ipp++ & 255);
-     }
--    else
-+    else if (*ipp == '_' || *ipp == '.' || *ipp == '-' || _cups_isalnum(*ipp))
-+    {
-       *ptr++ = *ipp++;
-+    }
-+    else
-+    {
-+      ipp ++;
-+    }
-   }
- 
-   *ptr = '\0';
--- 
-2.46.1
-

SOURCES/0001-refactor-make-and-model-code.patch

@@ -1,136 +0,0 @@
-diff -up cups-2.2.6/cups/ppd-cache.c.make-model-refact cups-2.2.6/cups/ppd-cache.c
---- cups-2.2.6/cups/ppd-cache.c.make-model-refact	2024-10-25 09:50:04.894056025 +0200
-+++ cups-2.2.6/cups/ppd-cache.c	2024-10-25 09:51:15.832552712 +0200
-@@ -2937,9 +2937,10 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
- 			*x_dim, *y_dim;	/* Media dimensions */
-   ipp_t			*media_size;	/* Media size collection */
-   char			make[256],	/* Make and model */
--			*model,		/* Model name */
-+			*mptr,		/* Pointer into make and model */
- 			ppdname[PPD_MAX_NAME];
- 		    			/* PPD keyword */
-+  const char		*model;		/* Model name */
-   int			i, j,		/* Looping vars */
- 			count,		/* Number of values */
- 			bottom,		/* Largest bottom margin */
-@@ -3057,35 +3058,105 @@ _ppdCreateFromIPP(char   *buffer,	/* I -
-   }
- 
-  /*
--  * Standard stuff for PPD file...
-+  * Get a sanitized make and model...
-   */
- 
--  cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
--  cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
--  cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
--  cupsFilePuts(fp, "*LanguageVersion: English\n");
--  cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
--  cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
--  cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
--  cupsFilePuts(fp, "*FileSystem: False\n");
--  cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
-+  if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL && ippValidateAttribute(attr))
-+  {
-+   /*
-+    * Sanitize the model name to only contain PPD-safe characters.
-+    */
- 
--  if ((attr = ippFindAttribute(response, "printer-make-and-model", IPP_TAG_TEXT)) != NULL)
-     strlcpy(make, ippGetString(attr, 0, NULL), sizeof(make));
-+
-+    for (mptr = make; *mptr; mptr ++)
-+    {
-+      if (*mptr < ' ' || *mptr >= 127 || *mptr == '\"')
-+      {
-+       /*
-+	* Truncate the make and model on the first bad character...
-+	*/
-+
-+	*mptr = '\0';
-+	break;
-+      }
-+    }
-+
-+    while (mptr > make)
-+    {
-+     /*
-+      * Strip trailing whitespace...
-+      */
-+
-+      mptr --;
-+      if (*mptr == ' ')
-+	*mptr = '\0';
-+    }
-+
-+    if (!make[0])
-+    {
-+     /*
-+      * Use a default make and model if nothing remains...
-+      */
-+
-+      strlcpy(make, "Unknown", sizeof(make));
-+    }
-+  }
-   else
--    strlcpy(make, "Unknown Printer", sizeof(make));
-+  {
-+   /*
-+    * Use a default make and model...
-+    */
-+
-+    strlcpy(make, "Unknown", sizeof(make));
-+  }
- 
-   if (!_cups_strncasecmp(make, "Hewlett Packard ", 16) ||
-       !_cups_strncasecmp(make, "Hewlett-Packard ", 16))
-   {
-+   /*
-+    * Normalize HP printer make and model...
-+    */
-+
-     model = make + 16;
-     strlcpy(make, "HP", sizeof(make));
-+
-+    if (!_cups_strncasecmp(model, "HP ", 3))
-+      model += 3;
-+  }
-+  else if ((mptr = strchr(make, ' ')) != NULL)
-+  {
-+   /*
-+    * Separate "MAKE MODEL"...
-+    */
-+
-+    while (*mptr && *mptr == ' ')
-+      *mptr++ = '\0';
-+
-+    model = mptr;
-   }
--  else if ((model = strchr(make, ' ')) != NULL)
--    *model++ = '\0';
-   else
--    model = make;
-+  {
-+   /*
-+    * No separate model name...
-+    */
-+ 
-+    model = "Printer";
-+  }
-+
-+ /*
-+  * Standard stuff for PPD file...
-+  */
- 
-+  cupsFilePuts(fp, "*PPD-Adobe: \"4.3\"\n");
-+  cupsFilePuts(fp, "*FormatVersion: \"4.3\"\n");
-+  cupsFilePrintf(fp, "*FileVersion: \"%d.%d\"\n", CUPS_VERSION_MAJOR, CUPS_VERSION_MINOR);
-+  cupsFilePuts(fp, "*LanguageVersion: English\n");
-+  cupsFilePuts(fp, "*LanguageEncoding: ISOLatin1\n");
-+  cupsFilePuts(fp, "*PSVersion: \"(3010.000) 0\"\n");
-+  cupsFilePuts(fp, "*LanguageLevel: \"3\"\n");
-+  cupsFilePuts(fp, "*FileSystem: False\n");
-+  cupsFilePuts(fp, "*PCFileName: \"ippeve.ppd\"\n");
-   cupsFilePrintf(fp, "*Manufacturer: \"%s\"\n", make);
-   cupsFilePrintf(fp, "*ModelName: \"%s\"\n", model);
-   cupsFilePrintf(fp, "*Product: \"(%s)\"\n", model);

SOURCES/0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch

@@ -1,29 +0,0 @@
-From c1d2c631267f28131dd31df5b895b8bfb3005b0d Mon Sep 17 00:00:00 2001
-From: Zdenek Dohnal <zdohnal@redhat.com>
-Date: Thu, 11 Dec 2025 15:12:55 +0100
-Subject: [PATCH] scheduler: Fix possible use_after_free in `cupsdReadClient()`
-
-If `cupsdSendHeader()` fails, we free the connection and return -1, but
-in that case we try to free the connection again in `cupsdReadClient()`.
----
- scheduler/client.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/scheduler/client.c b/scheduler/client.c
-index f6166091e..63844d531 100644
---- a/scheduler/client.c
-+++ b/scheduler/client.c
-@@ -2761,10 +2761,7 @@ check_start_tls(cupsd_client_t *con)	/* I - Client connection */
-     httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
- 
-     if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
--    {
--      cupsdCloseClient(con);
-       return (-1);
--    }
-   }
- 
-   return (1);
--- 
-2.52.0
-

SOURCES/CVE-2025-58060.patch

@@ -1,35 +0,0 @@
-diff --git a/scheduler/auth.c b/scheduler/auth.c
-index e7d0006..d70e21e 100644
---- a/scheduler/auth.c
-+++ b/scheduler/auth.c
-@@ -564,8 +564,12 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
-     switch (type)
-     {
-       default :
-+	  {
-+	    cupsdLogClient(con, CUPSD_LOG_ERROR, "Basic authentication is not enabled.");
-+	    return;
-+	  }
-       case CUPSD_AUTH_BASIC :
--          {
-+	  {
- #if HAVE_LIBPAM
- 	   /*
- 	    * Only use PAM to do authentication.  This supports MD5
-@@ -737,6 +741,16 @@ cupsdAuthorize(cupsd_client_t *con)	/* I - Client connection */
-     gss_name_t		client_name;	/* Client name */
- 
- 
-+   /*
-+    * Only allow Kerberos if enabled...
-+    */
-+
-+    if (type != CUPSD_AUTH_NEGOTIATE)
-+    {
-+      cupsdLogClient(con, CUPSD_LOG_ERROR, "Kerberos authentication is not enabled.");
-+      return;
-+    }
-+
- #  ifdef __APPLE__
-    /*
-     * If the weak-linked GSSAPI/Kerberos library is not present, don't try

SOURCES/CVE-2025-58364.patch

@@ -1,46 +0,0 @@
-diff -up cups-2.2.6/cups/ipp.c.cve-2025-58364 cups-2.2.6/cups/ipp.c
---- cups-2.2.6/cups/ipp.c.cve-2025-58364	2025-10-22 10:15:10.072426099 +0200
-+++ cups-2.2.6/cups/ipp.c	2025-10-22 10:20:00.117427768 +0200
-@@ -3050,34 +3050,6 @@ ippReadIO(void       *src,		/* I - Data
- 	  */
- 
-           tag = (ipp_tag_t)buffer[0];
--          if (tag == IPP_TAG_EXTENSION)
--          {
--           /*
--            * Read 32-bit "extension" tag...
--            */
--
--	    if ((*cb)(src, buffer, 4) < 1)
--	    {
--	      DEBUG_puts("1ippReadIO: Callback returned EOF/error");
--	      _cupsBufferRelease((char *)buffer);
--	      return (IPP_STATE_ERROR);
--	    }
--
--	    tag = (ipp_tag_t)((((((buffer[0] << 8) | buffer[1]) << 8) |
--	                        buffer[2]) << 8) | buffer[3]);
--
--            if (tag & IPP_TAG_CUPS_CONST)
--            {
--             /*
--              * Fail if the high bit is set in the tag...
--              */
--
--	      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("IPP extension tag larger than 0x7FFFFFFF."), 1);
--	      DEBUG_printf(("1ippReadIO: bad tag 0x%x.", tag));
--	      _cupsBufferRelease((char *)buffer);
--	      return (IPP_STATE_ERROR);
--            }
--          }
- 
- 	  if (tag == IPP_TAG_END)
- 	  {
-@@ -3286,6 +3258,7 @@ ippReadIO(void       *src,		/* I - Data
- 
- 	    if ((*cb)(src, buffer, (size_t)n) < n)
- 	    {
-+	      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Unable to read IPP attribute name."), 1);
- 	      DEBUG_puts("1ippReadIO: unable to read name.");
- 	      _cupsBufferRelease((char *)buffer);
- 	      return (IPP_STATE_ERROR);

