automake sometimes do not generate correct macros - force it

previous commit - fix for previous releases
logs need to have correct permissions
2019-02-19 14:18:14 +01:00 · 2018-12-14 12:45:19 +01:00 · 2018-12-13 18:45:51 +01:00 · 2018-12-13 14:47:37 +01:00 · 2018-12-10 16:49:01 +01:00 · 2018-12-03 12:25:17 +01:00
15 changed files with 2425 additions and 65 deletions
--- a/0001-Add-support-for-MinTLS-and-MaxTLS-options-Issue-5119.patch
+++ b/0001-Add-support-for-MinTLS-and-MaxTLS-options-Issue-5119.patch
@ -0,0 +1,497 @@
+diff -up cups-2.2.6/cups/http-private.h.remove-weak-ciphers cups-2.2.6/cups/http-private.h
+--- cups-2.2.6/cups/http-private.h.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/cups/http-private.h	2018-08-07 11:53:54.985633959 +0200
+@@ -180,13 +180,17 @@ extern "C" {
+ 
+ #  define _HTTP_TLS_NONE	0	/* No TLS options */
+ #  define _HTTP_TLS_ALLOW_RC4	1	/* Allow RC4 cipher suites */
+-#  define _HTTP_TLS_ALLOW_SSL3	2	/* Allow SSL 3.0 */
+-#  define _HTTP_TLS_ALLOW_DH	4	/* Allow DH/DHE key negotiation */
+-#  define _HTTP_TLS_DENY_TLS10	16	/* Deny TLS 1.0 */
+-#  define _HTTP_TLS_DENY_CBC	32	/* Deny CBC cipher suites */
+-#  define _HTTP_TLS_ONLY_TLS10  64      /* Only use TLS 1.0 */
+#  define _HTTP_TLS_ALLOW_DH	2	/* Allow DH/DHE key negotiation */
+#  define _HTTP_TLS_DENY_CBC	4	/* Deny CBC cipher suites */
+ #  define _HTTP_TLS_SET_DEFAULT 128     /* Setting the default TLS options */
+ 
+#  define _HTTP_TLS_SSL3	0	/* Min/max version is SSL/3.0 */
+#  define _HTTP_TLS_1_0		1	/* Min/max version is TLS/1.0 */
+#  define _HTTP_TLS_1_1		2	/* Min/max version is TLS/1.1 */
+#  define _HTTP_TLS_1_2		3	/* Min/max version is TLS/1.2 */
+#  define _HTTP_TLS_1_3		4	/* Min/max version is TLS/1.3 */
+#  define _HTTP_TLS_MAX		5	/* Highest known TLS version */
+
+ 
+ /*
+  * Types and functions for SSL support...
+@@ -442,7 +446,7 @@ extern void		_httpTLSInitialize(void);
+ extern size_t		_httpTLSPending(http_t *http);
+ extern int		_httpTLSRead(http_t *http, char *buf, int len);
+ extern int		_httpTLSSetCredentials(http_t *http);
+-extern void		_httpTLSSetOptions(int options);
+extern void		_httpTLSSetOptions(int options, int min_version, int max_version);
+ extern int		_httpTLSStart(http_t *http);
+ extern void		_httpTLSStop(http_t *http);
+ extern int		_httpTLSWrite(http_t *http, const char *buf, int len);
+diff -up cups-2.2.6/cups/tlscheck.c.remove-weak-ciphers cups-2.2.6/cups/tlscheck.c
+--- cups-2.2.6/cups/tlscheck.c.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/cups/tlscheck.c	2018-08-07 11:53:54.987633942 +0200
+@@ -54,6 +54,8 @@ main(int  argc,				/* I - Number of comm
+   int		af = AF_UNSPEC,		/* Address family */
+ 		tls_options = _HTTP_TLS_NONE,
+ 					/* TLS options */
+		tls_min_version = _HTTP_TLS_1_0,
+		tls_max_version = _HTTP_TLS_MAX,
+ 		verbose = 0;		/* Verbosity */
+   ipp_t		*request,		/* IPP Get-Printer-Attributes request */
+ 		*response;		/* IPP Get-Printer-Attributes response */
+@@ -88,11 +90,12 @@ main(int  argc,				/* I - Number of comm
+     }
+     else if (!strcmp(argv[i], "--no-tls10"))
+     {
+-      tls_options |= _HTTP_TLS_DENY_TLS10;
+      tls_min_version = _HTTP_TLS_1_1;
+     }
+     else if (!strcmp(argv[i], "--tls10"))
+     {
+-      tls_options |= _HTTP_TLS_ONLY_TLS10;
+      tls_min_version = _HTTP_TLS_1_0;
+      tls_max_version = _HTTP_TLS_1_0;
+     }
+     else if (!strcmp(argv[i], "--rc4"))
+     {
+@@ -148,7 +151,7 @@ main(int  argc,				/* I - Number of comm
+   if (!port)
+     port = 631;
+ 
+-  _httpTLSSetOptions(tls_options);
+  _httpTLSSetOptions(tls_options, tls_min_version, tls_max_version);
+ 
+   http = httpConnect2(server, port, NULL, af, HTTP_ENCRYPTION_ALWAYS, 1, 30000, NULL);
+   if (!http)
+diff -up cups-2.2.6/cups/tls-darwin.c.remove-weak-ciphers cups-2.2.6/cups/tls-darwin.c
+--- cups-2.2.6/cups/tls-darwin.c.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/cups/tls-darwin.c	2018-08-07 11:53:54.986633951 +0200
+@@ -53,7 +53,9 @@ static char		*tls_keypath = NULL;
+ 					/* Server cert keychain path */
+ static _cups_mutex_t	tls_mutex = _CUPS_MUTEX_INITIALIZER;
+ 					/* Mutex for keychain/certs */
+-static int		tls_options = -1;/* Options for TLS connections */
+static int		tls_options = -1,/* Options for TLS connections */
+			tls_min_version = _HTTP_TLS_1_0,
+			tls_max_version = _HTTP_TLS_MAX;
+ 
+ 
+ /*
+@@ -1139,10 +1141,16 @@ _httpTLSRead(http_t *http,		/* I - HTTP
+  */
+ 
+ void
+-_httpTLSSetOptions(int options)		/* I - Options */
+_httpTLSSetOptions(int options,		/* I - Options */
+                   int min_version,	/* I - Minimum TLS version */
+                   int max_version)	/* I - Maximum TLS version */
+ {
+   if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
+-    tls_options = options;
+  {
+    tls_options     = options;
+    tls_min_version = min_version;
+    tls_max_version = max_version;
+  }
+ }
+ 
+ 
+@@ -1174,7 +1182,7 @@ _httpTLSStart(http_t *http)		/* I - HTTP
+   {
+     DEBUG_puts("4_httpTLSStart: Setting defaults.");
+     _cupsSetDefaults();
+-    DEBUG_printf(("4_httpTLSStart: tls_options=%x", tls_options));
+    DEBUG_printf(("4_httpTLSStart: tls_options=%x, tls_min_version=%d, tls_max_version=%d", tls_options, tls_min_version, tls_max_version));
+   }
+ 
+ #ifdef HAVE_SECKEYCHAINOPEN
+@@ -1217,22 +1225,23 @@ _httpTLSStart(http_t *http)		/* I - HTTP
+ 
+   if (!error)
+   {
+-    SSLProtocol minProtocol;
+-
+-    if (tls_options & _HTTP_TLS_DENY_TLS10)
+-      minProtocol = kTLSProtocol11;
+-    else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+-      minProtocol = kSSLProtocol3;
+-    else
+-      minProtocol = kTLSProtocol1;
+    static const SSLProtocol protocols[] =	/* Min/max protocol versions */
+    {
+      kSSLProtocol3,
+      kTLSProtocol1,
+      kTLSProtocol11,
+      kTLSProtocol12,
+      kTLSProtocol13,
+      kTLSProtocolMaxSupported
+    };
+ 
+-    error = SSLSetProtocolVersionMin(http->tls, minProtocol);
+-    DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", minProtocol, (int)error));
+    error = SSLSetProtocolVersionMin(http->tls, protocols[tls_min_version]);
+    DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMin(%d), error=%d", protocols[tls_min_version], (int)error));
+ 
+-    if (!error && (tls_options & _HTTP_TLS_ONLY_TLS10))
+    if (!error)
+     {
+-      error = SSLSetProtocolVersionMax(http->tls, kTLSProtocol1);
+-      DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(kTLSProtocol1), error=%d", (int)error));
+      error = SSLSetProtocolVersionMax(http->tls, protocols[tls_max_version]);
+      DEBUG_printf(("4_httpTLSStart: SSLSetProtocolVersionMax(%d), error=%d", protocols[tls_max_version], (int)error));
+     }
+   }
+ 
+diff -up cups-2.2.6/cups/tls-gnutls.c.remove-weak-ciphers cups-2.2.6/cups/tls-gnutls.c
+--- cups-2.2.6/cups/tls-gnutls.c.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/cups/tls-gnutls.c	2018-08-07 11:58:45.164114342 +0200
+@@ -35,7 +35,9 @@ static char		*tls_keypath = NULL;
+ 					/* Server cert keychain path */
+ static _cups_mutex_t	tls_mutex = _CUPS_MUTEX_INITIALIZER;
+ 					/* Mutex for keychain/certs */
+-static int		tls_options = -1;/* Options for TLS connections */
+static int		tls_options = -1,/* Options for TLS connections */
+			tls_min_version = _HTTP_TLS_1_0,
+			tls_max_version = _HTTP_TLS_MAX;
+ 
+ 
+ /*
+@@ -1224,10 +1226,16 @@ _httpTLSSetCredentials(http_t *http)	/*
+  */
+ 
+ void
+-_httpTLSSetOptions(int options)		/* I - Options */
+_httpTLSSetOptions(int options, 		/* I - Options */
+                   int min_version,             /* I - Minimum TLS version */
+                   int max_version)             /* I - Maximum TLS version */
+ {
+   if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
+-    tls_options = options;
+  {
+    tls_options     = options;
+    tls_min_version = min_version;
+    tls_max_version = max_version;
+  }
+ }
+ 
+ 
+@@ -1245,6 +1253,16 @@ _httpTLSStart(http_t *http)		/* I - Conn
+ 					/* TLS credentials */
+   char			priority_string[2048];
+ 					/* Priority string */
+  int			version;	/* Current version */
+  static const char * const versions[] =/* SSL/TLS versions */
+  {
+    "VERS-SSL3.0",
+    "VERS-TLS1.0",
+    "VERS-TLS1.1",
+    "VERS-TLS1.2",
+    "VERS-TLS1.3",
+    "VERS-TLS-ALL"
+  };
+ 
+ 
+   DEBUG_printf(("3_httpTLSStart(http=%p)", http));
+@@ -1506,14 +1524,40 @@ _httpTLSStart(http_t *http)		/* I - Conn
+ 
+   strlcpy(priority_string, "NORMAL", sizeof(priority_string));
+ 
+-  if (tls_options & _HTTP_TLS_DENY_TLS10)
+-    strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-TLS1.0:-VERS-SSL3.0", sizeof(priority_string));
+-  else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+  if (tls_max_version < _HTTP_TLS_MAX)
+  {
+   /*
+    * Require specific TLS versions...
