A 9.9 CVE has been announced for Linux Remote code execution. No details yet. Heartbleed was 7.5, for reference. This is one of the worst in history. All GNU/Linux systems impacted.
Original social link:
Direct link:
Of course you can stop and remove cups … but the provided "chatgpt" instructions are silly.
For example … no need for sudo with systemctl. Also why use stop then disable instead of disable --now?
Furthermore … that's not what the page actually proposes for remediation…
As to this …
Ok so since no links were shared I hunted down the CVEs that do exist now.
https://www.cve.org/CVERecord?id=CVE-2024-47176
Affects cups-browsed v. 2.0.1 **
https://www.cve.org/CVERecord?id=CVE-2024-47076
Affects libcupsfilters v. <= 2.1b1 *
https://www.cve.org/CVERecord?id=CVE-2024-47175
Affects libppd v. <= 2.1b1
https://www.cve.org/CVERecord?id=CVE-2024-47177
Affects cups-filters v. <= 2.0.1
Yes.
But it depends on the branch and the system.
In my case I don't have cups-browsed installed, etc.
* - This is fixed with 2.0.0-3.
** - This is mitigated with 2.0.1-2.
Are you forwarding port 631 from the internet to your local machine using CUPS, in your router?
If answer is no, I guess you only need to "worry" about local network "attack".
A couple of days/weeks ago we had this discussion and this CVE seems to be a valid input for that discussion
I wouldn't put this into quotes. They are real attacks. How many devices are in your network? Maybe you installed a dubious app on your phone or your washing machine was owned, or your visiting Mom with her phone? Your local network is not a demilitarized zone (anymore).
The statement still stands I guess, anyway. The linked video also lists valid sources of information to know more.
//EDIT: more info
To sum up the protection strategy: remove cups-browsed (not installed by default), enable firewall like (g)ufw (not enabled by default).
Is it possible you wanted to say:
https://archlinux.org/packages/extra/x86_64/cups-browsed/
?
Noobie question
Yes, that is what I wanted to say. I wonder however, if that functionality is only in cups-browsed (because I do not have it, but CUPS with the process cupsd is still listening to 631).
Well, I have firewall.
I'll opine that if you open port 631 to the internet, you kind of deserve all the goodness that comes to you.
Well… I will opine that every distro has to have the firewall enabled by default. But the myth for the unhackable Linux/Mac is circulating too long I guess.
It will suffice that someone with laptop logs in a free hotspot in a cafe, hotel, university, airport.
I'm pretty sure 99.9% of people using a Linux desktop do not expose anything to the internet, because 99.9% of people are behind a router/switch that needs the user to manually configure it to forward internet traffic on a specific port to a specific local machine.
The issue is most likely "real" for servers directly connected to the internet where all the traffic directed to the public IP is going to the actual server. Not the case for 99.9% of people using their ISP router/switch combo peripheral.
Basically, don't freak out people, take preventive measures if you're using these flawed services, but you're probably OK without doing anything.
PS: before someone points it out, yes, the number comes directly from my box.
Heh. I question the thought processes of anyone who does that, anyway.
And, I think that the vast majority of these servers do not forward port 631, either.
They don't forward anything; if they are directly connected to the internet, and do not block incoming traffic by default, they indeed receive all traffic to that port and are vulnerable (if using these flawed services).
For example, most of my online servers are not rejecting all incoming traffic by default, for simplicity's sake (not high security risk, only "entertainment" servers, nothing critical running on them). If I was running these services on the machine I would be vulnerable.
I've got a PC on my TV (Linux / Manjaro)
I've got a Laptop (Linux / Manjaro)
My wife is "now" on Linux / Manjaro
my phone GrapheneOS
a lot of devices (sensor in the fridge, alexas, Amazon stick, and the list goes on)
Sometimes a Windows Laptop (my wife's work)
sometimes a Windows VM (on my Work PC / Manjaro)
Long story short, I stopped the list here but I guess that yes 631 is probably not opened on most of our routers, but if one of our devices or other gadget got hacked, then, from within our LAN, we can be attacked…
Anyway, we all know that… Thinking out loud…
I was thinking about limiting some devices to talk to other of my devices on my network (using Dream Machine / https://ui.com/
I think servers with open to the internet ports other than 80 are pretty rare, but an ordinary John using his laptop with default config in a Starbucks is not that uncommon.
I would disagree 100%
From experience, I only had one server provider where the default was all incoming traffic blocked, and I had to manually configure the software firewall from their website to start using the machine (or maybe port 22 was pre-opened, I don't recall, it was a long time for this provider). All subsequent servers I owned were by default allowing all incoming traffic to the machine, that is basically the norm when you rent a server, and it is up to the owner to then create blocking/allowing rules on the machine (iptables, ufw, nftables, or whatever solution you prefer).
//EDIT: my point is people are lazy and when you can let it like that and have no issue running whatever you want on it, or highly configure network for safety but with a lot of headache for everything to work, the results are not highly secured servers all over the world.
From Redhat:
Tks to all!
I appreciate the help and discussion