SOURCES/cups-CVE-2025-58436.patch

@@ -1,524 +0,0 @@
-diff -up cups-2.2.6/cups/http.c.slow-client cups-2.2.6/cups/http.c
---- cups-2.2.6/cups/http.c.slow-client	2025-12-09 15:13:08.505351097 +0100
-+++ cups-2.2.6/cups/http.c	2025-12-09 15:16:54.210443194 +0100
-@@ -52,7 +52,7 @@ static http_t		*http_create(const char *
- static void		http_debug_hex(const char *prefix, const char *buffer,
- 			               int bytes);
- #endif /* DEBUG */
--static ssize_t		http_read(http_t *http, char *buffer, size_t length);
-+static ssize_t		http_read(http_t *http, char *buffer, size_t length, int timeout);
- static ssize_t		http_read_buffered(http_t *http, char *buffer, size_t length);
- static ssize_t		http_read_chunk(http_t *http, char *buffer, size_t length);
- static int		http_send(http_t *http, http_state_t request,
-@@ -1209,7 +1209,7 @@ httpGets(char   *line,			/* I - Line to
-         return (NULL);
-       }
- 
--      bytes = http_read(http, http->buffer + http->used, (size_t)(HTTP_MAX_BUFFER - http->used));
-+      bytes = http_read(http, http->buffer + http->used, (size_t)(_HTTP_MAX_BUFFER - http->used), http->wait_value);
- 
-       DEBUG_printf(("4httpGets: read " CUPS_LLFMT " bytes.", CUPS_LLCAST bytes));
- 
-@@ -1724,24 +1724,13 @@ httpPeek(http_t *http,			/* I - HTTP con
- 
-     ssize_t	buflen;			/* Length of read for buffer */
- 
--    if (!http->blocking)
--    {
--      while (!httpWait(http, http->wait_value))
--      {
--	if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
--	  continue;
--
--	return (0);
--      }
--    }
--
-     if ((size_t)http->data_remaining > sizeof(http->buffer))
-       buflen = sizeof(http->buffer);
-     else
-       buflen = (ssize_t)http->data_remaining;
- 
-     DEBUG_printf(("2httpPeek: Reading %d bytes into buffer.", (int)buflen));
--    bytes = http_read(http, http->buffer, (size_t)buflen);
-+    bytes = http_read(http, http->buffer, (size_t)buflen, http->wait_value);
- 
-     DEBUG_printf(("2httpPeek: Read " CUPS_LLFMT " bytes into buffer.",
-                   CUPS_LLCAST bytes));
-@@ -1762,9 +1751,9 @@ httpPeek(http_t *http,			/* I - HTTP con
-     int		zerr;			/* Decompressor error */
-     z_stream	stream;			/* Copy of decompressor stream */
- 
--    if (http->used > 0 && http->stream.avail_in < HTTP_MAX_BUFFER)
-+    if (http->used > 0 && http->stream.avail_in < _HTTP_MAX_BUFFER)
-     {
--      size_t buflen = buflen = HTTP_MAX_BUFFER - http->stream.avail_in;
-+      size_t buflen = buflen = _HTTP_MAX_BUFFER - http->stream.avail_in;
- 					/* Number of bytes to copy */
- 
-       if (http->stream.avail_in > 0 &&
-@@ -2022,7 +2011,7 @@ httpRead2(http_t *http,			/* I - HTTP co
- 
-       if (bytes == 0)
-       {
--        ssize_t buflen = HTTP_MAX_BUFFER - (ssize_t)http->stream.avail_in;
-+        ssize_t buflen = _HTTP_MAX_BUFFER - (ssize_t)http->stream.avail_in;
- 					/* Additional bytes for buffer */
- 
-         if (buflen > 0)
-@@ -2893,7 +2882,7 @@ int					/* O - 1 to continue, 0 to stop
- _httpUpdate(http_t        *http,	/* I - HTTP connection */
-             http_status_t *status)	/* O - Current HTTP status */
- {
--  char		line[32768],		/* Line from connection... */
-+  char		line[_HTTP_MAX_BUFFER],	/* Line from connection... */
- 		*value;			/* Pointer to value on line */
-   http_field_t	field;			/* Field index */
-   int		major, minor;		/* HTTP version numbers */
-@@ -2901,12 +2890,46 @@ _httpUpdate(http_t        *http,	/* I -
- 
-   DEBUG_printf(("_httpUpdate(http=%p, status=%p), state=%s", (void *)http, (void *)status, httpStateString(http->state)));
- 
-+  /* When doing non-blocking I/O, make sure we have a whole line... */
-+  if (!http->blocking)
-+  {
-+    ssize_t	bytes;			/* Bytes "peeked" from connection */
-+
-+    /* See whether our read buffer is full... */
-+    DEBUG_printf(("2_httpUpdate: used=%d", http->used));
-+
-+    if (http->used > 0 && !memchr(http->buffer, '\n', (size_t)http->used) && (size_t)http->used < sizeof(http->buffer))
-+    {
-+      /* No, try filling in more data... */
-+      if ((bytes = http_read(http, http->buffer + http->used, sizeof(http->buffer) - (size_t)http->used, /*timeout*/0)) > 0)
-+      {
-+	DEBUG_printf(("2_httpUpdate: Read %d bytes.", (int)bytes));
-+	http->used += (int)bytes;
-+      }
-+    }
-+
-+    /* Peek at the incoming data... */
-+    if (!http->used || !memchr(http->buffer, '\n', (size_t)http->used))
-+    {
-+      /* Don't have a full line, tell the reader to try again when there is more data... */
-+      DEBUG_puts("1_htttpUpdate: No newline in buffer yet.");
-+      if ((size_t)http->used == sizeof(http->buffer))
-+	*status = HTTP_STATUS_ERROR;
-+      else
-+	*status = HTTP_STATUS_CONTINUE;
-+      return (0);
-+    }
-+
-+    DEBUG_puts("2_httpUpdate: Found newline in buffer.");
-+  }
-+
-  /*
-   * Grab a single line from the connection...
-   */
- 
-   if (!httpGets(line, sizeof(line), http))
-   {
-+    DEBUG_puts("1_httpUpdate: Error reading request line.");
-     *status = HTTP_STATUS_ERROR;
-     return (0);
-   }
-@@ -4054,7 +4077,8 @@ http_debug_hex(const char *prefix,	/* I
- static ssize_t				/* O - Number of bytes read or -1 on error */
- http_read(http_t *http,			/* I - HTTP connection */
-           char   *buffer,		/* I - Buffer */
--          size_t length)		/* I - Maximum bytes to read */
-+          size_t length,		/* I - Maximum bytes to read */
-+          int    timeout)		/* I - Wait timeout */
- {
-   ssize_t	bytes;			/* Bytes read */
- 
-@@ -4063,7 +4087,7 @@ http_read(http_t *http,			/* I - HTTP co
- 
-   if (!http->blocking || http->timeout_value > 0.0)
-   {
--    while (!httpWait(http, http->wait_value))
-+    while (!_httpWait(http, timeout, 1))
-     {
-       if (http->timeout_cb && (*http->timeout_cb)(http, http->timeout_data))
- 	continue;
-@@ -4181,7 +4205,7 @@ http_read_buffered(http_t *http,	/* I -
-     else
-       bytes = (ssize_t)length;
- 
--    DEBUG_printf(("2http_read: Grabbing %d bytes from input buffer.",
-+    DEBUG_printf(("2http_read_buffered: Grabbing %d bytes from input buffer.",
-                   (int)bytes));
- 
-     memcpy(buffer, http->buffer, (size_t)bytes);
-@@ -4191,7 +4215,7 @@ http_read_buffered(http_t *http,	/* I -
-       memmove(http->buffer, http->buffer + bytes, (size_t)http->used);
-   }
-   else
--    bytes = http_read(http, buffer, length);
-+    bytes = http_read(http, buffer, length, http->wait_value);
- 
-   return (bytes);
- }
-@@ -4536,15 +4560,15 @@ http_set_timeout(int    fd,		/* I - File
- static void
- http_set_wait(http_t *http)		/* I - HTTP connection */
- {
--  if (http->blocking)
--  {
--    http->wait_value = (int)(http->timeout_value * 1000);
-+  http->wait_value = (int)(http->timeout_value * 1000);
- 
--    if (http->wait_value <= 0)
-+  if (http->wait_value <= 0)
-+  {
-+    if (http->blocking)
-       http->wait_value = 60000;
-+    else
-+      http->wait_value = 1000;
-   }
--  else
--    http->wait_value = 10000;
- }
- 
- 
-diff -up cups-2.2.6/cups/http-private.h.slow-client cups-2.2.6/cups/http-private.h
---- cups-2.2.6/cups/http-private.h.slow-client	2025-12-09 15:13:08.405517186 +0100
-+++ cups-2.2.6/cups/http-private.h	2025-12-09 15:14:41.466141368 +0100
-@@ -172,6 +172,7 @@ extern "C" {
-  * Constants...
-  */
- 
-+#  define _HTTP_MAX_BUFFER	32768	/* Size of read buffer */
- #  define _HTTP_MAX_SBUFFER	65536	/* Size of (de)compression buffer */
- #  define _HTTP_RESOLVE_DEFAULT	0	/* Just resolve with default options */
- #  define _HTTP_RESOLVE_STDERR	1	/* Log resolve progress to stderr */
-@@ -298,8 +299,8 @@ struct _http_s				/**** HTTP connection
-   http_encoding_t	data_encoding;	/* Chunked or not */
-   int			_data_remaining;/* Number of bytes left (deprecated) */
-   int			used;		/* Number of bytes used in buffer */
--  char			buffer[HTTP_MAX_BUFFER];
--					/* Buffer for incoming data */
-+  char			_buffer[HTTP_MAX_BUFFER];
-+					/* Old read buffer (deprecated) */
-   int			_auth_type;	/* Authentication in use (deprecated) */
-   _cups_md5_state_t	md5_state;	/* MD5 state */
-   char			nonce[HTTP_MAX_VALUE];
-@@ -368,6 +369,8 @@ struct _http_s				/**** HTTP connection
-   z_stream		stream;		/* (De)compression stream */
-   Bytef			*sbuffer;	/* (De)compression buffer */
- #  endif /* HAVE_LIBZ */
-+  char			buffer[_HTTP_MAX_BUFFER];
-+					/* Read buffer */
- };
- #  endif /* !_HTTP_NO_PRIVATE */
- 
-diff -up cups-2.2.6/scheduler/client.c.slow-client cups-2.2.6/scheduler/client.c
---- cups-2.2.6/scheduler/client.c.slow-client	2025-12-09 15:13:08.478315602 +0100
-+++ cups-2.2.6/scheduler/client.c	2025-12-09 15:23:26.936553480 +0100
-@@ -44,11 +44,11 @@
- 
- static int		check_if_modified(cupsd_client_t *con,
- 			                  struct stat *filestats);
--static int		compare_clients(cupsd_client_t *a, cupsd_client_t *b,