+    */
+
+    strlcat(priority_string, ":-VERS-TLS-ALL", sizeof(priority_string));
+    for (version = tls_min_version; version <= tls_max_version; version ++)
+    {
+      strlcat(priority_string, ":+", sizeof(priority_string));
+      strlcat(priority_string, versions[version], sizeof(priority_string));
+    }
+  }
+  else if (tls_min_version == _HTTP_TLS_SSL3)
+  {
+   /*
+    * Allow all versions of TLS and SSL/3.0...
+    */
+
+     strlcat(priority_string, ":+VERS-TLS-ALL:+VERS-SSL3.0", sizeof(priority_string));
+-  else if (tls_options & _HTTP_TLS_ONLY_TLS10)
+-    strlcat(priority_string, ":-VERS-TLS-ALL:-VERS-SSL3.0:+VERS-TLS1.0", sizeof(priority_string));
+  }
+   else
+-    strlcat(priority_string, ":+VERS-TLS-ALL:-VERS-SSL3.0", sizeof(priority_string));
+  {
+   /*
+    * Require a minimum version...
+    */
+
+    strlcat(priority_string, ":+VERS-TLS-ALL", sizeof(priority_string));
+    for (version = 0; version < tls_min_version; version ++)
+    {
+      strlcat(priority_string, ":-", sizeof(priority_string));
+      strlcat(priority_string, versions[version], sizeof(priority_string));
+    }
+  }
+ 
+   if (tls_options & _HTTP_TLS_ALLOW_RC4)
+     strlcat(priority_string, ":+ARCFOUR-128", sizeof(priority_string));
+diff -up cups-2.2.6/cups/tls-sspi.c.remove-weak-ciphers cups-2.2.6/cups/tls-sspi.c
+--- cups-2.2.6/cups/tls-sspi.c.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/cups/tls-sspi.c	2018-08-07 11:53:54.986633951 +0200
+@@ -52,7 +52,9 @@
+  * Local globals...
+  */
+ 
+-static int		tls_options = -1;/* Options for TLS connections */
+static int		tls_options = -1,/* Options for TLS connections */
+			tls_min_version = _HTTP_TLS_1_0,
+			tls_max_version = _HTTP_TLS_MAX;
+ 
+ 
+ /*
+@@ -914,7 +916,11 @@ void
+ _httpTLSSetOptions(int options)		/* I - Options */
+ {
+   if (!(options & _HTTP_TLS_SET_DEFAULT) || tls_options < 0)
+-    tls_options = options;
+  {
+    tls_options     = options;
+    tls_min_version = min_version;
+    tls_max_version = max_version;
+  }
+ }
+ 
+ 
+@@ -1782,14 +1788,14 @@ http_sspi_find_credentials(
+ #else
+   if (http->mode == _HTTP_MODE_SERVER)
+   {
+-    if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+    if (tls_min_version == _HTTP_TLS_SSL3)
+       SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER | SP_PROT_SSL3_SERVER;
+     else
+       SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_SERVER;
+   }
+   else
+   {
+-    if (tls_options & _HTTP_TLS_ALLOW_SSL3)
+    if (tls_min_version == _HTTP_TLS_SSL3)
+       SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_SSL3_CLIENT;
+     else
+       SchannelCred.grbitEnabledProtocols = SP_PROT_TLS1_CLIENT;
+diff -up cups-2.2.6/cups/usersys.c.remove-weak-ciphers cups-2.2.6/cups/usersys.c
+--- cups-2.2.6/cups/usersys.c.remove-weak-ciphers	2018-08-07 11:53:54.945634283 +0200
+++ cups-2.2.6/cups/usersys.c	2018-08-07 11:53:54.987633942 +0200
+@@ -54,7 +54,9 @@
+ typedef struct _cups_client_conf_s	/**** client.conf config data ****/
+ {
+ #ifdef HAVE_SSL
+-  int			ssl_options;	/* SSLOptions values */
+  int			ssl_options,	/* SSLOptions values */
+			ssl_min_version,/* Minimum SSL/TLS version */
+			ssl_max_version;/* Maximum SSL/TLS version */
+ #endif /* HAVE_SSL */
+   int			trust_first,	/* Trust on first use? */
+ 			any_root,	/* Allow any (e.g., self-signed) root */
+@@ -957,7 +959,7 @@ _cupsSetDefaults(void)
+     cg->validate_certs = cc.validate_certs;
+ 
+ #ifdef HAVE_SSL
+-  _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT);
+  _httpTLSSetOptions(cc.ssl_options | _HTTP_TLS_SET_DEFAULT, cc.ssl_min_version, cc.ssl_max_version);
+ #endif /* HAVE_SSL */
+ }
+ 
+@@ -1336,7 +1338,9 @@ cups_set_ssl_options(
+   * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyTLS1.0] [None]
+   */
+ 
+-  int	options = _HTTP_TLS_NONE;	/* SSL/TLS options */
+  int	options = _HTTP_TLS_NONE,	/* SSL/TLS options */
+	min_version = _HTTP_TLS_1_0,	/* Minimum SSL/TLS version */
+	max_version = _HTTP_TLS_MAX;	/* Maximum SSL/TLS version */
+   char	temp[256],			/* Copy of value */
+ 	*start,				/* Start of option */
+ 	*end;				/* End of option */
+@@ -1364,20 +1368,38 @@ cups_set_ssl_options(
+     if (!_cups_strcasecmp(start, "AllowRC4"))
+       options |= _HTTP_TLS_ALLOW_RC4;
+     else if (!_cups_strcasecmp(start, "AllowSSL3"))
+-      options |= _HTTP_TLS_ALLOW_SSL3;
+      min_version = _HTTP_TLS_SSL3;
+     else if (!_cups_strcasecmp(start, "AllowDH"))
+       options |= _HTTP_TLS_ALLOW_DH;
+     else if (!_cups_strcasecmp(start, "DenyCBC"))
+       options |= _HTTP_TLS_DENY_CBC;
+     else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
+-      options |= _HTTP_TLS_DENY_TLS10;
+      min_version = _HTTP_TLS_1_1;
+    else if (!_cups_strcasecmp(start, "MaxTLS1.0"))
+      max_version = _HTTP_TLS_1_0;
+    else if (!_cups_strcasecmp(start, "MaxTLS1.1"))
+      max_version = _HTTP_TLS_1_1;
+    else if (!_cups_strcasecmp(start, "MaxTLS1.2"))
+      max_version = _HTTP_TLS_1_2;
+    else if (!_cups_strcasecmp(start, "MaxTLS1.3"))
+      max_version = _HTTP_TLS_1_3;
+    else if (!_cups_strcasecmp(start, "MinTLS1.0"))
+      min_version = _HTTP_TLS_1_0;
+    else if (!_cups_strcasecmp(start, "MinTLS1.1"))
+      min_version = _HTTP_TLS_1_1;
+    else if (!_cups_strcasecmp(start, "MinTLS1.2"))
+      min_version = _HTTP_TLS_1_2;
+    else if (!_cups_strcasecmp(start, "MinTLS1.3"))
+      min_version = _HTTP_TLS_1_3;
+     else if (!_cups_strcasecmp(start, "None"))
+       options = _HTTP_TLS_NONE;
+   }
+ 
+-  cc->ssl_options = options;
+  cc->ssl_options     = options;
+  cc->ssl_max_version = max_version;
+  cc->ssl_min_version = min_version;
+ 
+-  DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x", (void *)cc, value, options));
+  DEBUG_printf(("4cups_set_ssl_options(cc=%p, value=\"%s\") options=%x, min_version=%d, max_version=%d", (void *)cc, value, options, min_version, max_version));
+ }
+ #endif /* HAVE_SSL */
+ 
+diff -up cups-2.2.6/man/client.conf.man.in.remove-weak-ciphers cups-2.2.6/man/client.conf.man.in
+--- cups-2.2.6/man/client.conf.man.in.remove-weak-ciphers	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/man/client.conf.man.in	2018-08-07 11:53:54.987633942 +0200
+@@ -10,7 +10,7 @@
+ .\" which should have been included with this file.  If this file is
+ .\" file is missing or damaged, see the license at "http://www.cups.org/".
