SUSE-SU-2026:20229-1: critical: Security update for cups

SLE-SECURITY-UPDATES null at suse.de
Thu Feb 5 20:30:07 UTC 2026



# Security update for cups

Announcement ID: SUSE-SU-2026:20229-1  
Release Date: 2026-02-04T11:35:17Z  
Rating: critical  
References:

  * bsc#1244057
  * bsc#1249049
  * bsc#1249128
  * bsc#1253783
  * bsc#1254353
  * jsc#PED-14688
  * jsc#PED-14775

  
Cross-References:

  * CVE-2025-58060
  * CVE-2025-58364
  * CVE-2025-58436
  * CVE-2025-61915

  
CVSS scores:

  * CVE-2025-58060 ( SUSE ):  7.7 CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-58060 ( SUSE ):  7.5 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2025-58060 ( NVD ):  8.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
  * CVE-2025-58364 ( SUSE ):  6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-58364 ( NVD ):  6.5 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-58436 ( SUSE ):  8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-58436 ( SUSE ):  5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-58436 ( NVD ):  5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-58436 ( NVD ):  5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  * CVE-2025-61915 ( SUSE ):  6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-61915 ( SUSE ):  6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
  * CVE-2025-61915 ( NVD ):  6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
  * CVE-2025-61915 ( NVD ):  6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

  
Affected Products:

  * SUSE Linux Micro 6.2

  
  
An update that solves four vulnerabilities, contains two features and has one
fix can now be installed.

## Description:

This update for cups fixes the following issues:

Update to version 2.4.16.

Security issues fixed:

  * CVE-2025-61915: local denial-of-service via cupsd.conf update and related
    issues (bsc#1253783).
  * CVE-2025-58436: slow client communication leads to a possible DoS attack
    (bsc#1244057).
  * CVE-2025-58364: unsafe deserialization and validation of printer attributes
    can cause a null dereference (bsc#1249128).
  * CVE-2025-58060: authentication bypass with AuthType Negotiate (bsc#1249049).

Other updates and bugfixes:

  * Version upgrade to 2.4.16:
    * 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences, potentially
      reading past the end of the source string (Issue #1438)
    * The web interface did not support domain usernames fully (Issue #1441)
    * Fixed an infinite loop issue in the GTK+ print dialog (Issue #1439,
      boo#1254353)
    * Fixed stopping scheduler on unknown directive in configuration (Issue #1443)
    * Fixed packages for Immutable Mode (jsc#PED-14775 from epic jsc#PED-14688)
  * Version upgrade to 2.4.15:
    * Fixed potential crash in 'cups-driverd' when there are duplicate PPDs
      (Issue #1355)
    * Fixed error recovery when scanning for PPDs in 'cups-driverd' (Issue #1416)
  * Version upgrade to 2.4.14.
  * Version upgrade to 2.4.13:
    * Added 'print-as-raster' printer and job attributes for forcing
      rasterization (Issue #1282)
    * Updated documentation (Issue #1086)
    * Updated IPP backend to try a sanitized user name if the printer/server does
      not like the value (Issue #1145)
    * Updated the scheduler to send the "printer-added" or "printer-modified"
      events whenever an IPP Everywhere PPD is installed (Issue #1244)
    * Updated the scheduler to send the "printer-modified" event whenever the
      system default printer is changed (Issue #1246)
    * Fixed a memory leak in 'httpClose' (Issue #1223)
    * Fixed missing commas in 'ippCreateRequestedArray' (Issue #1234)
    * Fixed subscription issues in the scheduler and D-Bus notifier (Issue #1235)
    * Fixed media-default reporting for custom sizes (Issue #1238)
    * Fixed support for IPP/PPD options with periods or underscores (Issue #1249)
    * Fixed parsing of real numbers in PPD compiler source files (Issue #1263)
    * Fixed scheduler freezing with zombie clients (Issue #1264)
    * Fixed support for the server name in the ErrorLog filename (Issue #1277)
    * Fixed job cleanup after daemon restart (Issue #1315)
    * Fixed handling of buggy DYMO USB printer serial numbers (Issue #1338)
    * Fixed unreachable block in IPP backend (Issue #1351)
    * Fixed memory leak in _cupsConvertOptions (Issue #1354)
  * Version upgrade to 2.4.12:
    * GnuTLS follows system crypto policies now (Issue #1105)
    * Added `NoSystem` SSLOptions value (Issue #1130)
    * An alert is now raised for certificate issues (Issue #1194)
    * Added Kyocera USB quirk (Issue #1198)
    * The scheduler now logs a job's debugging history if the backend fails
      (Issue #1205)
    * Fixed a potential timing issue with `cupsEnumDests` (Issue #1084)
    * Fixed a potential "lost PPD" condition in the scheduler (Issue #1109)
    * Fixed a compressed file error handling bug (Issue #1070)
    * Fixed a bug in the make-and-model whitespace trimming code (Issue #1096)
    * Fixed a removal of IPP Everywhere permanent queue if installation failed
      (Issue #1102)
    * Fixed `ServerToken None` in scheduler (Issue #1111)
    * Fixed invalid IPP keyword values created from PPD option names (Issue #1118)
    * Fixed handling of "media" and "PageSize" in the same print request
      (Issue #1125)
    * Fixed client raster printing from macOS (Issue #1143)
    * Fixed the default User-Agent string.
    * Fixed a recursion issue in `ippReadIO`.
    * Fixed handling incorrect radix in `scan_ps()` (Issue #1188)
    * Fixed validation of dateTime values with time zones more than UTC+11
      (Issue #1201)
    * Fixed attributes returned by the Create-Xxx-Subscriptions requests
      (Issue #1204)
    * Fixed `ippDateToTime` when using a non-GMT/UTC timezone (Issue #1208)
    * Fixed `job-completed` event notifications for jobs that are cancelled before
      started (Issue #1209)
    * Fixed DNS-SD discovery with `ippfind` (Issue #1211)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.2  
    zypper in -t patch SUSE-SL-Micro-6.2-242=1

## Package List:

  * SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
    * cups-debugsource-2.4.16-160000.1.1
    * cups-debuginfo-2.4.16-160000.1.1
    * cups-config-2.4.16-160000.1.1
    * libcups2-debuginfo-2.4.16-160000.1.1
    * libcups2-2.4.16-160000.1.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-58060.html
  * https://www.suse.com/security/cve/CVE-2025-58364.html
  * https://www.suse.com/security/cve/CVE-2025-58436.html
  * https://www.suse.com/security/cve/CVE-2025-61915.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1244057
  * https://bugzilla.suse.com/show_bug.cgi?id=1249049
  * https://bugzilla.suse.com/show_bug.cgi?id=1249128
  * https://bugzilla.suse.com/show_bug.cgi?id=1253783
  * https://bugzilla.suse.com/show_bug.cgi?id=1254353
  * https://jira.suse.com/browse/PED-14688
  * https://jira.suse.com/browse/PED-14775