--			                void *data);
- #ifdef HAVE_SSL
--static int		cupsd_start_tls(cupsd_client_t *con, http_encryption_t e);
-+static int		check_start_tls(cupsd_client_t *con);
- #endif /* HAVE_SSL */
-+static int		compare_clients(cupsd_client_t *a, cupsd_client_t *b,
-+			                void *data);
- static char		*get_file(cupsd_client_t *con, struct stat *filestats,
- 			          char *filename, size_t len);
- static http_status_t	install_cupsd_conf(cupsd_client_t *con);
-@@ -423,14 +423,20 @@ cupsdAcceptClient(cupsd_listener_t *lis)
-   if (lis->encryption == HTTP_ENCRYPTION_ALWAYS)
-   {
-    /*
--    * https connection; go secure...
-+    * HTTPS connection, force TLS negotiation...
-     */
- 
--    if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
--      cupsdCloseClient(con);
-+    con->tls_start = time(NULL);
-+    con->encryption = HTTP_ENCRYPTION_ALWAYS;
-   }
-   else
-+  {
-+   /*
-+    * HTTP connection, but check for HTTPS negotiation on first data...
-+    */
-+
-     con->auto_ssl = 1;
-+  }
- #endif /* HAVE_SSL */
- }
- 
-@@ -673,17 +679,46 @@ cupsdReadClient(cupsd_client_t *con)	/*
- 
-     con->auto_ssl = 0;
- 
--    if (recv(httpGetFd(con->http), buf, 1, MSG_PEEK) == 1 &&
--        (!buf[0] || !strchr("DGHOPT", buf[0])))
-+    if (recv(httpGetFd(con->http), buf, 5, MSG_PEEK) == 5 && buf[0] == 0x16 && buf[1] == 3 && buf[2])
-     {
-      /*
--      * Encrypt this connection...
-+      * Client hello record, encrypt this connection...
-       */
- 
--      cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw first byte %02X, auto-negotiating SSL/TLS session.", buf[0] & 255);
-+      cupsdLogClient(con, CUPSD_LOG_DEBUG2, "Saw client hello record, auto-negotiating TLS session.");
-+      con->tls_start = time(NULL);
-+      con->encryption = HTTP_ENCRYPTION_ALWAYS;
-+    }
-+  }
- 
--      if (cupsd_start_tls(con, HTTP_ENCRYPTION_ALWAYS))
--        cupsdCloseClient(con);
-+  if (con->tls_start)
-+  {
-+   /*
-+    * Try negotiating TLS...
-+    */
-+
-+    int tls_status = check_start_tls(con);
-+
-+    if (tls_status < 0)
-+    {
-+     /*
-+      * TLS negotiation failed, close the connection.
-+      */
-+
-+      cupsdCloseClient(con);
-+      return;
-+    }
-+    else if (tls_status == 0)
-+    {
-+     /*
-+      * Nothing to do yet...
-+      */
-+
-+      if ((time(NULL) - con->tls_start) > 5)
-+      {
-+	// Timeout, close the connection...
-+	cupsdCloseClient(con);
-+      }
- 
-       return;
-     }
-@@ -847,9 +882,7 @@ cupsdReadClient(cupsd_client_t *con)	/*
-         * Parse incoming parameters until the status changes...
- 	*/
- 
--        while ((status = httpUpdate(con->http)) == HTTP_STATUS_CONTINUE)
--	  if (!httpGetReady(con->http))
--	    break;
-+	status = httpUpdate(con->http);
- 
- 	if (status != HTTP_STATUS_OK && status != HTTP_STATUS_CONTINUE)
- 	{
-@@ -999,11 +1032,10 @@ cupsdReadClient(cupsd_client_t *con)	/*
- 	  return;
- 	}
- 
--        if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
--        {
--	  cupsdCloseClient(con);
--	  return;
--	}
-+	con->tls_start = time(NULL);
-+	con->tls_upgrade = 1;
-+	con->encryption = HTTP_ENCRYPTION_REQUIRED;
-+	return;
- #else
- 	if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
- 	{
-@@ -1042,32 +1074,11 @@ cupsdReadClient(cupsd_client_t *con)	/*
-       if (!_cups_strcasecmp(httpGetField(con->http, HTTP_FIELD_CONNECTION),
-                             "Upgrade") && !httpIsEncrypted(con->http))
-       {
--#ifdef HAVE_SSL
--       /*
--        * Do encryption stuff...
--	*/
--
--        httpClearFields(con->http);
--
--	if (!cupsdSendHeader(con, HTTP_STATUS_SWITCHING_PROTOCOLS, NULL,
--	                     CUPSD_AUTH_NONE))
--	{
--	  cupsdCloseClient(con);
--	  return;
--	}
--
--        if (cupsd_start_tls(con, HTTP_ENCRYPTION_REQUIRED))
--        {
--	  cupsdCloseClient(con);
--	  return;
--	}
--#else
- 	if (!cupsdSendError(con, HTTP_STATUS_NOT_IMPLEMENTED, CUPSD_AUTH_NONE))
- 	{
- 	  cupsdCloseClient(con);
- 	  return;
- 	}
--#endif /* HAVE_SSL */
-       }
- 
-       if ((status = cupsdIsAuthorized(con, NULL)) != HTTP_STATUS_OK)
-@@ -3003,6 +3014,69 @@ check_if_modified(
- }
- 
- 
-+#ifdef HAVE_SSL
-+/*
-+ * 'check_start_tls()' - Start encryption on a connection.
-+ */
-+
-+static int				/* O - 0 to continue, 1 on success, -1 on error */
-+check_start_tls(cupsd_client_t *con)	/* I - Client connection */
-+{
-+  unsigned char	chello[4096];		/* Client hello record */
-+  ssize_t	chello_bytes;		/* Bytes read/peeked */
-+  int		chello_len;		/* Length of record */
-+
-+
-+ /*
-+  * See if we have a good and complete client hello record...
-+  */
-+
-+  if ((chello_bytes = recv(httpGetFd(con->http), (char *)chello, sizeof(chello), MSG_PEEK)) < 5)
-+    return (0);				/* Not enough bytes (yet) */
-+
-+  if (chello[0] != 0x016 || chello[1] != 3 || chello[2] == 0)
-+    return (-1);			/* Not a TLS Client Hello record */
-+
-+  chello_len = (chello[3] << 8) | chello[4];
-+
-+  if ((chello_len + 5) > chello_bytes)
-+    return (0);				/* Not enough bytes yet */
-+
-+ /*
-+  * OK, we do, try negotiating...
-+  */
-+
-+  con->tls_start = 0;
-+
-+  if (httpEncryption(con->http, con->encryption))
-+  {
-+    cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s", cupsLastErrorString());
-+    return (-1);
-+  }
-+
-+  cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted.");
-+
-+  if (con->tls_upgrade)
-+  {
-+    // Respond to the original OPTIONS command...
-+    con->tls_upgrade = 0;
-+
-+    httpClearFields(con->http);
-+    httpClearCookie(con->http);
-+    httpSetField(con->http, HTTP_FIELD_CONTENT_LENGTH, "0");
-+
-+    if (!cupsdSendHeader(con, HTTP_STATUS_OK, NULL, CUPSD_AUTH_NONE))
-+    {
-+      cupsdCloseClient(con);
-+      return (-1);
-+    }
-+  }
-+
-+  return (1);
-+}
-+#endif /* HAVE_SSL */
-+
-+
- /*
-  * 'compare_clients()' - Compare two client connections.
-  */
-@@ -3023,28 +3097,6 @@ compare_clients(cupsd_client_t *a,	/* I
- }
- 
- 
--#ifdef HAVE_SSL
--/*
-- * 'cupsd_start_tls()' - Start encryption on a connection.
-- */
--
--static int				/* O - 0 on success, -1 on error */
--cupsd_start_tls(cupsd_client_t    *con,	/* I - Client connection */
--                http_encryption_t e)	/* I - Encryption mode */
--{
--  if (httpEncryption(con->http, e))
--  {
--    cupsdLogClient(con, CUPSD_LOG_ERROR, "Unable to encrypt connection: %s",
--                   cupsLastErrorString());
--    return (-1);
--  }
--
--  cupsdLogClient(con, CUPSD_LOG_DEBUG, "Connection now encrypted.");
--  return (0);
--}
--#endif /* HAVE_SSL */
--
--
- /*
-  * 'get_file()' - Get a filename and state info.
-  */
-diff -up cups-2.2.6/scheduler/client.h.slow-client cups-2.2.6/scheduler/client.h
---- cups-2.2.6/scheduler/client.h.slow-client	2025-12-09 15:13:08.395814648 +0100
-+++ cups-2.2.6/scheduler/client.h	2025-12-09 15:36:24.758565531 +0100
-@@ -59,6 +59,9 @@ struct cupsd_client_s
-   cups_lang_t		*language;	/* Language to use */
- #ifdef HAVE_SSL
-   int			auto_ssl;	/* Automatic test for SSL/TLS */
-+  time_t		tls_start;	/* Do TLS negotiation? */
-+  int			tls_upgrade;	/* Doing TLS upgrade via OPTIONS? */
-+  http_encryption_t	encryption;	/* Type of TLS negotiation */
- #endif /* HAVE_SSL */
-   http_addr_t		clientaddr;	/* Client's server address */
-   char			clientname[256];/* Client's server name for connection */
-diff -up cups-2.2.6/scheduler/select.c.slow-client cups-2.2.6/scheduler/select.c
---- cups-2.2.6/scheduler/select.c.slow-client	2017-11-01 15:57:53.000000000 +0100
-+++ cups-2.2.6/scheduler/select.c	2025-12-09 15:13:08.508485767 +0100
-@@ -412,6 +412,9 @@ cupsdDoSelect(long timeout)		/* I - Time
- 
-   cupsd_in_select = 1;
- 
-+  // Prevent 100% CPU by releasing control before the kevent call...
-+  usleep(1);
-+
-   if (timeout >= 0 && timeout < 86400)
-   {
-     ktimeout.tv_sec  = timeout;
-@@ -458,6 +461,9 @@ cupsdDoSelect(long timeout)		/* I - Time
-     struct epoll_event	*event;		/* Current event */
- 
- 
-+    // Prevent 100% CPU by releasing control before the epoll_wait call...
-+    usleep(1);
-+
-     if (timeout >= 0 && timeout < 86400)
-       nfds = epoll_wait(cupsd_epoll_fd, cupsd_epoll_events, MaxFDs,
-                 	timeout * 1000);
-@@ -550,6 +556,9 @@ cupsdDoSelect(long timeout)		/* I - Time
-     }
-   }
- 
-+  // Prevent 100% CPU by releasing control before the poll call...
-+  usleep(1);
-+
-   if (timeout >= 0 && timeout < 86400)
-     nfds = poll(cupsd_pollfds, (nfds_t)count, timeout * 1000);
-   else
-@@ -603,6 +612,9 @@ cupsdDoSelect(long timeout)		/* I - Time
-   cupsd_current_input  = cupsd_global_input;
-   cupsd_current_output = cupsd_global_output;
- 
-+  // Prevent 100% CPU by releasing control before the select call...
-+  usleep(1);
-+
-   if (timeout >= 0 && timeout < 86400)
-   {
-     stimeout.tv_sec  = timeout;

