SUSE-SU-2026:20535-1

Source
https://www.suse.com/support/update/announcement/2026/suse-su-202620535-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:20535-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2026:20535-1
Published
2026-03-02T14:17:19Z
Modified
2026-03-04T22:17:29.306019Z
Summary
Security update for cups
Details

This update for cups fixes the following issues:

Update to version 2.4.16.

Security issues fixed:

  • CVE-2025-58436: single client sending slow messages to cupsd can delay the application and make it unusable for other clients (bsc#1244057).
  • CVE-2025-58060: authentication bypass with AuthType negotiate (bsc#1249049).
  • CVE-2025-58364: unsafe deserialization and validation of printer attributes can lead to null dereference (bsc#1249128).
  • CVE-2025-61915: local denial-of-service via cupsd.conf update and related issues (bsc#1253783).

Other updates and bugfixes:

  • Version upgrade to 2.4.16:

    • 'cupsUTF8ToCharset' didn't validate 2-byte UTF-8 sequences, potentially reading past the end of the source string (Issue #1438)
    • The web interface did not support domain usernames fully (Issue #1441)
    • Fixed an infinite loop issue in the GTK+ print dialog (Issue #1439 bsc#1254353)
    • Fixed stopping scheduler on unknown directive in configuration (Issue #1443)
  • Version upgrade to 2.4.15:

    • Fixed potential crash in 'cups-driverd' when there are duplicate PPDs (Issue #1355)
    • Fixed error recovery when scanning for PPDs in 'cups-driverd' (Issue #1416)
  • Fix packages for Immutable Mode - cups (jsc#PED-14775, jsc#PED-14688)

  • Version upgrade to 2.4.14.

  • Version upgrade to 2.4.13:

    • Added 'print-as-raster' printer and job attributes for forcing rasterization (Issue #1282)
    • Updated documentation (Issue #1086)
    • Updated IPP backend to try a sanitized user name if the printer/server does not like the value (Issue #1145)
    • Updated the scheduler to send the "printer-added" or "printer-modified" events whenever an IPP Everywhere PPD is installed (Issue #1244)
    • Updated the scheduler to send the "printer-modified" event whenever the system default printer is changed (Issue #1246)
    • Fixed a memory leak in 'httpClose' (Issue #1223)
    • Fixed missing commas in 'ippCreateRequestedArray' (Issue #1234)
    • Fixed subscription issues in the scheduler and D-Bus notifier (Issue #1235)
    • Fixed media-default reporting for custom sizes (Issue #1238)
    • Fixed support for IPP/PPD options with periods or underscores (Issue #1249)
    • Fixed parsing of real numbers in PPD compiler source files (Issue #1263)
    • Fixed scheduler freezing with zombie clients (Issue #1264)
    • Fixed support for the server name in the ErrorLog filename (Issue #1277)
    • Fixed job cleanup after daemon restart (Issue #1315)
    • Fixed handling of buggy DYMO USB printer serial numbers (Issue #1338)
    • Fixed unreachable block in IPP backend (Issue #1351)
    • Fixed memory leak in _cupsConvertOptions (Issue #1354)
  • Version upgrade to 2.4.12:

    • GnuTLS follows system crypto policies now (Issue #1105)
    • Added NoSystem SSLOptions value (Issue #1130)
    • Now we raise an alert for certificate issues (Issue #1194)
    • Added Kyocera USB quirk (Issue #1198)
    • The scheduler now logs a job's debugging history if the backend fails (Issue #1205)
    • Fixed a potential timing issue with cupsEnumDests (Issue #1084)
    • Fixed a potential "lost PPD" condition in the scheduler (Issue #1109)
    • Fixed a compressed file error handling bug (Issue #1070)
    • Fixed a bug in the make-and-model whitespace trimming code (Issue #1096)
    • Fixed removal of the IPP Everywhere permanent queue if installation failed (Issue #1102)
    • Fixed ServerToken None in scheduler (Issue #1111)
    • Fixed invalid IPP keyword values created from PPD option names (Issue #1118)
    • Fixed handling of "media" and "PageSize" in the same print request (Issue #1125)
    • Fixed client raster printing from macOS (Issue #1143)
    • Fixed the default User-Agent string.
    • Fixed a recursion issue in ippReadIO.
    • Fixed handling of an incorrect radix in scan_ps() (Issue #1188)
    • Fixed validation of dateTime values with time zones more than UTC+11 (Issue #1201)
    • Fixed attributes returned by the Create-Xxx-Subscriptions requests (Issue #1204)
    • Fixed ippDateToTime when using a non GMT/UTC timezone (Issue #1208)
    • Fixed job-completed event notifications for jobs that are cancelled before they started (Issue #1209)
    • Fixed DNS-SD discovery with ippfind (Issue #1211)
Affected packages

SUSE:Linux Micro 6.1 / cups

Package

Name
cups
Purl
pkg:rpm/suse/cups&distro=SUSE%20Linux%20Micro%206.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.4.16-slfo.1.1_1.1

Ecosystem specific

{
    "binaries": [
        {
            "libcups2": "2.4.16-slfo.1.1_1.1",
            "cups-config": "2.4.16-slfo.1.1_1.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:20535-1.json"