+ .\"
+-.TH client.conf 5 "CUPS" "19 October 2017" "Apple Inc."
+.TH client.conf 5 "CUPS" "3 November 2017" "Apple Inc."
+ .SH NAME
+ client.conf \- client configuration file for cups
+ .SH DESCRIPTION
+@@ -56,7 +56,7 @@ Specifies the address and optionally the
+ \fBServerName \fIhostname-or-ip-address\fR[\fI:port\fR]\fB/version=1.1\fR
+ Specifies the address and optionally the port to use when connecting to a server running CUPS 1.3.12 and earlier.
+ .TP 5
+-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
+ .TP 5
+ \fBSSLOptions None\fR
+ Sets encryption options (only in /etc/cups/client.conf).
+@@ -68,6 +68,9 @@ The \fIAllowRC4\fR option enables the 12
+ The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
+ The \fIDenyCBC\fR option disables all CBC cipher suites.
+ The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+The \fMinTLS\fR options set the minimum TLS version to support.
+The \fMaxTLS\fR options set the maximum TLS version to support.
+Not all operating systems support TLS 1.3 at this time.
+ .TP 5
+ \fBTrustOnFirstUse Yes\fR
+ .TP 5
+diff -up cups-2.2.6/man/cupsd.conf.man.in.remove-weak-ciphers cups-2.2.6/man/cupsd.conf.man.in
+--- cups-2.2.6/man/cupsd.conf.man.in.remove-weak-ciphers	2018-08-07 11:53:54.981633991 +0200
+++ cups-2.2.6/man/cupsd.conf.man.in	2018-08-07 11:53:54.987633942 +0200
+@@ -432,10 +432,11 @@ The default is "Minimal".
+ Listens on the specified address and port for encrypted connections.
+ .\"#SSLOptions
+ .TP 5
+-\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR]
+.TP 5
+\fBSSLOptions \fR[\fIAllowDH\fR] [\fIAllowRC4\fR] [\fIAllowSSL3\fR] [\fIDenyCBC\fR] [\fIDenyTLS1.0\fR] [\fIMaxTLS1.0\fR] [\fIMaxTLS1.1\fR] [\fIMaxTLS1.2\fR] [\fIMaxTLS1.3\fR] [\fIMinTLS1.0\fR] [\fIMinTLS1.1\fR] [\fIMinTLS1.2\fR] [\fIMinTLS1.3\fR]
+ .TP 5
+ \fBSSLOptions None\fR
+-Sets encryption options.
+Sets encryption options (only in /etc/cups/client.conf).
+ By default, CUPS only supports encryption using TLS v1.0 or higher using known secure cipher suites.
+ Security is reduced when \fIAllow\fR options are used.
+ Security is enhanced when \fIDeny\fR options are used.
+@@ -444,6 +445,9 @@ The \fIAllowRC4\fR option enables the 12
+ The \fIAllowSSL3\fR option enables SSL v3.0, which is required for some older clients that do not support TLS v1.0.
+ The \fIDenyCBC\fR option disables all CBC cipher suites.
+ The \fIDenyTLS1.0\fR option disables TLS v1.0 support - this sets the minimum protocol version to TLS v1.1.
+The \fMinTLS\fR options set the minimum TLS version to support.
+The \fMaxTLS\fR options set the maximum TLS version to support.
+Not all operating systems support TLS 1.3 at this time.
+ .\"#SSLPort
+ .TP 5
+ \fBSSLPort \fIport\fR
+diff -up cups-2.2.6/scheduler/conf.c.remove-weak-ciphers cups-2.2.6/scheduler/conf.c
+--- cups-2.2.6/scheduler/conf.c.remove-weak-ciphers	2018-08-07 11:53:54.981633991 +0200
+++ cups-2.2.6/scheduler/conf.c	2018-08-07 11:53:54.988633934 +0200
+@@ -630,7 +630,7 @@ cupsdReadConfiguration(void)
+   cupsdSetString(&ServerKeychain, "/Library/Keychains/System.keychain");
+ #  endif /* HAVE_GNUTLS */
+ 
+-  _httpTLSSetOptions(0);
+  _httpTLSSetOptions(_HTTP_TLS_NONE, _HTTP_TLS_1_0, _HTTP_TLS_MAX);
+ #endif /* HAVE_SSL */
+ 
+   language = cupsLangDefault();
+@@ -3024,7 +3024,9 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
+       * SSLOptions [AllowRC4] [AllowSSL3] [AllowDH] [DenyCBC] [DenyTLS1.0] [None]
+       */
+ 
+-      int	options = 0;		/* SSL/TLS options */
+      int	options = _HTTP_TLS_NONE,/* SSL/TLS options */
+		min_version = _HTTP_TLS_1_0,
+		max_version = _HTTP_TLS_MAX;
+ 
+       if (value)
+       {
+@@ -3048,24 +3050,40 @@ read_cupsd_conf(cups_file_t *fp)	/* I -
+ 	  * Compare...
+ 	  */
+ 
+-          if (!_cups_strcasecmp(start, "AllowRC4"))
+	  if (!_cups_strcasecmp(start, "AllowRC4"))
+ 	    options |= _HTTP_TLS_ALLOW_RC4;
+-          else if (!_cups_strcasecmp(start, "AllowSSL3"))
+-	    options |= _HTTP_TLS_ALLOW_SSL3;
+	  else if (!_cups_strcasecmp(start, "AllowSSL3"))
+	    min_version = _HTTP_TLS_SSL3;
+ 	  else if (!_cups_strcasecmp(start, "AllowDH"))
+ 	    options |= _HTTP_TLS_ALLOW_DH;
+ 	  else if (!_cups_strcasecmp(start, "DenyCBC"))
+ 	    options |= _HTTP_TLS_DENY_CBC;
+ 	  else if (!_cups_strcasecmp(start, "DenyTLS1.0"))
+-	    options |= _HTTP_TLS_DENY_TLS10;
+-          else if (!_cups_strcasecmp(start, "None"))
+-	    options = 0;
+	    min_version = _HTTP_TLS_1_1;
+	  else if (!_cups_strcasecmp(start, "MaxTLS1.0"))
+	    max_version = _HTTP_TLS_1_0;
+	  else if (!_cups_strcasecmp(start, "MaxTLS1.1"))
+	    max_version = _HTTP_TLS_1_1;
+	  else if (!_cups_strcasecmp(start, "MaxTLS1.2"))
+	    max_version = _HTTP_TLS_1_2;
+	  else if (!_cups_strcasecmp(start, "MaxTLS1.3"))
+	    max_version = _HTTP_TLS_1_3;
+	  else if (!_cups_strcasecmp(start, "MinTLS1.0"))
+	    min_version = _HTTP_TLS_1_0;
+	  else if (!_cups_strcasecmp(start, "MinTLS1.1"))
+	    min_version = _HTTP_TLS_1_1;
+	  else if (!_cups_strcasecmp(start, "MinTLS1.2"))
+	    min_version = _HTTP_TLS_1_2;
+	  else if (!_cups_strcasecmp(start, "MinTLS1.3"))
+	    min_version = _HTTP_TLS_1_3;
+	  else if (!_cups_strcasecmp(start, "None"))
+	    options = _HTTP_TLS_NONE;
+ 	  else if (_cups_strcasecmp(start, "NoEmptyFragments"))
+ 	    cupsdLogMessage(CUPSD_LOG_WARN, "Unknown SSL option %s at line %d.", start, linenum);
+         }
+       }
+ 
+-      _httpTLSSetOptions(options);
+      _httpTLSSetOptions(options, min_version, max_version);
+     }
+ #endif /* HAVE_SSL */
+     else if ((!_cups_strcasecmp(line, "Port") || !_cups_strcasecmp(line, "Listen")
--- a/0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
+++ b/0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch
@ -0,0 +1,22 @@
+diff --git a/cgi-bin/var.c b/cgi-bin/var.c
+index 316b67f05..12f3c8344 100644
+--- a/cgi-bin/var.c
+++ b/cgi-bin/var.c
+@@ -1186,6 +1186,7 @@ cgi_set_sid(void)
+   const char		*remote_addr,	/* REMOTE_ADDR */
+ 			*server_name,	/* SERVER_NAME */
+ 			*server_port;	/* SERVER_PORT */
+  struct timeval	curtime;	/* Current time */
+ 
+ 
+   if ((remote_addr = getenv("REMOTE_ADDR")) == NULL)
+@@ -1195,7 +1196,8 @@ cgi_set_sid(void)
+   if ((server_port = getenv("SERVER_PORT")) == NULL)
+     server_port = "SERVER_PORT";
+ 
+-  CUPS_SRAND(time(NULL));
+  gettimeofday(&curtime, NULL);
+  CUPS_SRAND(curtime.tv_sec + curtime.tv_usec);
+   snprintf(buffer, sizeof(buffer), "%s:%s:%s:%02X%02X%02X%02X%02X%02X%02X%02X",
+            remote_addr, server_name, server_port,
+ 	   (unsigned)CUPS_RAND() & 255, (unsigned)CUPS_RAND() & 255,
--- a/0001-Fix-additional-IPP-1.1-issues-with-cupsCopyDestInfo-.patch
+++ b/0001-Fix-additional-IPP-1.1-issues-with-cupsCopyDestInfo-.patch
@ -0,0 +1,532 @@
+diff -up cups-2.2.6/cups/cups-private.h.oldcupsservers2 cups-2.2.6/cups/cups-private.h
+--- cups-2.2.6/cups/cups-private.h.oldcupsservers2	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/cups/cups-private.h	2018-09-06 10:24:15.128367008 +0200