SOURCES/cups-check-for-listeners.patch

@@ -1,94 +0,0 @@
-diff --git a/scheduler/conf.c b/scheduler/conf.c
-index c113eb3..77ce179 100644
---- a/scheduler/conf.c
-+++ b/scheduler/conf.c
-@@ -573,6 +573,18 @@ cupsdReadConfiguration(void)
- 
-   cupsdDeleteAllListeners();
- 
-+ /*
-+  * Allocate Listeners array
-+  */
-+
-+  Listeners = cupsArrayNew(NULL, NULL);
-+
-+  if (!Listeners)
-+  {
-+    fprintf(stderr, "Unable to allocate memory for array Listeners.\n");
-+    return (0);
-+  }
-+
-   old_remote_port = RemotePort;
-   RemotePort      = 0;
- 
-@@ -1080,28 +1092,6 @@ cupsdReadConfiguration(void)
-     }
-   }
- 
-- /*
--  * Check that we have at least one listen/port line; if not, report this
--  * as an error and exit!
--  */
--
--  if (cupsArrayCount(Listeners) == 0)
--  {
--   /*
--    * No listeners!
--    */
--
--    cupsdLogMessage(CUPSD_LOG_EMERG,
--                    "No valid Listen or Port lines were found in the "
--		    "configuration file.");
--
--   /*
--    * Commit suicide...
--    */
--
--    cupsdEndProcess(getpid(), 0);
--  }
--
-  /*
-   * Set the default locale using the language and charset...
-   */
-@@ -3162,17 +3152,6 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
-         * Allocate another listener...
- 	*/
- 
--        if (!Listeners)
--	  Listeners = cupsArrayNew(NULL, NULL);
--
--	if (!Listeners)
--	{
--          cupsdLogMessage(CUPSD_LOG_ERROR,
--	                  "Unable to allocate %s at line %d - %s.",
--	                  line, linenum, strerror(errno));
--          break;
--	}
--
-         if ((lis = calloc(1, sizeof(cupsd_listener_t))) == NULL)
- 	{
-           cupsdLogMessage(CUPSD_LOG_ERROR,
-diff --git a/scheduler/main.c b/scheduler/main.c
-index a6e2c3a..b935c52 100644
---- a/scheduler/main.c
-+++ b/scheduler/main.c
-@@ -2113,6 +2113,21 @@ service_checkin(void)
-     service_add_listener(fd, 0);
-   }
- #endif /* HAVE_LAUNCHD */
-+
-+  if (cupsArrayCount(Listeners) == 0)
-+  {
-+   /*
-+    * No listeners!
-+    */
-+
-+    cupsdLogMessage(CUPSD_LOG_EMERG, "No listener sockets present.");
-+
-+   /*
-+    * Commit suicide...
-+    */
-+
-+    cupsdEndProcess(getpid(), 0);
-+  }
- }

SOURCES/cups-lspp.patch

@@ -1,11 +1,10 @@
-diff -up cups-2.2.6/config.h.in.lspp cups-2.2.6/config.h.in
+diff -up cups-2.2.5/config.h.in.lspp cups-2.2.5/config.h.in
---- cups-2.2.6/config.h.in.lspp	2017-11-01 15:57:53.000000000 +0100
+--- cups-2.2.5/config.h.in.lspp	2017-10-13 20:22:26.000000000 +0200
-+++ cups-2.2.6/config.h.in	2024-08-15 14:55:07.310818870 +0200
++++ cups-2.2.5/config.h.in	2017-10-17 19:06:19.640228964 +0200
-@@ -730,4 +730,12 @@ static __inline int _cups_abs(int i) { r
+@@ -730,4 +730,11 @@ static __inline int _cups_abs(int i) { r
  #  endif /* __GNUC__ || __STDC_VERSION__ */
  #endif /* !HAVE_ABS && !abs */
  
-+
 +/*
 + * Are we trying to meet LSPP requirements?
 + */
@@ -14,9 +13,9 @@ diff -up cups-2.2.6/config.h.in.lspp cups-2.2.6/config.h.in
 +
 +
  #endif /* !_CUPS_CONFIG_H_ */
-diff -up cups-2.2.6/config-scripts/cups-lspp.m4.lspp cups-2.2.6/config-scripts/cups-lspp.m4
+diff -up cups-2.2.5/config-scripts/cups-lspp.m4.lspp cups-2.2.5/config-scripts/cups-lspp.m4
---- cups-2.2.6/config-scripts/cups-lspp.m4.lspp	2024-08-15 14:55:07.310818870 +0200
+--- cups-2.2.5/config-scripts/cups-lspp.m4.lspp	2017-10-17 19:06:19.640228964 +0200
-+++ cups-2.2.6/config-scripts/cups-lspp.m4	2024-08-15 14:55:07.310818870 +0200
++++ cups-2.2.5/config-scripts/cups-lspp.m4	2017-10-17 19:06:19.640228964 +0200
 @@ -0,0 +1,36 @@
 +dnl
 +dnl   LSPP code for the Common UNIX Printing System (CUPS).
@@ -41,7 +40,7 @@ diff -up cups-2.2.6/config-scripts/cups-lspp.m4.lspp cups-2.2.6/config-scripts/c
 +AC_ARG_ENABLE(lspp, [  --enable-lspp           turn on auditing and label support, default=no])
 +
 +if test x"$enable_lspp" != xno; then
-+    case "$(uname)" in
++    case "$uname" in
 +        Linux)
 +            AC_CHECK_LIB(audit,audit_log_user_message, [LIBAUDIT="-laudit" AC_SUBST(LIBAUDIT)])
 +            AC_CHECK_HEADER(libaudit.h)
@@ -54,9 +53,9 @@ diff -up cups-2.2.6/config-scripts/cups-lspp.m4.lspp cups-2.2.6/config-scripts/c
 +            ;;
 +    esac
 +fi
-diff -up cups-2.2.6/configure.ac.lspp cups-2.2.6/configure.ac
+diff -up cups-2.2.5/configure.ac.lspp cups-2.2.5/configure.ac
---- cups-2.2.6/configure.ac.lspp	2017-11-01 15:57:53.000000000 +0100
+--- cups-2.2.5/configure.ac.lspp	2017-10-13 20:22:26.000000000 +0200
-+++ cups-2.2.6/configure.ac	2024-08-15 14:55:07.310818870 +0200
++++ cups-2.2.5/configure.ac	2017-10-17 19:06:19.640228964 +0200
 @@ -38,6 +38,8 @@ sinclude(config-scripts/cups-startup.m4)
  sinclude(config-scripts/cups-defaults.m4)
  sinclude(config-scripts/cups-scripting.m4)
@@ -66,9 +65,9 @@ diff -up cups-2.2.6/configure.ac.lspp cups-2.2.6/configure.ac
  INSTALL_LANGUAGES=""
  UNINSTALL_LANGUAGES=""
  LANGFILES=""
-diff -up cups-2.2.6/filter/common.c.lspp cups-2.2.6/filter/common.c
+diff -up cups-2.2.5/filter/common.c.lspp cups-2.2.5/filter/common.c
---- cups-2.2.6/filter/common.c.lspp	2017-11-01 15:57:53.000000000 +0100
+--- cups-2.2.5/filter/common.c.lspp	2017-10-13 20:22:26.000000000 +0200
-+++ cups-2.2.6/filter/common.c	2024-08-15 14:55:07.310818870 +0200
++++ cups-2.2.5/filter/common.c	2017-10-17 19:06:19.640228964 +0200
 @@ -17,6 +17,12 @@
   * Include necessary headers...
   */
@@ -237,9 +236,9 @@ diff -up cups-2.2.6/filter/common.c.lspp cups-2.2.6/filter/common.c
  
