From: Ian Darwin Subject: Re: Remote execution in CUPS To: ports@openbsd.org Date: Fri, 27 Sep 2024 11:19:47 -0400 On 9/27/24 11:05 AM, Kirill A. Korinsky wrote: > On Fri, 27 Sep 2024 14:43:21 +0200, > Chris Narkiewicz wrote: >> https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/ >> >> Is the cups in ports vulnerable as well? > OpenBSD mises quite import pices of this attack: cups-browsed > > Without it, it isn't so dramatic. > Cups is is ports/packages so it is not part of the base system, at all. And we have cups-browsed in ports/packages and it is a run-depend of cups, so it does get installed whenever cups is installed. However, it is not enabled by default (you have to enable it with rcctl enable cups-browsed or by editing /etc/rc.conf.local), and I hope nobody is doing so.