+@@ -237,13 +237,9 @@ extern void		_cupsBufferRelease(char *b)
+ 
+ extern http_t		*_cupsConnect(void);
+ extern char		*_cupsCreateDest(const char *name, const char *info, const char *device_id, const char *device_uri, char *uri, size_t urisize);
+-extern int		_cupsGet1284Values(const char *device_id,
+-			                   cups_option_t **values);
+-extern const char	*_cupsGetDestResource(cups_dest_t *dest, char *resource,
+-			                      size_t resourcesize);
+-extern int		_cupsGetDests(http_t *http, ipp_op_t op,
+-			              const char *name, cups_dest_t **dests,
+-			              cups_ptype_t type, cups_ptype_t mask);
+extern int		_cupsGet1284Values(const char *device_id, cups_option_t **values);
+extern const char	*_cupsGetDestResource(cups_dest_t *dest, unsigned flags, char *resource, size_t resourcesize);
+extern int		_cupsGetDests(http_t *http, ipp_op_t op, const char *name, cups_dest_t **dests, cups_ptype_t type, cups_ptype_t mask);
+ extern const char	*_cupsGetPassword(const char *prompt);
+ extern void		_cupsGlobalLock(void);
+ extern _cups_globals_t	*_cupsGlobals(void);
+@@ -253,13 +249,10 @@ extern const char	*_cupsGSSServiceName(v
+ #  endif /* HAVE_GSSAPI */
+ extern int		_cupsNextDelay(int current, int *previous);
+ extern void		_cupsSetDefaults(void);
+-extern void		_cupsSetError(ipp_status_t status, const char *message,
+-			              int localize);
+extern void		_cupsSetError(ipp_status_t status, const char *message, int localize);
+ extern void		_cupsSetHTTPError(http_status_t status);
+ #  ifdef HAVE_GSSAPI
+-extern int		_cupsSetNegotiateAuthString(http_t *http,
+-			                            const char *method,
+-						    const char *resource);
+extern int		_cupsSetNegotiateAuthString(http_t *http, const char *method, const char *resource);
+ #  endif /* HAVE_GSSAPI */
+ extern char		*_cupsUserDefault(char *name, size_t namesize);
+ 
+diff -up cups-2.2.6/cups/dest.c.oldcupsservers2 cups-2.2.6/cups/dest.c
+--- cups-2.2.6/cups/dest.c.oldcupsservers2	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/cups/dest.c	2018-09-06 10:21:28.510749030 +0200
+@@ -1106,6 +1106,7 @@ cupsGetDest(const char  *name,		/* I - D
+ const char *				/* O - Printer URI */
+ _cupsGetDestResource(
+     cups_dest_t *dest,			/* I - Destination */
+    unsigned    flags,			/* I - Destination flags */
+     char        *resource,		/* I - Resource buffer */
+     size_t      resourcesize)		/* I - Size of resource buffer */
+ {
+@@ -1135,52 +1136,64 @@ _cupsGetDestResource(
+   * Grab the printer URI...
+   */
+ 
+-  if ((uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options)) == NULL)
+  if (!(flags & CUPS_DEST_FLAGS_DEVICE))
+    uri = NULL;
+  else
+    uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
+
+  if (uri)
+  {
+    DEBUG_printf(("1_cupsGetDestResource: printer-uri-supported=\"%s\"", uri));
+  }
+  else
+   {
+     if ((uri = cupsGetOption("device-uri", dest->num_options, dest->options)) != NULL)
+     {
+ #if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
+       if (strstr(uri, "._tcp"))
+      {
+         uri = cups_dnssd_resolve(dest, uri, 5000, NULL, NULL, NULL);
+
+        if (uri)
+          DEBUG_printf(("1_cupsGetDestResource: Resolved device-uri=\"%s\"", uri));
+      }
+      else
+ #endif /* HAVE_DNSSD || HAVE_AVAHI */
+
+      DEBUG_printf(("1_cupsGetDestResource: device-uri=\"%s\"", uri));
+     }
+ 
+-    if (uri)
+    if (uri && !(flags & CUPS_DEST_FLAGS_DEVICE))
+     {
+-      DEBUG_printf(("1_cupsGetDestResource: Resolved printer-uri-supported=\"%s\"", uri));
+-
+       uri = _cupsCreateDest(dest->name, cupsGetOption("printer-info", dest->num_options, dest->options), NULL, uri, resource, resourcesize);
+-    }
+ 
+-    if (uri)
+-    {
+-      DEBUG_printf(("1_cupsGetDestResource: Local printer-uri-supported=\"%s\"", uri));
+      if (uri)
+      {
+	DEBUG_printf(("1_cupsGetDestResource: Local printer-uri-supported=\"%s\"", uri));
+ 
+-      dest->num_options = cupsAddOption("printer-uri-supported", uri, dest->num_options, &dest->options);
+	dest->num_options = cupsAddOption("printer-uri-supported", uri, dest->num_options, &dest->options);
+ 
+-      uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
+	uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
+      }
+     }
+-    else
+-    {
+-      DEBUG_puts("1_cupsGetDestResource: No printer-uri-supported found.");
+  }
+ 
+-      if (resource)
+-        *resource = '\0';
+  if (!uri)
+  {
+    DEBUG_puts("1_cupsGetDestResource: No printer-uri-supported or device-uri found.");
+ 
+-      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(ENOENT), 0);
+    if (resource)
+      *resource = '\0';
+ 
+-      return (NULL);
+-    }
+    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(ENOENT), 0);
+
+    return (NULL);
+   }
+   else
+   {
+-    DEBUG_printf(("1_cupsGetDestResource: printer-uri-supported=\"%s\"", uri));
+-
+-    if (httpSeparateURI(HTTP_URI_CODING_ALL, uri, scheme, sizeof(scheme),
+-                        userpass, sizeof(userpass), hostname, sizeof(hostname),
+-                        &port, resource, (int)resourcesize) < HTTP_URI_STATUS_OK)
+    if (httpSeparateURI(HTTP_URI_CODING_ALL, uri, scheme, sizeof(scheme), userpass, sizeof(userpass), hostname, sizeof(hostname), &port, resource, (int)resourcesize) < HTTP_URI_STATUS_OK)
+     {
+-      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad printer-uri."), 1);
+      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad URI."), 1);
+ 
+       return (NULL);
+     }
+diff -up cups-2.2.6/cups/dest-options.c.oldcupsservers2 cups-2.2.6/cups/dest-options.c
+--- cups-2.2.6/cups/dest-options.c.oldcupsservers2	2018-09-06 10:21:28.507749055 +0200
+++ cups-2.2.6/cups/dest-options.c	2018-09-06 10:21:28.510749030 +0200
+@@ -572,6 +572,7 @@ cupsCopyDestInfo(
+     cups_dest_t *dest)			/* I - Destination */
+ {
+   cups_dinfo_t	*dinfo;			/* Destination information */
+  unsigned	dflags;			/* Destination flags */
+   ipp_t		*request,		/* Get-Printer-Attributes request */
+ 		*response;		/* Supported attributes */
+   int		tries,			/* Number of tries so far */
+@@ -581,6 +582,7 @@ cupsCopyDestInfo(
+   char		resource[1024];		/* Resource path */
+   int		version;		/* IPP version */
+   ipp_status_t	status;			/* Status of request */
+  _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
+   static const char * const requested_attrs[] =
+   {					/* Requested attributes */
+     "job-template",
+@@ -589,14 +591,25 @@ cupsCopyDestInfo(
+   };
+ 
+ 
+-  DEBUG_printf(("cupsCopyDestSupported(http=%p, dest=%p(%s))", (void *)http, (void *)dest, dest ? dest->name : ""));
+  DEBUG_printf(("cupsCopyDestInfo(http=%p, dest=%p(%s))", (void *)http, (void *)dest, dest ? dest->name : ""));
+ 
+  /*
+   * Get the default connection as needed...