  
  /*
-diff -up cups-2.2.6/filter/pstops.c.lspp cups-2.2.6/filter/pstops.c
+diff -up cups-2.2.5/filter/pstops.c.lspp cups-2.2.5/filter/pstops.c
---- cups-2.2.6/filter/pstops.c.lspp	2017-11-01 15:57:53.000000000 +0100
+--- cups-2.2.5/filter/pstops.c.lspp	2017-10-13 20:22:26.000000000 +0200
-+++ cups-2.2.6/filter/pstops.c	2024-08-15 14:55:07.311818856 +0200
++++ cups-2.2.5/filter/pstops.c	2017-10-17 19:06:19.641228955 +0200
 @@ -3176,6 +3176,18 @@ write_label_prolog(pstops_doc_t *doc,	/*
  {
    const char	*classification;	/* CLASSIFICATION environment variable */
@@ -395,21 +394,21 @@ diff -up cups-2.2.6/filter/pstops.c.lspp cups-2.2.6/filter/pstops.c
  
  
  /*
-diff -up cups-2.2.6/Makedefs.in.lspp cups-2.2.6/Makedefs.in
+diff -up cups-2.2.5/Makedefs.in.lspp cups-2.2.5/Makedefs.in
---- cups-2.2.6/Makedefs.in.lspp	2017-11-01 15:57:53.000000000 +0100
+--- cups-2.2.5/Makedefs.in.lspp	2017-10-13 20:22:26.000000000 +0200
-+++ cups-2.2.6/Makedefs.in	2024-08-15 14:55:07.310818870 +0200
++++ cups-2.2.5/Makedefs.in	2017-10-17 19:06:19.641228955 +0200
-@@ -145,7 +145,7 @@ ARFLAGS		=	@ARFLAGS@
+@@ -161,7 +161,7 @@ LDFLAGS		=	-L../cgi-bin -L../cups -L../f
- BACKLIBS	=	@BACKLIBS@
+ 			@LDFLAGS@ @RELROFLAGS@ @PIEFLAGS@ $(OPTIM)
- BUILDDIRS	=	@BUILDDIRS@
+ LINKCUPS	=	@LINKCUPS@ $(LIBGSSAPI) $(DNSSDLIBS) $(SSLLIBS) $(LIBZ)
- CFLAGS		=	@CPPFLAGS@ @CFLAGS@
+ LINKCUPSIMAGE	=	@LINKCUPSIMAGE@
--COMMONLIBS	=	@LIBS@
+-LIBS		=	$(LINKCUPS) $(COMMONLIBS)
-+COMMONLIBS	=	@LIBS@ @LIBAUDIT@ @LIBSELINUX@
++LIBS		=	$(LINKCUPS) $(COMMONLIBS) @LIBAUDIT@ @LIBSELINUX@
- CXXFLAGS	=	@CPPFLAGS@ @CXXFLAGS@
+ ONDEMANDFLAGS	=	@ONDEMANDFLAGS@
- CXXLIBS		=	@CXXLIBS@
+ ONDEMANDLIBS	=	@ONDEMANDLIBS@
- DBUS_NOTIFIER	=	@DBUS_NOTIFIER@
+ OPTIM		=	@OPTIM@
-diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c
+diff -up cups-2.2.5/scheduler/client.c.lspp cups-2.2.5/scheduler/client.c
---- cups-2.2.6/scheduler/client.c.lspp	2017-11-01 15:57:53.000000000 +0100
+--- cups-2.2.5/scheduler/client.c.lspp	2017-10-13 20:22:26.000000000 +0200
-+++ cups-2.2.6/scheduler/client.c	2024-08-15 14:55:07.311818856 +0200
++++ cups-2.2.5/scheduler/client.c	2017-10-17 19:06:19.689228556 +0200
 @@ -22,12 +22,20 @@
  #define _HTTP_NO_PRIVATE
  #include "cupsd.h"
@@ -491,19 +490,7 @@ diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c
  #ifdef AF_LOCAL
    if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
    {
-@@ -522,6 +583,11 @@ cupsdCloseClient(cupsd_client_t *con)	/*
+@@ -562,6 +623,13 @@ cupsdReadClient(cupsd_client_t *con)	/*
-     }
- #endif /* HAVE_AUTHORIZATION_H */
- 
-+#ifdef WITH_LSPP
-+    if (con->scon)
-+      cupsdClearString(&con->scon);
-+#endif /* WITH_LSPP */
-+
-    /*
-     * Re-enable new client connections if we are going back under the
-     * limit...
-@@ -562,6 +628,13 @@ cupsdReadClient(cupsd_client_t *con)	/*
    mime_type_t		*type;		/* MIME type of file */
    cupsd_printer_t	*p;		/* Printer */
    static unsigned	request_id = 0;	/* Request ID for temp files */
@@ -517,10 +504,10 @@ diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c
  
  
    status = HTTP_STATUS_CONTINUE;
-@@ -1924,7 +1997,73 @@ cupsdReadClient(cupsd_client_t *con)	/*
+@@ -1926,6 +1994,73 @@ cupsdReadClient(cupsd_client_t *con)	/*
- 	    fchmod(con->file, 0640);
- 	    fchown(con->file, RunUser, Group);
              fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC);
+ 	  }
+ 
 +#ifdef WITH_LSPP
 +	  if (strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0)
 +	  {
@@ -585,13 +572,13 @@ diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c
 +			   con->filename, context_str(tmpcon));
 +	    context_free(tmpcon);
 +	    context_free(clicon);
- 	  }
++	  }
 +#endif /* WITH_LSPP */
-+	}
++
- 
  	  if (httpGetState(con->http) != HTTP_STATE_POST_SEND)
  	  {
-@@ -3456,6 +3595,49 @@ is_path_absolute(const char *path)	/* I
+ 	    if (!httpWait(con->http, 0))
+@@ -3456,6 +3591,49 @@ is_path_absolute(const char *path)	/* I
    return (1);
  }
  
@@ -641,9 +628,9 @@ diff -up cups-2.2.6/scheduler/client.c.lspp cups-2.2.6/scheduler/client.c
  
  /*
   * 'pipe_command()' - Pipe the output of a command to the remote client.
-diff -up cups-2.2.6/scheduler/client.h.lspp cups-2.2.6/scheduler/client.h
+diff -up cups-2.2.5/scheduler/client.h.lspp cups-2.2.5/scheduler/client.h
---- cups-2.2.6/scheduler/client.h.lspp	2017-11-01 15:57:53.000000000 +0100
+--- cups-2.2.5/scheduler/client.h.lspp	2017-10-13 20:22:26.000000000 +0200
-+++ cups-2.2.6/scheduler/client.h	2024-08-15 14:55:07.312818843 +0200
++++ cups-2.2.5/scheduler/client.h	2017-10-17 19:06:19.690228548 +0200
 @@ -16,6 +16,13 @@
  #endif /* HAVE_AUTHORIZATION_H */
  
@@ -669,20 +656,19 @@ diff -up cups-2.2.6/scheduler/client.h.lspp cups-2.2.6/scheduler/client.h
  };
  
  #define HTTP(con) ((con)->http)
-@@ -139,6 +150,10 @@ extern void	cupsdStopListening(void);
+@@ -138,6 +149,9 @@ extern void	cupsdStartListening(void);
+ extern void	cupsdStopListening(void);
  extern void	cupsdUpdateCGI(void);
  extern void	cupsdWriteClient(cupsd_client_t *con);
- 
 +#ifdef WITH_LSPP
 +extern uid_t	client_pid_to_auid(pid_t clipid);
 +#endif /* WITH_LSPP */
-+
+ 
  #ifdef HAVE_SSL
  extern int	cupsdEndTLS(cupsd_client_t *con);
- extern int	cupsdStartTLS(cupsd_client_t *con);
+diff -up cups-2.2.5/scheduler/conf.c.lspp cups-2.2.5/scheduler/conf.c
-diff -up cups-2.2.6/scheduler/conf.c.lspp cups-2.2.6/scheduler/conf.c
+--- cups-2.2.5/scheduler/conf.c.lspp	2017-10-17 19:06:19.637228989 +0200
---- cups-2.2.6/scheduler/conf.c.lspp	2024-08-15 14:55:07.306818923 +0200
++++ cups-2.2.5/scheduler/conf.c	2017-10-17 19:06:19.691228540 +0200
-+++ cups-2.2.6/scheduler/conf.c	2024-08-15 14:55:07.312818843 +0200
 @@ -40,6 +40,9 @@
  #  define INADDR_NONE	0xffffffff
  #endif /* !INADDR_NONE */
@@ -740,7 +726,7 @@ diff -up cups-2.2.6/scheduler/conf.c.lspp cups-2.2.6/scheduler/conf.c
    cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.",
                    RemotePort ? "enabled" : "disabled");
  
-@@ -1277,7 +1306,19 @@ cupsdReadConfiguration(void)
+@@ -1286,7 +1315,19 @@ cupsdReadConfiguration(void)
      cupsdClearString(&Classification);
  
    if (Classification)
@@ -760,7 +746,7 @@ diff -up cups-2.2.6/scheduler/conf.c.lspp cups-2.2.6/scheduler/conf.c
  
   /*
    * Check the MaxClients setting, and then allocate memory for it...
-@@ -3761,6 +3802,18 @@ read_location(cups_file_t *fp,		/* I - C
+@@ -3770,6 +3811,18 @@ read_location(cups_file_t *fp,		/* I - C
    return ((FatalErrors & CUPSD_FATAL_CONFIG) ? 0 : linenum);
  }
  
@@ -779,9 +765,9 @@ diff -up cups-2.2.6/scheduler/conf.c.lspp cups-2.2.6/scheduler/conf.c
  
