diff --git a/SOURCES/cups-deprecate-drivers.patch b/SOURCES/cups-deprecate-drivers.patch index afcfa59..c5a31f7 100644 --- a/SOURCES/cups-deprecate-drivers.patch +++ b/SOURCES/cups-deprecate-drivers.patch @@ -167,11 +167,11 @@ index 4498a8c..8776874 100755 count=`$GREP '^W ' $BASE/log/error_log | $GREP -v CreateProfile | $GREP -v 'libusb error' | $GREP -v ColorManager | $GREP -v 'Avahi client failed' | wc -l | awk '{print $1}'` -if test $count != 8; then - echo "FAIL: $count warning messages, expected 8." -+if test $count != 10; then -+ echo "FAIL: $count warning messages, expected 10." ++if test $count != 9; then ++ echo "FAIL: $count warning messages, expected 9." $GREP '^W ' $BASE/log/error_log - echo "

FAIL: $count warning messages, expected 8.

" >>$strfile -+ echo "

FAIL: $count warning messages, expected 10.

" >>$strfile ++ echo "

FAIL: $count warning messages, expected 9.

" >>$strfile echo "
" >>$strfile
  	$GREP '^W ' $BASE/log/error_log | sed -e '1,$s/&/&/g' -e '1,$s/>$strfile
  	echo "    
" >>$strfile diff --git a/SPECS/cups.spec b/SPECS/cups.spec index a7acb64..7b7eb9c 100644 --- a/SPECS/cups.spec +++ b/SPECS/cups.spec @@ -7,6 +7,13 @@ # but we use lib for compatibility with 3rd party drivers (at upstream request). %global cups_serverbin %{_exec_prefix}/lib/cups +# we still need something for python2... +%if 0%{?rhel} >= 8 || 0%{?fedora} +%bcond_without python3 +%else +%bcond_with python3 +%endif + #%%global prever rc1 #%%global VERSION %%{version}%%{prever} %global VERSION %{version} @@ -17,7 +24,7 @@ Summary: CUPS printing system Name: cups Epoch: 1 Version: 2.3.3%{OP_VER} -Release: 13%{?dist}.1 +Release: 24%{?dist} License: ASL 2.0 Url: http://www.cups.org/ # Apple stopped uploading the new versions into github, use OpenPrinting fork @@ -26,6 +33,8 @@ Source0: https://github.com/OpenPrinting/cups/releases/download/v%{VERSION}/cups Source1: cupsprinter.png # cups_serverbin macro definition for use during builds Source2: macros.cups +# CVE-2023-32360 migration script +Source3: upgrade_get_document.py.in # PAM enablement, very old patch, not even git can track when or why # the patch was added. 
@@ -97,8 +106,32 @@ Patch25: cups-fips-restrict-md5.patch # Memory leak fixes (bug #1964975) # https://github.com/OpenPrinting/cups/pull/322 Patch26: 0001-cups-http-encode-memleaks-fixes-issue-322.patch +# 2073266 - 30-second delays printing to Windows 2016 server via HTTPS +Patch27: 0001-cups-tls-gnutls.c-Use-always-GNUTLS_SHUT_WR.patch +# 2091997 - manpage update to acknowledge order dependency of -h option +Patch28: 0001-Update-man-pages-for-h-option-Issue-357.patch # CVE-2022-26691 cups: authorization bypass when using "local" authorization -Patch27: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch +Patch29: 0001-scheduler-cert.c-Fix-string-comparison-fixes-CVE-202.patch +# 2189919 - CGI scripts don't work with local Negotiate authentication +Patch30: cups-local-negotiate.patch +# 2217177 - Delays printing to lpd when reserved ports are exhausted +Patch31: 0001-Fix-delays-printing-to-lpd-when-reserved-ports-are-e.patch +# 2217284 - The command "cancel -x " does not remove job files +Patch32: 0001-Use-purge-job-instead-of-purge-jobs-when-canceling-a.patch +# 2217954 - Enlarge backlog queue for listen() in cupsd +Patch33: 0001-cups-http-addr.c-Set-listen-backlog-size-to-INT_MAX-.patch +# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c +Patch34: 0001-Log-result-of-httpGetHostname-BEFORE-closing-the-con.patch +# CVE-2023-32324 cups: heap buffer overflow may lead to DoS +Patch35: 0001-cups-strlcpy-handle-zero-size.patch +# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation +Patch36: 0001-Require-authentication-for-CUPS-Get-Document.patch +# RHEL-14931 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off" +Patch37: cups-preservejobfiles-leak.patch +# RHEL-15308 cupsd fails to open cups-files.conf and the resulting error message is lost +Patch38: 0001-scheduler-conf.c-Print-to-stderr-if-we-don-t-open-cu.patch +# RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in 
revents +Patch39: 0001-httpAddrConnect2-Check-for-error-if-POLLHUP-is-in-va.patch ##### Patches removed because IMHO they aren't no longer needed @@ -165,6 +198,13 @@ Requires(post): grep, sed Requires(preun): systemd Requires(postun): systemd +# for upgrade-get-document script +%if %{with python3} +Requires(post): python3 +%else +Requires(post): python +%endif + %package client Summary: CUPS printing system - client programs 
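Review bot: The `Requires(post): python3` / `Requires(post): python` lines declare the interpreter only as a scriptlet dependency, while the `%install` hunk further down ships `upgrade_get_document` permanently in `%{_sbindir}`. rpm is not obliged to keep a scriptlet-only dependency installed once the transaction has finished, so the installed script can be left without its interpreter if an administrator runs it by hand later. Either add a plain `Requires: python3` (and `Requires: python` in the `%else` branch), or state the intent next to the existing comment, e.g. `# upgrade_get_document is only meant to be run from %%post`.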
@@ -327,9 +367,32 @@ to CUPS daemon. This solution will substitute printer drivers and raw queues in %patch25 -p1 -b .restrict-md5 # 1964975 - Memory leak fixes %patch26 -p1 -b .memleak-fixes +# 2073266 - 30-second delays printing to Windows 2016 server via HTTPS +%patch27 -p1 -b .gnutlsbye +# 2091997 - manpage update to acknowledge order dependency of -h option +%patch28 -p1 -b .manpage-update # CVE-2022-26691 cups: authorization bypass when using "local" authorization -%patch27 -p1 -b .cve26691 - +%patch29 -p1 -b .cve26691 +# 2189919 - CGI scripts don't work with local Negotiate authentication +%patch30 -p1 -b .local-negotiate +# 2217177 - Delays printing to lpd when reserved ports are exhausted +%patch31 -p1 -b .lpd-delay +# 2217284 - The command "cancel -x " does not remove job files +%patch32 -p1 -b .purge-job +# 2217954 - Enlarge backlog queue for listen() in cupsd +%patch33 -p1 -b .listen-backlog +# CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c +%patch34 -p1 -b .cve34241 +# CVE-2023-32324 cups: heap buffer overflow may lead to DoS +%patch35 -p1 -b .cve32324 +# CVE-2023-32360 cups: Information leak through Cups-Get-Document operation +%patch36 -p1 -b .get-document-auth +# RHEL-14931 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off" +%patch37 -p1 -b .preservejobfiles-leak +# RHEL-15308 cupsd fails to open cups-files.conf and the resulting error message is lost +%patch38 -p1 -b .log-stderr +# RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents +%patch39 -p1 -b .cupsgetjobs-pollhup %if %{lspp} # LSPP support. 
@@ -493,6 +556,15 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3: /^\([^%].*\)/d ' > %{name}.lang +# install get-document upgrade script +install -m 0755 %{SOURCE3} %{buildroot}%{_sbindir}/upgrade_get_document + +%if %{with python3} + sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python3,' %{buildroot}%{_sbindir}/upgrade_get_document +%else + sed -i 's,@PYTHON_SHEBANG@,#!/usr/bin/python,' %{buildroot}%{_sbindir}/upgrade_get_document +%endif + %post %systemd_post %{name}.path %{name}.socket %{name}.service @@ -540,6 +612,8 @@ do done %endif +%{_sbindir}/upgrade_get_document + exit 0 %post client 
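Review bot: The two `sed` lines in the `@@ -493,6 +556,15 @@` hunk hard-code the interpreter path and pass no interpreter options, although the resulting script is executed as root from `%post`. Using the packaging macro and switching off environment and user-site lookups keeps an inherited `PYTHONPATH` or a per-user site directory from influencing a root-run migration: `sed -i 's,@PYTHON_SHEBANG@,#!%{__python3} -Es,' %{buildroot}%{_sbindir}/upgrade_get_document`, with the same `-Es` flags in the `%else` branch. No `%files` change is visible in this diff, so it is worth confirming that an existing entry covers the new file in `%{_sbindir}`.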
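Review bot: The `%{_sbindir}/upgrade_get_document` call added in the `@@ -540,6 +612,8 @@` hunk has its result discarded, because the scriptlet goes straight on to `exit 0`. If the CVE-2023-32360 migration fails (interpreter missing, unexpected configuration contents), the transaction still reports success and the administrator gets no hint that the existing configuration may still lack the authentication requirement for CUPS-Get-Document. Keeping the scriptlet non-fatal is reasonable, but the failure should be visible: `%{_sbindir}/upgrade_get_document || echo "cups: CUPS-Get-Document migration failed, review the configuration manually" >&2`. The script itself is not part of this diff, so confirm that it is idempotent, since `%post` runs it on every install and upgrade; the scriptlet begins outside the hunk.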
@@ -753,9 +827,50 @@ rm -f %{cups_serverbin}/backend/smb %{_mandir}/man7/ippeveps.7.gz %changelog -* Thu May 26 2022 Zdenek Dohnal - 1:2.3.3op2-13.1 +* Mon Feb 26 2024 Zdenek Dohnal - 1:2.3.3op2-24 +- revert RHEL-19205 - new packages are not needed + +* Wed Dec 20 2023 Zdenek Dohnal - 1:2.3.3op2-23 +- RHEL-19205 Recommend new cups-filters subpackages with weak dep for better upgrade exp +- RHEL-19495 cupsGetJobs fails to connect if poll() gets POLLOUT|POLLHUP in revents + +* Thu Nov 02 2023 Zdenek Dohnal - 1:2.3.3op2-22 +- RHEL-14931 cupsd memory leak in cupsdDeleteJob() with "PreserveJobHistory Off" +- RHEL-15308 cupsd fails to open cups-files.conf and the resulting error message is lost + +* Tue Aug 29 2023 Zdenek Dohnal - 1:2.3.3op2-21 +- bump the spec because the previous build was made with buildroot 9.2 + +* Tue Aug 29 2023 Zdenek Dohnal - 1:2.3.3op2-20 +- CVE-2023-32360 cups: Information leak through Cups-Get-Document operation + +* Thu Jun 29 2023 Zdenek Dohnal - 1:2.3.3op2-19 +- CVE-2023-34241 cups: use-after-free in cupsdAcceptClient() in scheduler/client.c +- CVE-2023-32324 cups: heap buffer overflow may lead to DoS + +* Wed Jun 28 2023 Zdenek Dohnal - 1:2.3.3op2-19 +- 2217177 - Delays printing to lpd when reserved ports are exhausted +- 2217284 - The command "cancel -x " does not remove job files +- 2217954 - Enlarge backlog queue for listen() in cupsd + +* Wed Apr 26 2023 Zdenek Dohnal - 1:2.3.3op2-18 +- 2189919 - CGI scripts don't work with local Negotiate authentication + +* Mon Apr 03 2023 Zdenek Dohnal - 1:2.3.3op2-17 +- RHEL-314 - Enable fmf tests in centos stream + +* Thu Mar 23 2023 Zdenek Dohnal - 1:2.3.3op2-17 +- RHEL-317 - upstream test suite fails due uncorrect number of expected warnings + +* Thu Jun 16 2022 Zdenek Dohnal - 1:2.3.3op2-16 - CVE-2022-26691 cups: authorization bypass when using "local" authorization +* Fri Jun 10 2022 Richard Lescak - 1:2.3.3op2-15 +- 2091997 - update man pages to mention order dependency of -h option + +* Fri 
Apr 08 2022 Zdenek Dohnal - 1:2.3.3op2-14 +- 2073266 - 30-second delays printing to Windows 2016 server via HTTPS + * Thu Feb 24 2022 Richard Lescak - 1:2.3.3op2-13 - 1964975 - added fix for uninit jump into the leaks patch