+   */
+ 
+   if (!http)
+-    http = _cupsConnect();
+  {
+    http   = _cupsConnect();
+    dflags = CUPS_DEST_FLAGS_NONE;
+  }
+#ifdef AF_LOCAL
+  else if (strcmp(http->hostname, cg->server) || (httpAddrFamily(http->hostaddr) != AF_LOCAL && cg->ipp_port != httpAddrPort(http->hostaddr)))
+#else
+  else if (strcmp(http->hostname, cg->server) || cg->ipp_port != httpAddrPort(http->hostaddr))
+#endif /* AF_LOCAL */
+    dflags = CUPS_DEST_FLAGS_DEVICE;
+  else
+    dflags = CUPS_DEST_FLAGS_NONE;
+ 
+  /*
+   * Range check input...
+@@ -609,8 +622,11 @@ cupsCopyDestInfo(
+   * Get the printer URI and resource path...
+   */
+ 
+-  if ((uri = _cupsGetDestResource(dest, resource, sizeof(resource))) == NULL)
+  if ((uri = _cupsGetDestResource(dest, dflags, resource, sizeof(resource))) == NULL)
+  {
+    DEBUG_puts("1cupsCopyDestInfo: Unable to get resource.");
+     return (NULL);
+  }
+ 
+  /*
+   * Get the supported attributes...
+@@ -630,28 +646,23 @@ cupsCopyDestInfo(
+     request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
+ 
+     ippSetVersion(request, version / 10, version % 10);
+-    ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL,
+-		 uri);
+-    ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME,
+-                 "requesting-user-name", NULL, cupsUser());
+-    ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD,
+-		  "requested-attributes",
+-		  (int)(sizeof(requested_attrs) / sizeof(requested_attrs[0])),
+-		  NULL, requested_attrs);
+    ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL, uri);
+    ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "requesting-user-name", NULL, cupsUser());
+    ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD, "requested-attributes", (int)(sizeof(requested_attrs) / sizeof(requested_attrs[0])), NULL, requested_attrs);
+     response = cupsDoRequest(http, request, resource);
+     status   = cupsLastError();
+ 
+     if (status > IPP_STATUS_OK_IGNORED_OR_SUBSTITUTED)
+     {
+-      DEBUG_printf(("cupsCopyDestSupported: Get-Printer-Attributes for '%s' "
+-		    "returned %s (%s)", dest->name, ippErrorString(status),
+-		    cupsLastErrorString()));
+      DEBUG_printf(("1cupsCopyDestInfo: Get-Printer-Attributes for '%s' returned %s (%s)", dest->name, ippErrorString(status), cupsLastErrorString()));
+ 
+       ippDelete(response);
+       response = NULL;
+ 
+-      if (status == IPP_STATUS_ERROR_VERSION_NOT_SUPPORTED && version > 11)
+      if ((status == IPP_STATUS_ERROR_BAD_REQUEST || status == IPP_STATUS_ERROR_VERSION_NOT_SUPPORTED) && version > 11)
+      {
+         version = 11;
+      }
+       else if (status == IPP_STATUS_ERROR_BUSY)
+       {
+         sleep((unsigned)delay);
+@@ -667,7 +678,10 @@ cupsCopyDestInfo(
+   while (!response && tries < 10);
+ 
+   if (!response)
+  {
+    DEBUG_puts("1cupsCopyDestInfo: Unable to get printer attributes.");
+     return (NULL);
+  }
+ 
+  /*
+   * Allocate a cups_dinfo_t structure and return it...
+@@ -680,6 +694,8 @@ cupsCopyDestInfo(
+     return (NULL);
+   }
+ 
+  DEBUG_printf(("1cupsCopyDestInfo: version=%d, uri=\"%s\", resource=\"%s\".", version, uri, resource));
+
+   dinfo->version  = version;
+   dinfo->uri      = uri;
+   dinfo->resource = _cupsStrAlloc(resource);
+diff -up cups-2.2.6/cups/testdest.c.oldcupsservers2 cups-2.2.6/cups/testdest.c
+--- cups-2.2.6/cups/testdest.c.oldcupsservers2	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/cups/testdest.c	2018-09-06 10:25:48.271585277 +0200
+@@ -43,9 +43,12 @@ int					/* O - Exit status */
+ main(int  argc,				/* I - Number of command-line arguments */
+      char *argv[])			/* I - Command-line arguments */
+ {
+  int		i;			/* Looping var */
+   http_t	*http;			/* Connection to destination */
+   cups_dest_t	*dest = NULL;		/* Destination */
+   cups_dinfo_t	*dinfo;			/* Destination info */
+  unsigned	dflags = CUPS_DEST_FLAGS_NONE;
+					/* Destination flags */
+ 
+ 
+   if (argc < 2)
+@@ -103,9 +106,17 @@ main(int  argc,				/* I - Number of comm
+ 
+     return (0);
+   }
+-  else if (!strncmp(argv[1], "ipp://", 6) || !strncmp(argv[1], "ipps://", 7))
+-    dest = cupsGetDestWithURI(NULL, argv[1]);
+-  else if (!strcmp(argv[1], "default"))
+
+  i = 1;
+  if (!strcmp(argv[i], "--device"))
+  {
+    dflags = CUPS_DEST_FLAGS_DEVICE;
+    i ++;
+  }
+
+  if (!strncmp(argv[i], "ipp://", 6) || !strncmp(argv[i], "ipps://", 7))
+    dest = cupsGetDestWithURI(NULL, argv[i]);
+  else if (!strcmp(argv[i], "default"))
+   {
+     dest = cupsGetNamedDest(CUPS_HTTP_DEFAULT, NULL, NULL);
+     if (dest && dest->instance)
+@@ -114,67 +125,70 @@ main(int  argc,				/* I - Number of comm
+       printf("default is \"%s\".\n", dest->name);
+   }
+   else
+-    dest = cupsGetNamedDest(CUPS_HTTP_DEFAULT, argv[1], NULL);
+    dest = cupsGetNamedDest(CUPS_HTTP_DEFAULT, argv[i], NULL);
+ 
+   if (!dest)
+   {
+-    printf("testdest: Unable to get destination \"%s\": %s\n", argv[1], cupsLastErrorString());
+    printf("testdest: Unable to get destination \"%s\": %s\n", argv[i], cupsLastErrorString());
+     return (1);
+   }
+ 
+-  if ((http = cupsConnectDest(dest, CUPS_DEST_FLAGS_NONE, 30000, NULL, NULL, 0, NULL, NULL)) == NULL)
+  i ++;
+
+  if ((http = cupsConnectDest(dest, dflags, 30000, NULL, NULL, 0, NULL, NULL)) == NULL)
+   {
+-    printf("testdest: Unable to connect to destination \"%s\": %s\n", argv[1], cupsLastErrorString());
+    printf("testdest: Unable to connect to destination \"%s\": %s\n", dest->name, cupsLastErrorString());
+     return (1);
+   }
+ 
+   if ((dinfo = cupsCopyDestInfo(http, dest)) == NULL)
+   {
+-    printf("testdest: Unable to get information for destination \"%s\": %s\n", argv[1], cupsLastErrorString());
+    printf("testdest: Unable to get information for destination \"%s\": %s\n", dest->name, cupsLastErrorString());
+     return (1);
+   }
+ 
+-  if (argc == 2 || (!strcmp(argv[2], "supported") && argc < 6))
+  if (i == argc || !strcmp(argv[i], "supported"))
+   {
+-    if (argc > 3)
+-      show_supported(http, dest, dinfo, argv[3], argv[4]);
+    i ++;
+
+    if ((i + 1) < argc)
+      show_supported(http, dest, dinfo, argv[i], argv[i + 1]);
+     else if (argc > 2)
+-      show_supported(http, dest, dinfo, argv[3], NULL);
+      show_supported(http, dest, dinfo, argv[i], NULL);
+     else
+       show_supported(http, dest, dinfo, NULL, NULL);
+   }
+-  else if (!strcmp(argv[2], "conflicts") && argc > 3)
+  else if (!strcmp(argv[i], "conflicts") && (i + 1) < argc)
+   {
+-    int			i,		/* Looping var */
+-			num_options = 0;/* Number of options */
+    int			num_options = 0;/* Number of options */
+     cups_option_t	*options = NULL;/* Options */
+ 
+-    for (i = 3; i < argc; i ++)
+    for (i ++; i < argc; i ++)
+       num_options = cupsParseOptions(argv[i], num_options, &options);
+ 
+     show_conflicts(http, dest, dinfo, num_options, options);
+   }
+-  else if (!strcmp(argv[2], "default") && argc == 4)
+  else if (!strcmp(argv[i], "default") && (i + 1) < argc)
+   {
+-    show_default(http, dest, dinfo, argv[3]);
+    show_default(http, dest, dinfo, argv[i + 1]);
+   }
+-  else if (!strcmp(argv[2], "localize") && argc < 6)
+  else if (!strcmp(argv[i], "localize"))
+   {
+-    if (argc > 3)
+-      localize(http, dest, dinfo, argv[3], argv[4]);
+    i ++;
+    if ((i + 1) < argc)
+      localize(http, dest, dinfo, argv[i], argv[i + 1]);
+     else if (argc > 2)
+-      localize(http, dest, dinfo, argv[3], NULL);
+      localize(http, dest, dinfo, argv[i], NULL);
+     else
+       localize(http, dest, dinfo, NULL, NULL);
+   }
+-  else if (!strcmp(argv[2], "media"))
+  else if (!strcmp(argv[i], "media"))
+   {
+-    int		i;			/* Looping var */
+     const char	*name = NULL;		/* Media name, if any */
+     unsigned	flags = CUPS_MEDIA_FLAGS_DEFAULT;
+ 					/* Media selection flags */
+ 
+-    for (i = 3; i < argc; i ++)
+    for (i ++; i < argc; i ++)