  /*
   * 'read_policy()' - Read a <Policy name> definition.
-diff -up cups-2.2.6/scheduler/conf.h.lspp cups-2.2.6/scheduler/conf.h
+diff -up cups-2.2.5/scheduler/conf.h.lspp cups-2.2.5/scheduler/conf.h
---- cups-2.2.6/scheduler/conf.h.lspp	2024-08-15 14:55:07.250819672 +0200
+--- cups-2.2.5/scheduler/conf.h.lspp	2017-10-17 19:06:19.585229421 +0200
-+++ cups-2.2.6/scheduler/conf.h	2024-08-15 14:55:07.312818843 +0200
++++ cups-2.2.5/scheduler/conf.h	2017-10-17 19:06:19.691228540 +0200
 @@ -250,6 +250,13 @@ VAR char		*ServerKeychain		VALUE(NULL);
  					/* Keychain holding cert + key */
  #endif /* HAVE_SSL */
@@ -806,10 +792,19 @@ diff -up cups-2.2.6/scheduler/conf.h.lspp cups-2.2.6/scheduler/conf.h
  
  /*
   * Prototypes...
-diff -up cups-2.2.6/scheduler/cupsd.h.lspp cups-2.2.6/scheduler/cupsd.h
+diff -up cups-2.2.5/scheduler/cupsd.h.lspp cups-2.2.5/scheduler/cupsd.h
---- cups-2.2.6/scheduler/cupsd.h.lspp	2024-08-15 14:55:07.298819030 +0200
+--- cups-2.2.5/scheduler/cupsd.h.lspp	2017-10-17 19:06:19.626229080 +0200
-+++ cups-2.2.6/scheduler/cupsd.h	2024-08-15 14:55:07.312818843 +0200
++++ cups-2.2.5/scheduler/cupsd.h	2017-10-17 19:06:19.691228540 +0200
-@@ -36,6 +36,14 @@
+@@ -11,6 +11,8 @@
+  * file is missing or damaged, see the license at "http://www.cups.org/".
+  */
+ 
++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
+ 
+ /*
+  * Include necessary headers.
+@@ -36,13 +38,20 @@
  #  include <unistd.h>
  #endif /* WIN32 */
  
@@ -824,17 +819,27 @@ diff -up cups-2.2.6/scheduler/cupsd.h.lspp cups-2.2.6/scheduler/cupsd.h
  #include "mime.h"
  
  #if defined(HAVE_CDSASSL)
-@@ -248,4 +256,4 @@ extern void     cupsdRunTimeout (cupsd_t
+ #  include <CoreFoundation/CoreFoundation.h>
- extern void     cupsdUpdateTimeout (cupsd_timeout_t *timeout,
+ #endif /* HAVE_CDSASSL */
- 				    const struct timeval *tv);
+ 
- extern void     cupsdRemoveTimeout (cupsd_timeout_t *timeout);
+-
--#endif /* HAVE_AVAHI */
+ /*
-\ No newline at end of file
+  * Some OS's don't have hstrerror(), most notably Solaris...
-+#endif /* HAVE_AVAHI */
+  */
-diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
+diff -up cups-2.2.5/scheduler/ipp.c.lspp cups-2.2.5/scheduler/ipp.c
---- cups-2.2.6/scheduler/ipp.c.lspp	2024-08-15 14:55:07.268819431 +0200
+--- cups-2.2.5/scheduler/ipp.c.lspp	2017-10-17 19:06:19.599229305 +0200
-+++ cups-2.2.6/scheduler/ipp.c	2024-08-15 14:56:15.961900807 +0200
++++ cups-2.2.5/scheduler/ipp.c	2017-10-17 19:06:19.695228506 +0200
-@@ -37,6 +37,12 @@ extern int mbr_check_membership_by_id(uu
+@@ -14,6 +14,9 @@
+  * missing or damaged, see the license at "http://www.cups.org/".
+  */
+ 
++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
++
+ /*
+  * Include necessary headers...
+  */
+@@ -37,6 +40,14 @@ extern int mbr_check_membership_by_id(uu
  #  endif /* HAVE_MEMBERSHIPPRIV_H */
  #endif /* __APPLE__ */
  
@@ -843,11 +848,13 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
 +#include <selinux/selinux.h>
 +#include <selinux/context.h>
 +#include <selinux/avc.h>
++#include <selinux/flask.h>
++#include <selinux/av_permissions.h>
 +#endif /* WITH_LSPP */
  
  /*
   * Local functions...
-@@ -61,6 +67,9 @@ static void	cancel_all_jobs(cupsd_client
+@@ -61,6 +72,9 @@ static void	cancel_all_jobs(cupsd_client
  static void	cancel_job(cupsd_client_t *con, ipp_attribute_t *uri);
  static void	cancel_subscription(cupsd_client_t *con, int id);
  static int	check_rss_recipient(const char *recipient);
@@ -857,7 +864,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
  static int	check_quotas(cupsd_client_t *con, cupsd_printer_t *p);
  static void	close_job(cupsd_client_t *con, ipp_attribute_t *uri);
  static void	copy_attrs(ipp_t *to, ipp_t *from, cups_array_t *ra,
-@@ -1286,6 +1295,21 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+@@ -1286,6 +1300,21 @@ add_job(cupsd_client_t  *con,		/* I - Cl
      "time-at-creation",
      "time-at-processing"
    };
@@ -879,7 +886,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
  
  
    cupsdLogMessage(CUPSD_LOG_DEBUG2, "add_job(%p[%d], %p(%s), %p(%s/%s))",
-@@ -1607,6 +1631,106 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+@@ -1597,6 +1626,106 @@ add_job(cupsd_client_t  *con,		/* I - Cl
      return (NULL);
    }
  
@@ -916,18 +923,18 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
 +	/*
 +	 * The printer does not exist, so for now assume it's a FileDevice
 +	 */
-+        tclass = string_to_security_class("file");
++	tclass = SECCLASS_FILE;
-+        avr = string_to_av_perm(tclass, "write");
++	avr = FILE__WRITE;
 +      }
 +      else if (S_ISCHR(printerstat.st_mode))
 +      {
-+        tclass = string_to_security_class("chr_file");
++	tclass = SECCLASS_CHR_FILE;
-+        avr = string_to_av_perm(tclass, "write");
++	avr = CHR_FILE__WRITE;
 +      }
 +      else if (S_ISREG(printerstat.st_mode))
 +      {
-+        tclass = string_to_security_class("file");
++	tclass = SECCLASS_FILE;
-+        avr = string_to_av_perm(tclass, "write");
++	avr = FILE__WRITE;
 +      }
 +      else
 +      {
@@ -986,7 +993,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
    if ((job = cupsdAddJob(priority, printer->name)) == NULL)
    {
      send_ipp_status(con, IPP_INTERNAL_ERROR,
-@@ -1615,6 +1739,32 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+@@ -1605,6 +1734,32 @@ add_job(cupsd_client_t  *con,		/* I - Cl
      return (NULL);
    }
  
@@ -1019,7 +1026,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
    job->dtype   = printer->type & (CUPS_PRINTER_CLASS | CUPS_PRINTER_REMOTE);
    job->attrs   = con->request;
    job->dirty   = 1;
-@@ -1802,6 +1952,29 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+@@ -1794,6 +1949,29 @@ add_job(cupsd_client_t  *con,		/* I - Cl
        ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]);
        ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]);
      }
@@ -1049,7 +1056,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
  
      job->job_sheets = attr;
  
-@@ -1832,6 +2005,9 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+@@ -1824,6 +2002,9 @@ add_job(cupsd_client_t  *con,		/* I - Cl
  	                		     "job-sheets=\"%s,none\", "
  					     "job-originating-user-name=\"%s\"",
  	              Classification, job->username);
@@ -1059,7 +1066,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
  	}
  	else if (attr->num_values == 2 &&
  	         strcmp(attr->values[0].string.text,
-@@ -1850,6 +2026,9 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+@@ -1842,6 +2023,9 @@ add_job(cupsd_client_t  *con,		/* I - Cl
  					     "job-originating-user-name=\"%s\"",
  		      attr->values[0].string.text,
  		      attr->values[1].string.text, job->username);
@@ -1069,7 +1076,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
  	}
  	else if (strcmp(attr->values[0].string.text, Classification) &&
  	         strcmp(attr->values[0].string.text, "none") &&
-@@ -1870,6 +2049,9 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+@@ -1862,6 +2046,9 @@ add_job(cupsd_client_t  *con,		/* I - Cl
  			"job-originating-user-name=\"%s\"",
  			attr->values[0].string.text,
  			attr->values[1].string.text, job->username);
@@ -1079,14 +1086,14 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
          }
        }
        else if (strcmp(attr->values[0].string.text, Classification) &&
-@@ -1910,9 +2092,55 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+@@ -1902,8 +2089,52 @@ add_job(cupsd_client_t  *con,		/* I - Cl
  		      "job-sheets=\"%s\", "
  		      "job-originating-user-name=\"%s\"",
  		      Classification, job->username);
 +#ifdef WITH_LSPP
 +	override = 1;
 +#endif /* WITH_LSPP */
-+      }
+       }
 +#ifdef WITH_LSPP
 +      if (is_lspp_config() && AuditLog != -1)
 +      {
@@ -1120,22 +1127,19 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
 +	  }
 +          cupsdClearString(&audit_message);
 +	}
-       }
++      }
++
++      if (userheader)
++        free(userheader);
++      if (userfooter)
++        free(userfooter);
 +#endif /* WITH_LSPP */
      }
++    
  
-+#ifdef WITH_LSPP
-+    if (userheader)
-+      free(userheader);
-+    if (userfooter)
-+      free(userfooter);
-+#endif /* WITH_LSPP */
-+
-+
     /*
      * See if we need to add the starting sheet...
-     */
+@@ -3686,6 +3917,128 @@ check_rss_recipient(
-@@ -3694,6 +3922,128 @@ check_rss_recipient(
  }
  
