<div class="container">
<h1>Security update for cups</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:20229-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-02-04T11:35:17Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>critical</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244057">bsc#1244057</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249049">bsc#1249049</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249128">bsc#1249128</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1253783">bsc#1253783</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1254353">bsc#1254353</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-14688">jsc#PED-14688</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-14775">jsc#PED-14775</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-58060.html">CVE-2025-58060</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-58364.html">CVE-2025-58364</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-58436.html">CVE-2025-58436</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-61915.html">CVE-2025-61915</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58060</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.7</span>
<span class="cvss-vector">CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58060</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58060</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.0</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58364</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58364</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58436</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.2</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58436</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58436</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.1</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-58436</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-61915</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.7</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-61915</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.0</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-61915</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.0</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-61915</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.7</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.2</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves four vulnerabilities, contains two features and has one fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for cups fixes the following issues:</p>
<p>Update to version 2.4.16.</p>
<p>Security issues fixed:</p>
<ul>
<li>CVE-2025-61915: local denial-of-service via cupsd.conf update and related issues (bsc#1253783).</li>
<li>CVE-2025-58436: slow client communication leads to a possible DoS attack (bsc#1244057).</li>
<li>CVE-2025-58364: unsafe deserialization and validation of printer attributes can cause a null dereference (bsc#1249128).</li>
<li>CVE-2025-58060: authentication bypass with AuthType Negotiate (bsc#1249049).</li>
</ul>
<p>Other updates and bugfixes:</p>
<ul>
<li>
Version upgrade to 2.4.16:
<ul>
<li>'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences, potentially reading past the end of the source string (Issue #1438)</li>
<li>The web interface did not support domain usernames fully (Issue #1441)</li>
<li>Fixed an infinite loop issue in the GTK+ print dialog (Issue #1439 boo#1254353)</li>
<li>Fixed stopping scheduler on unknown directive in configuration (Issue #1443)</li>
</ul>
</li>
<li>Fixed packages for Immutable Mode (jsc#PED-14775 from epic jsc#PED-14688)</li>
<li>
Version upgrade to 2.4.15:
<ul>
<li>Fixed potential crash in 'cups-driverd' when there are duplicate PPDs (Issue #1355)</li>
<li>Fixed error recovery when scanning for PPDs in 'cups-driverd' (Issue #1416)</li>
</ul>
</li>
<li>Version upgrade to 2.4.14.</li>
<li>
Version upgrade to 2.4.13:
<ul>
<li>Added 'print-as-raster' printer and job attributes for forcing rasterization (Issue #1282)</li>
<li>Updated documentation (Issue #1086)</li>
<li>Updated IPP backend to try a sanitized user name if the printer/server does not like the value (Issue #1145)</li>
<li>Updated the scheduler to send the "printer-added" or "printer-modified" events whenever an IPP Everywhere PPD is installed (Issue #1244)</li>
<li>Updated the scheduler to send the "printer-modified" event whenever the system default printer is changed (Issue #1246)</li>
<li>Fixed a memory leak in 'httpClose' (Issue #1223)</li>
<li>Fixed missing commas in 'ippCreateRequestedArray' (Issue #1234)</li>
<li>Fixed subscription issues in the scheduler and D-Bus notifier (Issue #1235)</li>
<li>Fixed media-default reporting for custom sizes (Issue #1238)</li>
<li>Fixed support for IPP/PPD options with periods or underscores (Issue #1249)</li>
<li>Fixed parsing of real numbers in PPD compiler source files (Issue #1263)</li>
<li>Fixed scheduler freezing with zombie clients (Issue #1264)</li>
<li>Fixed support for the server name in the ErrorLog filename (Issue #1277)</li>
<li>Fixed job cleanup after daemon restart (Issue #1315)</li>
<li>Fixed handling of buggy DYMO USB printer serial numbers (Issue #1338)</li>
<li>Fixed unreachable block in IPP backend (Issue #1351)</li>
<li>Fixed memory leak in _cupsConvertOptions (Issue #1354)</li>
</ul>
</li>
<li>
Version upgrade to 2.4.12:
<ul>
<li>GnuTLS now follows system crypto policies (Issue #1105)</li>
<li>Added <code>NoSystem</code> SSLOptions value (Issue #1130)</li>
<li>An alert is now raised for certificate issues (Issue #1194)</li>
<li>Added Kyocera USB quirk (Issue #1198)</li>
<li>The scheduler now logs a job's debugging history if the backend fails (Issue #1205)</li>
<li>Fixed a potential timing issue with <code>cupsEnumDests</code> (Issue #1084)</li>
<li>Fixed a potential "lost PPD" condition in the scheduler (Issue #1109)</li>
<li>Fixed a compressed file error handling bug (Issue #1070)</li>
<li>Fixed a bug in the make-and-model whitespace trimming code (Issue #1096)</li>
<li>Fixed a removal of IPP Everywhere permanent queue if installation failed (Issue #1102)</li>
<li>Fixed <code>ServerToken None</code> in scheduler (Issue #1111)</li>
<li>Fixed invalid IPP keyword values created from PPD option names (Issue #1118)</li>
<li>Fixed handling of "media" and "PageSize" in the same print request (Issue #1125)</li>
<li>Fixed client raster printing from macOS (Issue #1143)</li>
<li>Fixed the default User-Agent string.</li>
<li>Fixed a recursion issue in <code>ippReadIO</code>.</li>
<li>Fixed handling incorrect radix in <code>scan_ps()</code> (Issue #1188)</li>
<li>Fixed validation of dateTime values with time zones more than UTC+11 (Issue #1201)</li>
<li>Fixed attributes returned by the Create-Xxx-Subscriptions requests (Issue #1204)</li>
<li>Fixed <code>ippDateToTime</code> when using a non-GMT/UTC timezone (Issue #1208)</li>
<li>Fixed <code>job-completed</code> event notifications for jobs that are cancelled before they are started (Issue #1209)</li>
<li>Fixed DNS-SD discovery with <code>ippfind</code> (Issue #1211)</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update, use the SUSE recommended
installation methods such as YaST online_update or "zypper patch".<br/>
Alternatively, you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.2
<br/>
<code>zypper in -t patch SUSE-SL-Micro-6.2-242=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
<ul>
<li>cups-debugsource-2.4.16-160000.1.1</li>
<li>cups-debuginfo-2.4.16-160000.1.1</li>
<li>cups-config-2.4.16-160000.1.1</li>
<li>libcups2-debuginfo-2.4.16-160000.1.1</li>
<li>libcups2-2.4.16-160000.1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-58060.html">https://www.suse.com/security/cve/CVE-2025-58060.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-58364.html">https://www.suse.com/security/cve/CVE-2025-58364.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-58436.html">https://www.suse.com/security/cve/CVE-2025-58436.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-61915.html">https://www.suse.com/security/cve/CVE-2025-61915.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244057">https://bugzilla.suse.com/show_bug.cgi?id=1244057</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249049">https://bugzilla.suse.com/show_bug.cgi?id=1249049</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1249128">https://bugzilla.suse.com/show_bug.cgi?id=1249128</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1253783">https://bugzilla.suse.com/show_bug.cgi?id=1253783</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1254353">https://bugzilla.suse.com/show_bug.cgi?id=1254353</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-14688">https://jira.suse.com/browse/PED-14688</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-14775">https://jira.suse.com/browse/PED-14775</a>
</li>
</ul>
</div>