+     {
+       if (!strcmp(argv[i], "borderless"))
+ 	flags = CUPS_MEDIA_FLAGS_BORDERLESS;
+@@ -192,19 +206,19 @@ main(int  argc,				/* I - Number of comm
+ 
+     show_media(http, dest, dinfo, flags, name);
+   }
+-  else if (!strcmp(argv[2], "print") && argc > 3)
+  else if (!strcmp(argv[i], "print") && (i + 1) < argc)
+   {
+-    int			i,		/* Looping var */
+-			num_options = 0;/* Number of options */
+    int			num_options = 0;/* Number of options */
+     cups_option_t	*options = NULL;/* Options */
+    const char		*filename = argv[i + 1];
+ 
+-    for (i = 4; i < argc; i ++)
+    for (i += 2; i < argc; i ++)
+       num_options = cupsParseOptions(argv[i], num_options, &options);
+ 
+-    print_file(http, dest, dinfo, argv[3], num_options, options);
+    print_file(http, dest, dinfo, filename, num_options, options);
+   }
+   else
+-    usage(argv[2]);
+    usage(argv[i]);
+ 
+   return (0);
+ }
+@@ -740,9 +754,9 @@ usage(const char *arg)			/* I - Argument
+     printf("testdest: Unknown option \"%s\".\n", arg);
+ 
+   puts("Usage:");
+-  puts("  ./testdest name [operation ...]");
+-  puts("  ./testdest ipp://... [operation ...]");
+-  puts("  ./testdest ipps://... [operation ...]");
+  puts("  ./testdest [--device] name [operation ...]");
+  puts("  ./testdest [--device] ipp://... [operation ...]");
+  puts("  ./testdest [--device] ipps://... [operation ...]");
+   puts("  ./testdest --enum [grayscale] [color] [duplex] [staple] [small]\n"
+        "                    [medium] [large]");
+   puts("");
+diff -up cups-2.2.6/test/ippserver.c.oldcupsservers2 cups-2.2.6/test/ippserver.c
+--- cups-2.2.6/test/ippserver.c.oldcupsservers2	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/test/ippserver.c	2018-09-06 10:21:28.512749014 +0200
+@@ -461,6 +461,7 @@ static AvahiClient	*DNSSDClient = NULL;
+ #endif /* HAVE_DNSSD */
+ 
+ static int		KeepFiles = 0,
+			MaxVersion = 20,
+ 			Verbosity = 0;
+ 
+ 
+@@ -533,6 +534,23 @@ main(int  argc,				/* I - Number of comm
+               pin = 1;
+               break;
+ 
+          case 'V' : /* -V max-version */
+	      i ++;
+	      if (i >= argc)
+	        usage(1);
+
+              if (!strcmp(argv[i], "2.2"))
+                MaxVersion = 22;
+	      else if (!strcmp(argv[i], "2.1"))
+                MaxVersion = 21;
+	      else if (!strcmp(argv[i], "2.0"))
+                MaxVersion = 20;
+	      else if (!strcmp(argv[i], "1.1"))
+                MaxVersion = 11;
+	      else
+	        usage(1);
+              break;
+
+ 	  case 'a' : /* -a attributes-file */
+ 	      i ++;
+ 	      if (i >= argc)
+@@ -1324,9 +1342,10 @@ create_printer(const char *servername,	/
+   };
+   static const char * const versions[] =/* ipp-versions-supported values */
+   {
+-    "1.0",
+     "1.1",
+-    "2.0"
+    "2.0",
+    "2.1",
+    "2.2"
+   };
+   static const char * const features[] =/* ipp-features-supported values */
+   {
+@@ -1738,7 +1757,12 @@ create_printer(const char *servername,	/
+ 
+   /* ipp-versions-supported */
+   if (!ippFindAttribute(printer->attrs, "ipp-versions-supported", IPP_TAG_ZERO))
+-    ippAddStrings(printer->attrs, IPP_TAG_PRINTER, IPP_CONST_TAG(IPP_TAG_KEYWORD), "ipp-versions-supported", sizeof(versions) / sizeof(versions[0]), NULL, versions);
+  {
+    int num_versions = MaxVersion == 11 ? 1 : MaxVersion == 20 ? 2 : MaxVersion == 21 ? 3 : 4;
+					/* Number of supported versions */
+
+    ippAddStrings(printer->attrs, IPP_TAG_PRINTER, IPP_CONST_TAG(IPP_TAG_KEYWORD), "ipp-versions-supported", num_versions, NULL, versions);
+  }
+ 
+   /* job-account-id-default */
+   if (!ippFindAttribute(printer->attrs, "job-account-id-default", IPP_TAG_ZERO))
+@@ -5800,15 +5824,24 @@ process_ipp(_ipp_client_t *client)	/* I
+     * Return an error, since we only support IPP 1.x and 2.x.
+     */
+ 
+-    respond_ipp(client, IPP_STATUS_ERROR_VERSION_NOT_SUPPORTED,
+-                "Bad request version number %d.%d.", major, minor);
+    respond_ipp(client, IPP_STATUS_ERROR_VERSION_NOT_SUPPORTED, "Bad request version number %d.%d.", major, minor);
+  }
+  else if ((major * 10 + minor) > MaxVersion)
+  {
+    if (httpGetState(client->http) != HTTP_STATE_POST_SEND)
+      httpFlush(client->http);		/* Flush trailing (junk) data */
+
+    respond_http(client, HTTP_STATUS_BAD_REQUEST, NULL, NULL, 0);
+    return (0);
+   }
+   else if (ippGetRequestId(client->request) <= 0)
+-    respond_ipp(client, IPP_STATUS_ERROR_BAD_REQUEST, "Bad request-id %d.",
+-                ippGetRequestId(client->request));
+  {
+    respond_ipp(client, IPP_STATUS_ERROR_BAD_REQUEST, "Bad request-id %d.", ippGetRequestId(client->request));
+  }
+   else if (!ippFirstAttribute(client->request))
+-    respond_ipp(client, IPP_STATUS_ERROR_BAD_REQUEST,
+-                "No attributes in request.");
+  {
+    respond_ipp(client, IPP_STATUS_ERROR_BAD_REQUEST, "No attributes in request.");
+  }
+   else
+   {
+    /*
+@@ -6877,8 +6910,7 @@ usage(int status)			/* O - Exit status *
+ {
+   if (!status)
+   {
+-    puts(CUPS_SVERSION " - Copyright 2010-2015 by Apple Inc. All rights "
+-         "reserved.");
+    puts(CUPS_SVERSION " - Copyright (c) 2010-2018 by Apple Inc. All rights reserved.");
+     puts("");
+   }
+ 
+@@ -6888,6 +6920,7 @@ usage(int status)			/* O - Exit status *
+   puts("-2                      Supports 2-sided printing (default=1-sided)");
+   puts("-M manufacturer         Manufacturer name (default=Test)");
+   puts("-P                      PIN printing mode");
+  puts("-V max-version          Set maximum supported IPP version");
+   puts("-a attributes-file      Load printer attributes from file");
+   puts("-c command              Run command for every print job");
+   printf("-d spool-directory      Spool directory "
--- a/0001-Fix-default-TLS-versions.patch
+++ b/0001-Fix-default-TLS-versions.patch
@ -0,0 +1,25 @@
+diff -up cups-2.2.6/cups/usersys.c.defaulttls cups-2.2.6/cups/usersys.c
+--- cups-2.2.6/cups/usersys.c.defaulttls	2018-09-03 12:10:36.111230611 +0200
+++ cups-2.2.6/cups/usersys.c	2018-09-03 12:12:41.307074414 +0200
+@@ -1166,11 +1166,16 @@ cups_init_client_conf(
+ 
+   memset(cc, 0, sizeof(_cups_client_conf_t));
+ 
+-  cc->encryption     = (http_encryption_t)-1;
+-  cc->trust_first    = -1;
+-  cc->any_root       = -1;
+-  cc->expired_certs  = -1;
+-  cc->validate_certs = -1;
+#ifdef HAVE_SSL
+  cc->ssl_options = _HTTP_TLS_NONE;
+  cc->ssl_min_version = _HTTP_TLS_1_0;
+  cc->ssl_max_version = _HTTP_TLS_MAX;
+#endif /* HAVE_SSL */
+  cc->encryption      = (http_encryption_t)-1;
+  cc->trust_first     = -1;
+  cc->any_root        = -1;
+  cc->expired_certs   = -1;
+  cc->validate_certs  = -1;
+ 
+  /*
+   * Load settings from the org.cups.PrintingPrefs plist (which trump
--- a/0001-Fix-local-privilege-escalation-to-root-and-sandbox-b.patch
+++ b/0001-Fix-local-privilege-escalation-to-root-and-sandbox-b.patch
@ -0,0 +1,481 @@
+From d47f6aec436e0e9df6554436e391471097686ecc Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Tue, 8 May 2018 15:24:21 -0700
+Subject: [PATCH] Fix local privilege escalation to root and sandbox bypasses
+ in scheduler (rdar://37836779, rdar://37836995, rdar://37837252,
+ rdar://37837581)
+
+---
+ man/cups-files.conf.man.in |  10 ++
+ man/cupsd.conf.man.in      |   8 --
+ scheduler/conf.c           | 201 +++++++++++++++++++++++--------------
+ scheduler/job.c            |  12 +++
+ scheduler/process.c        |  16 +--
+ scheduler/server.c         |  20 +++-
+ test/run-stp-tests.sh      |  11 +-
+ 7 files changed, 179 insertions(+), 99 deletions(-)
+
+diff --git a/man/cups-files.conf.man.in b/man/cups-files.conf.man.in
+index 7b96d687d..baf3cb6af 100644
+--- a/man/cups-files.conf.man.in
+++ b/man/cups-files.conf.man.in
+@@ -153,6 +153,11 @@ The server name may be included in filenames using the string "%s", for example:
+ 
+ .fi
+ The default is "/var/log/cups/page_log".