  
@@ -1207,8 +1211,8 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
 +    return -1;
 +  }
 +  avc_entry_ref_init(&avcref);
-+  tclass = string_to_security_class("file");
++  tclass = SECCLASS_FILE;
-+  avr = string_to_av_perm(tclass, "read");
++  avr = FILE__READ;
 +
 + /*
 +  * Perform the check with the client as the subject, first with the job as the object
@@ -1264,7 +1268,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
  /*
   * 'check_quotas()' - Check quotas for a printer and user.
   */
-@@ -4150,6 +4500,15 @@ copy_banner(cupsd_client_t *con,	/* I -
+@@ -4142,6 +4495,15 @@ copy_banner(cupsd_client_t *con,	/* I -
    char		attrname[255],		/* Name of attribute */
  		*s;			/* Pointer into name */
    ipp_attribute_t *attr;		/* Attribute */
@@ -1280,7 +1284,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
  
  
    cupsdLogMessage(CUPSD_LOG_DEBUG2,
-@@ -4185,6 +4544,85 @@ copy_banner(cupsd_client_t *con,	/* I -
+@@ -4177,6 +4539,85 @@ copy_banner(cupsd_client_t *con,	/* I -
  
    fchmod(cupsFileNumber(out), 0640);
    fchown(cupsFileNumber(out), RunUser, Group);
@@ -1366,7 +1370,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
  
   /*
    * Try the localized banner file under the subdirectory...
-@@ -4279,6 +4717,24 @@ copy_banner(cupsd_client_t *con,	/* I -
+@@ -4271,6 +4712,24 @@ copy_banner(cupsd_client_t *con,	/* I -
        else
          s = attrname;
  
@@ -1391,7 +1395,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
        if (!strcmp(s, "printer-name"))
        {
          cupsFilePuts(out, job->dest);
-@@ -6467,6 +6923,22 @@ get_job_attrs(cupsd_client_t  *con,	/* I
+@@ -6459,6 +6918,22 @@ get_job_attrs(cupsd_client_t  *con,	/* I
  
    exclude = cupsdGetPrivateAttrs(policy, con, printer, job->username);
  
@@ -1414,7 +1418,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
   /*
    * Copy attributes...
    */
-@@ -6864,6 +7336,11 @@ get_jobs(cupsd_client_t  *con,		/* I - C
+@@ -6856,6 +7331,11 @@ get_jobs(cupsd_client_t  *con,		/* I - C
        if (username[0] && _cups_strcasecmp(username, job->username))
  	continue;
  
@@ -1426,7 +1430,7 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
        if (count > 0)
  	ippAddSeparator(con->response);
  
-@@ -11495,6 +11972,11 @@ validate_user(cupsd_job_t    *job,	/* I
+@@ -11487,6 +11967,11 @@ validate_user(cupsd_job_t    *job,	/* I
  
    strlcpy(username, get_username(con), userlen);
  
@@ -1438,10 +1442,20 @@ diff -up cups-2.2.6/scheduler/ipp.c.lspp cups-2.2.6/scheduler/ipp.c
   /*
    * Check the username against the owner...
    */
-diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
+diff -up cups-2.2.5/scheduler/job.c.lspp cups-2.2.5/scheduler/job.c
---- cups-2.2.6/scheduler/job.c.lspp	2024-08-15 14:55:07.278819298 +0200
+--- cups-2.2.5/scheduler/job.c.lspp	2017-10-17 19:06:19.607229238 +0200
-+++ cups-2.2.6/scheduler/job.c	2024-08-15 14:55:07.316818790 +0200
++++ cups-2.2.5/scheduler/job.c	2017-10-17 19:06:19.696228498 +0200
-@@ -26,6 +26,12 @@
+@@ -11,6 +11,9 @@
+  * missing or damaged, see the license at "http://www.cups.org/".
+  */
+ 
++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
++
+ /*
+  * Include necessary headers...
+  */
+@@ -26,6 +29,14 @@
  #  endif /* HAVE_IOKIT_PWR_MGT_IOPMLIBPRIVATE_H */
  #endif /* __APPLE__ */
  
@@ -1450,11 +1464,13 @@ diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
 +#include <selinux/selinux.h>
 +#include <selinux/context.h>
 +#include <selinux/avc.h>
++#include <selinux/flask.h>
++#include <selinux/av_permissions.h>
 +#endif /* WITH_LSPP */
  
  /*
   * Design Notes for Job Management
-@@ -547,6 +553,14 @@ cupsdContinueJob(cupsd_job_t *job)	/* I
+@@ -547,6 +558,14 @@ cupsdContinueJob(cupsd_job_t *job)	/* I
  					/* PRINTER_STATE_REASONS env var */
  			rip_max_cache[255];
  					/* RIP_MAX_CACHE env variable */
@@ -1469,7 +1485,7 @@ diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
  
  
    cupsdLogMessage(CUPSD_LOG_DEBUG2,
-@@ -1083,6 +1097,67 @@ cupsdContinueJob(cupsd_job_t *job)	/* I
+@@ -1083,6 +1102,67 @@ cupsdContinueJob(cupsd_job_t *job)	/* I
    if (final_content_type[0])
      envp[envc ++] = final_content_type;
  
@@ -1537,18 +1553,6 @@ diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
    if (Classification && !banner_page)
    {
      if ((attr = ippFindAttribute(job->attrs, "job-sheets",
-@@ -1464,6 +1539,11 @@ cupsdDeleteJob(cupsd_job_t       *job,	/
- 
-   cupsdClearString(&job->username);
-   cupsdClearString(&job->dest);
-+
-+#ifdef WITH_LSPP
-+  cupsdClearString(&job->scon);
-+#endif
-+
-   for (i = 0;
-        i < (int)(sizeof(job->auth_env) / sizeof(job->auth_env[0]));
-        i ++)
 @@ -1908,6 +1988,22 @@ cupsdLoadJob(cupsd_job_t *job)		/* I - J
        ippSetString(job->attrs, &job->reasons, 0, "none");
    }
@@ -1736,18 +1740,18 @@ diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
 +	/*
 +	 * The printer does not exist, so for now assume it's a FileDevice
 +	 */
-+	tclass = string_to_security_class("file");
++	tclass = SECCLASS_FILE;
-+	avr = string_to_av_perm(tclass, "write");
++	avr = FILE__WRITE;
 +      }
 +      else if (S_ISCHR(printerstat.st_mode))
 +      {
-+	tclass = string_to_security_class("chr_file");
++	tclass = SECCLASS_CHR_FILE;
-+	avr = string_to_av_perm(tclass, "write");
++	avr = CHR_FILE__WRITE;
 +      }
 +      else if (S_ISREG(printerstat.st_mode))
 +      {
-+	tclass = string_to_security_class("file");
++	tclass = SECCLASS_FILE;
-+	avr = string_to_av_perm(tclass, "write");
++	avr = FILE__WRITE;
 +      }
 +      else
 +      {
@@ -1819,13 +1823,16 @@ diff -up cups-2.2.6/scheduler/job.c.lspp cups-2.2.6/scheduler/job.c
   /*
    * Now start the first file in the job...
    */
-diff -up cups-2.2.6/scheduler/job.h.lspp cups-2.2.6/scheduler/job.h
+diff -up cups-2.2.5/scheduler/job.h.lspp cups-2.2.5/scheduler/job.h
---- cups-2.2.6/scheduler/job.h.lspp	2017-11-01 15:57:53.000000000 +0100
+--- cups-2.2.5/scheduler/job.h.lspp	2017-10-13 20:22:26.000000000 +0200
-+++ cups-2.2.6/scheduler/job.h	2024-08-15 14:55:07.316818790 +0200
++++ cups-2.2.5/scheduler/job.h	2017-10-17 19:06:19.696228498 +0200
-@@ -11,6 +11,10 @@
+@@ -11,6 +11,13 @@
   * missing or damaged, see the license at "http://www.cups.org/".
   */
  
++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
++
 +#ifdef WITH_LSPP
 +#include <selinux/selinux.h>
 +#endif /* WITH_LSPP */
@@ -1833,7 +1840,7 @@ diff -up cups-2.2.6/scheduler/job.h.lspp cups-2.2.6/scheduler/job.h
  /*
   * Constants...
   */
-@@ -88,6 +92,10 @@ struct cupsd_job_s			/**** Job request *
+@@ -88,6 +95,10 @@ struct cupsd_job_s			/**** Job request *
    int			progress;	/* Printing progress */
    int			num_keywords;	/* Number of PPD keywords */
    cups_option_t		*keywords;	/* PPD keywords */
@@ -1844,9 +1851,9 @@ diff -up cups-2.2.6/scheduler/job.h.lspp cups-2.2.6/scheduler/job.h
  };
  
  typedef struct cupsd_joblog_s		/**** Job log message ****/
-diff -up cups-2.2.6/scheduler/main.c.lspp cups-2.2.6/scheduler/main.c
+diff -up cups-2.2.5/scheduler/main.c.lspp cups-2.2.5/scheduler/main.c
---- cups-2.2.6/scheduler/main.c.lspp	2024-08-15 14:55:07.299819017 +0200
+--- cups-2.2.5/scheduler/main.c.lspp	2017-10-17 19:06:19.637228989 +0200
-+++ cups-2.2.6/scheduler/main.c	2024-08-15 14:55:07.316818790 +0200
++++ cups-2.2.5/scheduler/main.c	2017-10-17 19:08:26.642173026 +0200
 @@ -56,6 +56,9 @@
  #  include <sys/param.h>
  #endif /* HAVE_SYS_PARAM_H */
@@ -1867,7 +1874,7 @@ diff -up cups-2.2.6/scheduler/main.c.lspp cups-2.2.6/scheduler/main.c
  #ifdef __APPLE__
    int			use_sysman = 1;	/* Use system management functions? */
  #else
-@@ -508,6 +514,25 @@ main(int  argc,				/* I - Number of comm
+@@ -516,6 +522,25 @@ main(int  argc,				/* I - Number of comm
      exit(errno);
    }
  
@@ -1893,7 +1900,7 @@ diff -up cups-2.2.6/scheduler/main.c.lspp cups-2.2.6/scheduler/main.c
   /*
    * Let the system know we are busy while we bring up cupsd...
    */
-@@ -1219,6 +1244,11 @@ main(int  argc,				/* I - Number of comm
+@@ -1227,6 +1252,11 @@ main(int  argc,				/* I - Number of comm
  
    cupsdStopSelect();
  