+.\"#PassEnv
+.TP 5
+\fBPassEnv \fIvariable \fR[ ... \fIvariable \fR]
+Passes the specified environment variable(s) to child processes.
+Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
+ .\"#RemoteRoot
+ .TP 5
+ \fBRemoteRoot \fIusername\fR
+@@ -187,6 +192,11 @@ macOS uses its keychain database to store certificates and keys while other plat
+ \fBServerRoot \fIdirectory\fR
+ Specifies the directory containing the server configuration files.
+ The default is "/etc/cups".
+.\"#SetEnv
+.TP 5
+\fBSetEnv \fIvariable value\fR
+Set the specified environment variable to be passed to child processes.
+Note: the standard CUPS filter and backend environment variables cannot be overridden using this directive.
+ .\"#StateDir
+ .TP 5
+ \fBStateDir \fIdirectory\fR
+diff --git a/man/cupsd.conf.man.in b/man/cupsd.conf.man.in
+index 3ffc80e42..36c849398 100644
+--- a/man/cupsd.conf.man.in
+++ b/man/cupsd.conf.man.in
+@@ -349,10 +349,6 @@ The default is "1048576" (1MB).
+ \fBMultipleOperationTimeout \fIseconds\fR
+ Specifies the maximum amount of time to allow between files in a multiple file print job.
+ The default is "300" (5 minutes).
+-.\"#PassEnv
+-.TP 5
+-\fBPassEnv \fIvariable \fR[ ... \fIvariable \fR]
+-Passes the specified environment variable(s) to child processes.
+ .\"#Policy
+ .TP 5
+ \fB<Policy \fIname\fB> \fR... \fB</Policy>\fR
+@@ -433,10 +429,6 @@ Specifies what information is included in the Server header of HTTP responses.
+ command.
+ "Full" reports "CUPS 2.0.0 (UNAME) IPP/2.0".
+ The default is "Minimal".
+-.\"#SetEnv
+-.TP 5
+-\fBSetEnv \fIvariable value\fR
+-Set the specified environment variable to be passed to child processes.
+ .\"#SSLListen
+ .TP 5
+ \fBSSLListen \fIipv4-address\fB:\fIport\fR
+diff --git a/scheduler/conf.c b/scheduler/conf.c
+index 67a91e7a6..b51c6060c 100644
+--- a/scheduler/conf.c
+++ b/scheduler/conf.c
+@@ -2929,13 +2929,10 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ 					/* Line from file */
+ 			temp[HTTP_MAX_BUFFER],
+ 					/* Temporary buffer for value */
+-			*value,		/* Pointer to value */
+-			*valueptr;	/* Pointer into value */
+			*value;		/* Pointer to value */
+   int			valuelen;	/* Length of value */
+   http_addrlist_t	*addrlist,	/* Address list */
+ 			*addr;		/* Current address */
+-  cups_file_t		*incfile;	/* Include file */
+-  char			incname[1024];	/* Include filename */
+ 
+ 
+  /*
+@@ -2950,28 +2947,7 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+     * Decode the directive...
+     */
+ 
+-    if (!_cups_strcasecmp(line, "Include") && value)
+-    {
+-     /*
+-      * Include filename
+-      */
+-
+-      if (value[0] == '/')
+-        strlcpy(incname, value, sizeof(incname));
+-      else
+-        snprintf(incname, sizeof(incname), "%s/%s", ServerRoot, value);
+-
+-      if ((incfile = cupsFileOpen(incname, "rb")) == NULL)
+-        cupsdLogMessage(CUPSD_LOG_ERROR,
+-	                "Unable to include config file \"%s\" - %s",
+-	                incname, strerror(errno));
+-      else
+-      {
+-        read_cupsd_conf(incfile);
+-	cupsFileClose(incfile);
+-      }
+-    }
+-    else if (!_cups_strcasecmp(line, "<Location") && value)
+    if (!_cups_strcasecmp(line, "<Location") && value)
+     {
+      /*
+       * <Location path>
+@@ -3367,31 +3343,6 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ 	cupsdLogMessage(CUPSD_LOG_WARN, "Unknown ServerTokens %s on line %d of %s.",
+                         value, linenum, ConfigurationFile);
+     }
+-    else if (!_cups_strcasecmp(line, "PassEnv") && value)
+-    {
+-     /*
+-      * PassEnv variable [... variable]
+-      */
+-
+-      for (; *value;)
+-      {
+-        for (valuelen = 0; value[valuelen]; valuelen ++)
+-	  if (_cups_isspace(value[valuelen]) || value[valuelen] == ',')
+-	    break;
+-
+-        if (value[valuelen])
+-        {
+-	  value[valuelen] = '\0';
+-	  valuelen ++;
+-	}
+-
+-        cupsdSetEnv(value, NULL);
+-
+-        for (value += valuelen; *value; value ++)
+-	  if (!_cups_isspace(*value) || *value != ',')
+-	    break;
+-      }
+-    }
+     else if (!_cups_strcasecmp(line, "ServerAlias") && value)
+     {
+      /*
+@@ -3420,30 +3371,6 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ 	    break;
+       }
+     }
+-    else if (!_cups_strcasecmp(line, "SetEnv") && value)
+-    {
+-     /*
+-      * SetEnv variable value
+-      */
+-
+-      for (valueptr = value; *valueptr && !isspace(*valueptr & 255); valueptr ++);
+-
+-      if (*valueptr)
+-      {
+-       /*
+-        * Found a value...