@@ -1905,10 +1912,19 @@ diff -up cups-2.2.6/scheduler/main.c.lspp cups-2.2.6/scheduler/main.c
    return (!stop_scheduler);
  }
  
-diff -up cups-2.2.6/scheduler/printers.c.lspp cups-2.2.6/scheduler/printers.c
+diff -up cups-2.2.5/scheduler/printers.c.lspp cups-2.2.5/scheduler/printers.c
---- cups-2.2.6/scheduler/printers.c.lspp	2024-08-15 14:55:07.253819632 +0200
+--- cups-2.2.5/scheduler/printers.c.lspp	2017-10-17 19:06:19.587229404 +0200
-+++ cups-2.2.6/scheduler/printers.c	2024-08-15 14:55:07.317818776 +0200
++++ cups-2.2.5/scheduler/printers.c	2017-10-17 19:06:19.697228490 +0200
-@@ -35,6 +35,10 @@
+@@ -11,6 +11,8 @@
+  * missing or damaged, see the license at "http://www.cups.org/".
+  */
+ 
++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
++
+ /*
+  * Include necessary headers...
+  */
+@@ -35,6 +37,10 @@
  #  include <asl.h>
  #endif /* __APPLE__ */
  
@@ -1919,7 +1935,7 @@ diff -up cups-2.2.6/scheduler/printers.c.lspp cups-2.2.6/scheduler/printers.c
  
  /*
   * Local functions...
-@@ -2212,6 +2216,13 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)
+@@ -2212,6 +2218,13 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)
    ipp_attribute_t *attr;		/* Attribute data */
    char		*name,			/* Current user/group name */
  		*filter;		/* Current filter */
@@ -1933,7 +1949,7 @@ diff -up cups-2.2.6/scheduler/printers.c.lspp cups-2.2.6/scheduler/printers.c
  
  
    DEBUG_printf(("cupsdSetPrinterAttrs: entering name = %s, type = %x\n", p->name,
-@@ -2339,6 +2350,45 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)
+@@ -2339,6 +2352,45 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)
        attr->values[1].string.text = _cupsStrAlloc(Classification ?
  	                                   Classification : p->job_sheets[1]);
      }

SOURCES/cups-require-cups-socket.patch

@@ -1,12 +0,0 @@
-diff --git a/scheduler/org.cups.cupsd.service.in b/scheduler/org.cups.cupsd.service.in
-index c02412fb0..18b5e0386 100644
---- a/scheduler/org.cups.cupsd.service.in
-+++ b/scheduler/org.cups.cupsd.service.in
-@@ -2,6 +2,7 @@
- Description=CUPS Scheduler
- Documentation=man:cupsd(8)
- After=network.target nss-user-lookup.target
-+Requires=cups.socket
- 
- [Service]
- ExecStart=@sbindir@/cupsd -l

SOURCES/cups-socket-remove-on-stop.patch

@@ -1,12 +0,0 @@
-diff --git a/scheduler/org.cups.cupsd.socket.in b/scheduler/org.cups.cupsd.socket.in
-index 613b977a6..1deee826a 100644
---- a/scheduler/org.cups.cupsd.socket.in
-+++ b/scheduler/org.cups.cupsd.socket.in
-@@ -4,6 +4,7 @@ PartOf=org.cups.cupsd.service
- 
- [Socket]
- ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
-+RemoveOnStop=on
- 
- [Install]
- WantedBy=sockets.target

SPECS/cups.spec

@@ -22,7 +22,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.6
-Release: 66%{?dist}
+Release: 57%{?dist}
 License: GPLv2+ and LGPLv2 with exceptions and AML
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@@ -170,48 +170,6 @@ Patch86: cups-preservejob-leak.patch
 Patch87: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch
 # RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
 Patch88: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch
-# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
-# https://github.com/OpenPrinting/cups/commit/a436956
-Patch89: 0001-Fix-domain-socket-handling.patch
-# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
-# https://github.com/OpenPrinting/cups/pull/31
-Patch90: cups-require-cups-socket.patch
-# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
-# https://github.com/OpenPrinting/cups/commit/3448c52
-Patch91: cups-socket-remove-on-stop.patch
-# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
-# https://github.com/OpenPrinting/cups/commit/7adb508
-# https://github.com/OpenPrinting/cups/commit/824f49f
-# https://github.com/OpenPrinting/cups/commit/56b9728
-# https://github.com/OpenPrinting/cups/commit/74f437b
-# https://github.com/OpenPrinting/cups/commit/fb0c914
-Patch92: cups-check-for-listeners.patch
-# RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
-Patch93: 0001-mirror-ipp-everywhere-printer-changes-from-master.patch
-Patch94: 0001-refactor-make-and-model-code.patch
-Patch95: 0001-ppdize-preset-and-template-names.patch
-Patch96: 0001-Fix-make-and-model-whitespace-trimming-Issue-1096.patch
-# RHEL-112424 CVE-2025-58060 cups: Authentication Bypass in CUPS Authorization Handling
-Patch97: CVE-2025-58060.patch
-# RHEL-122045 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS
-Patch98: CVE-2025-58364.patch
-# RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack
-# 0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch
-# 0001-Setting-the-timeout-should-also-timeout-the-TLS-nego.patch
-# cups-CVE-2025-58436.patch
-# 0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch
-Patch99: 0001-_httpWait-s-usessl-parameter-wasn-t-being-used.patch
-Patch100: 0001-Setting-the-timeout-should-also-timeout-the-TLS-nego.patch
-Patch101: cups-CVE-2025-58436.patch
-Patch102: 0001-Fix-an-infinite-loop-issue-in-GTK-Issue-1439.patch
-# RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
-# 0001-Fix-various-issues-in-cupsd.patch
-# 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
-Patch103: 0001-Fix-various-issues-in-cupsd.patch
-Patch104: 0001-conf.c-Fix-stopping-scheduler-on-unknown-directive.patch
-# fix use-after-free reported by OSH
-# https://github.com/OpenPrinting/cups/pull/1454
-Patch105: 0001-scheduler-Fix-possible-use_after_free-in-cupsdReadCl.patch
 
 Patch1000: cups-lspp.patch
 
@@ -519,42 +477,6 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch87 -p1 -b .message-stderr
 # RHEL-10702 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents
 %patch88 -p1 -b .cupsgetjobs-pollhup
-# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
-# https://github.com/OpenPrinting/cups/commit/a436956
-%patch89 -p1 -b .cve2024-35235
-# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
-# https://github.com/OpenPrinting/cups/pull/31
-%patch90 -p1 -b .cups-require-cups-socket
-# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
-# https://github.com/OpenPrinting/cups/commit/3448c52
-%patch91 -p1 -b .cups-remove-on-stop
-# RHEL-40386 CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
-# https://github.com/OpenPrinting/cups/commit/7adb508
-# https://github.com/OpenPrinting/cups/commit/824f49f
-# https://github.com/OpenPrinting/cups/commit/56b9728
-# https://github.com/OpenPrinting/cups/commit/74f437b
-# https://github.com/OpenPrinting/cups/commit/fb0c914
-%patch92 -p1 -b .cups-check-for-listeners
-# RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
-%patch93 -p1 -b .ippeve-validate
-%patch94 -p1 -b .make-model-refact
-%patch95 -p1 -b .ppdize-presets
-%patch96 -p1 -b .make-model-trim
-# RHEL-112424 CVE-2025-58060 cups: Authentication Bypass in CUPS Authorization Handling
-%patch97 -p1 -b .cve-2025-58060
-# RHEL-122045 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS
-%patch98 -p1 -b .cve-2025-58364
-# RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack
-%patch99 -p1 -b .use-usessl
-%patch100 -p1 -b .timeout-tls
-%patch101 -p1 -b .slow-client
-%patch102 -p1 -b .gtk-infinite-loop
-# RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
-%patch103 -p1 -b .config-issues
-%patch104 -p1 -b .ignore-unknown
-# fix use-after-free reported by OSH
-%patch105 -p1 -b .osh-use-after-free
-
 
 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in
 
@@ -981,38 +903,6 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz
 
 %changelog
-* Fri Dec 12 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-66
-- fix use-after-free reported by OSH
-
-* Tue Dec 09 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-65
-- RHEL-129729 CVE-2025-58436 cups: Slow client communication leads to a possible DoS attack
-- RHEL-129720 CVE-2025-61915 cups: Local denial-of-service via cupsd.conf update and related issues
-
-* Wed Oct 22 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-64
-- RHEL-122045 CVE-2025-58364 cups: Null Pointer Dereference in CUPS ipp_read_io() Leading to Remote DoS
-
-* Thu Sep 04 2025 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-63
-- RHEL-112424 CVE-2025-58060 cups: Authentication Bypass in CUPS Authorization Handling
-
-* Fri Oct 25 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-62
-- RHEL-60338 CVE-2024-47175 cups: remote command injection via attacker controlled data in PPD file
-
-* Thu Aug 15 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-61
-- RHEL-54038 cups source rpm doesn't actually build lspp support
-- fix memory leaks caused by lspp
-
-* Tue Jun 18 2024 Pavol Zacik <pzacik@redhat.com>  - 1:2.2.6-60
-- RHEL-40386 cups: Cupsd Listen arbitrary chmod 0140777
-- Delete the domain socket file after stopping the cups.socket service
-- Fix cupsd Listener checks
-
-* Fri Jun 14 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.2.6-59
-- RHEL-40386 cups: Cupsd Listen arbitrary chmod 0140777
-- Require cups.socket in cupsd service file
-
-* Mon Jun 10 2024 Pavol Zacik <pzacik@redhat.com> - 1:2.2.6-58
-- CVE-2024-35235 cups: Cupsd Listen arbitrary chmod 0140777
-
 * Mon Feb 26 2024 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-57
 - revert RHEL-19200 - no new subpackages are needed