+-	*/
+-
+-        while (isspace(*valueptr & 255))
+-	  *valueptr++ = '\0';
+-
+-        cupsdSetEnv(value, valueptr);
+-      }
+-      else
+-        cupsdLogMessage(CUPSD_LOG_ERROR,
+-	                "Missing value for SetEnv directive on line %d of %s.",
+-	                linenum, ConfigurationFile);
+-    }
+     else if (!_cups_strcasecmp(line, "AccessLog") ||
+              !_cups_strcasecmp(line, "CacheDir") ||
+              !_cups_strcasecmp(line, "ConfigFilePerm") ||
+@@ -3457,6 +3384,7 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+              !_cups_strcasecmp(line, "LogFilePerm") ||
+              !_cups_strcasecmp(line, "LPDConfigFile") ||
+              !_cups_strcasecmp(line, "PageLog") ||
+             !_cups_strcasecmp(line, "PassEnv") ||
+              !_cups_strcasecmp(line, "Printcap") ||
+              !_cups_strcasecmp(line, "PrintcapFormat") ||
+              !_cups_strcasecmp(line, "RemoteRoot") ||
+@@ -3466,6 +3394,7 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+              !_cups_strcasecmp(line, "ServerKey") ||
+              !_cups_strcasecmp(line, "ServerKeychain") ||
+              !_cups_strcasecmp(line, "ServerRoot") ||
+             !_cups_strcasecmp(line, "SetEnv") ||
+              !_cups_strcasecmp(line, "SMBConfigFile") ||
+              !_cups_strcasecmp(line, "StateDir") ||
+              !_cups_strcasecmp(line, "SystemGroup") ||
+@@ -3495,10 +3424,49 @@ read_cupsd_conf(cups_file_t *fp)	/* I - File to read from */
+ static int				/* O - 1 on success, 0 on failure */
+ read_cups_files_conf(cups_file_t *fp)	/* I - File to read from */
+ {
+-  int		linenum;		/* Current line number */
+  int		i,			/* Looping var */
+		linenum;		/* Current line number */
+   char		line[HTTP_MAX_BUFFER],	/* Line from file */
+ 		*value;			/* Value from line */
+   struct group	*group;			/* Group */
+  static const char * const prohibited_env[] =
+  {					/* Prohibited environment variables */
+    "APPLE_LANGUAGE",
+    "AUTH_DOMAIN",
+    "AUTH_INFO_REQUIRED",
+    "AUTH_NEGOTIATE",
+    "AUTH_PASSWORD",
+    "AUTH_UID",
+    "AUTH_USERNAME",
+    "CHARSET",
+    "CLASS",
+    "CLASSIFICATION",
+    "CONTENT_TYPE",
+    "CUPS_CACHEDIR",
+    "CUPS_DATADIR",
+    "CUPS_DOCROOT",
+    "CUPS_FILETYPE",
+    "CUPS_FONTPATH",
+    "CUPS_MAX_MESSAGE",
+    "CUPS_REQUESTROOT",
+    "CUPS_SERVERBIN",
+    "CUPS_SERVERROOT",
+    "CUPS_STATEDIR",
+    "DEVICE_URI",
+    "FINAL_CONTENT_TYPE",
+    "HOME",
+    "LANG",
+    "PPD",
+    "PRINTER",
+    "PRINTER_INFO",
+    "PRINTER_LOCATION",
+    "PRINTER_STATE_REASONS",
+    "RIP_CACHE",
+    "SERVER_ADMIN",
+    "SOFTWARE",
+    "TMPDIR",
+    "USER"
+  };
+ 
+ 
+  /*
+@@ -3536,6 +3504,47 @@ read_cups_files_conf(cups_file_t *fp)	/* I - File to read from */
+ 	}
+       }
+     }
+    else if (!_cups_strcasecmp(line, "PassEnv") && value)
+    {
+     /*
+      * PassEnv variable [... variable]
+      */
+
+      int valuelen;			/* Length of variable name */
+
+      for (; *value;)
+      {
+        for (valuelen = 0; value[valuelen]; valuelen ++)
+	  if (_cups_isspace(value[valuelen]) || value[valuelen] == ',')
+	    break;
+
+        if (value[valuelen])
+        {
+	  value[valuelen] = '\0';
+	  valuelen ++;
+	}
+
+        for (i = 0; i < (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])); i ++)
+        {
+          if (!strcmp(value, prohibited_env[i]))
+          {
+	    cupsdLogMessage(CUPSD_LOG_ERROR, "Environment variable \"%s\" cannot be passed through on line %d of %s.", value, linenum, CupsFilesFile);
+
+	    if (FatalErrors & CUPSD_FATAL_CONFIG)
+	      return (0);
+	    else
+	      break;
+          }
+	}
+
+        if (i >= (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])))
+          cupsdSetEnv(value, NULL);
+
+        for (value += valuelen; *value; value ++)
+	  if (!_cups_isspace(*value) || *value != ',')
+	    break;
+      }
+    }
+     else if (!_cups_strcasecmp(line, "PrintcapFormat") && value)
+     {
+      /*
+@@ -3581,6 +3590,46 @@ read_cups_files_conf(cups_file_t *fp)	/* I - File to read from */
+           return (0);
+       }
+     }
+    else if (!_cups_strcasecmp(line, "SetEnv") && value)
+    {
+     /*
+      * SetEnv variable value
+      */
+
+      char *valueptr;			/* Pointer to environment variable value */
+
+      for (valueptr = value; *valueptr && !isspace(*valueptr & 255); valueptr ++);
+
+      if (*valueptr)
+      {
+       /*
+        * Found a value...
+	*/
+
+        while (isspace(*valueptr & 255))
+	  *valueptr++ = '\0';
+
+        for (i = 0; i < (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])); i ++)
+        {
+          if (!strcmp(value, prohibited_env[i]))
+          {
+	    cupsdLogMessage(CUPSD_LOG_ERROR, "Environment variable \"%s\" cannot be set  on line %d of %s.", value, linenum, CupsFilesFile);
+
+	    if (FatalErrors & CUPSD_FATAL_CONFIG)
+	      return (0);
+	    else
+	      break;
+          }
+	}
+
+        if (i >= (int)(sizeof(prohibited_env) / sizeof(prohibited_env[0])))
+	  cupsdSetEnv(value, valueptr);
+      }
+      else
+        cupsdLogMessage(CUPSD_LOG_ERROR,
+	                "Missing value for SetEnv directive on line %d of %s.",
+	                linenum, ConfigurationFile);
+    }
+     else if (!_cups_strcasecmp(line, "SystemGroup") && value)
+     {
+      /*
+diff --git a/scheduler/job.c b/scheduler/job.c
+index 61cda44e2..5ced0b9d1 100644
+--- a/scheduler/job.c
+++ b/scheduler/job.c
+@@ -4779,6 +4779,18 @@ start_job(cupsd_job_t     *job,		/* I - Job ID */
+   job->profile  = cupsdCreateProfile(job->id, 0);
+   job->bprofile = cupsdCreateProfile(job->id, 1);
+ 
+#ifdef HAVE_SANDBOX_H
+  if ((!job->profile || !job->bprofile) && UseSandboxing && Sandboxing != CUPSD_SANDBOXING_OFF)
+  {
+   /*
+    * Failure to create the sandbox profile means something really bad has
+    * happened and we need to shutdown immediately.
+    */
+
+    return;
+  }
+#endif /* HAVE_SANDBOX_H */
+
+  /*
+   * Create the status pipes and buffer...
+   */
+diff --git a/scheduler/process.c b/scheduler/process.c
+index b8d49d8f0..3c1c6ba4f 100644
+--- a/scheduler/process.c
+++ b/scheduler/process.c
+@@ -98,9 +98,13 @@ cupsdCreateProfile(int job_id,		/* I - Job ID or 0 for none */
+ 
+   if ((fp = cupsTempFile2(profile, sizeof(profile))) == NULL)
+   {
+   /*
+    * This should never happen, and is fatal when sandboxing is enabled.
+    */
+
+     cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdCreateProfile(job_id=%d, allow_networking=%d) = NULL", job_id, allow_networking);
+-    cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to create security profile: %s",
+-                    strerror(errno));
+    cupsdLogMessage(CUPSD_LOG_EMERG, "Unable to create security profile: %s", strerror(errno));
+    kill(getpid(), SIGTERM);
+     return (NULL);
+   }
+ 
+@@ -197,10 +201,8 @@ cupsdCreateProfile(int job_id,		/* I - Job ID or 0 for none */
+ 		 " #\"^%s/\""		/* TempDir/... */
+ 		 " #\"^%s$\""		/* CacheDir */
+ 		 " #\"^%s/\""		/* CacheDir/... */
+-		 " #\"^%s$\""		/* StateDir */
+-		 " #\"^%s/\""		/* StateDir/... */
+ 		 "))\n",
+-		 temp, temp, cache, cache, state, state);
+		 temp, temp, cache, cache);
+   /* Read common folders */
+   cupsFilePrintf(fp,
+                  "(allow file-read-data file-read-metadata\n"
+@@ -242,8 +244,10 @@ cupsdCreateProfile(int job_id,		/* I - Job ID or 0 for none */
+ 		 " #\"^%s/\""		/* ServerBin/... */
+ 		 " #\"^%s$\""		/* ServerRoot */
+ 		 " #\"^%s/\""		/* ServerRoot/... */
+		 " #\"^%s$\""		/* StateDir */
+		 " #\"^%s/\""		/* StateDir/... */
+ 		 "))\n",
+-		 request, request, bin, bin, root, root);
+		 request, request, bin, bin, root, root, state, state);
+   if (Sandboxing == CUPSD_SANDBOXING_RELAXED)
+   {
+     /* Limited write access to /Library/Printers/... */
+diff --git a/scheduler/server.c b/scheduler/server.c
+index cecbabe67..a4033791b 100644
+--- a/scheduler/server.c
+++ b/scheduler/server.c
+@@ -34,16 +34,28 @@ void
+ cupsdStartServer(void)
+ {
+  /*
+-  * Start color management (as needed)...
+  * Create the default security profile...
+   */
+ 
+-  cupsdStartColor();
+  DefaultProfile = cupsdCreateProfile(0, 1);
+
+#ifdef HAVE_SANDBOX_H
+  if (!DefaultProfile && UseSandboxing && Sandboxing != CUPSD_SANDBOXING_OFF)
+  {
+   /*
+    * Failure to create the sandbox profile means something really bad has
+    * happened and we need to shutdown immediately.
+    */
+
+    return;
+  }
+#endif /* HAVE_SANDBOX_H */
+ 
+  /*
+-  * Create the default security profile...
+  * Start color management (as needed)...
+   */
+ 
+-  DefaultProfile = cupsdCreateProfile(0, 1);
+  cupsdStartColor();
+ 
+  /*
+   * Startup all the networking stuff...
+diff --git a/test/run-stp-tests.sh b/test/run-stp-tests.sh
+index 7eb269a67..f83bd5d91 100755
+--- a/test/run-stp-tests.sh
+++ b/test/run-stp-tests.sh
+@@ -489,11 +489,6 @@ StrictConformance Yes
+ Browsing Off
+ Listen localhost:$port
+ Listen $BASE/sock
+-PassEnv DYLD_LIBRARY_PATH
+-PassEnv LD_LIBRARY_PATH
+-PassEnv LD_PRELOAD
+-PassEnv LOCALEDIR
+-PassEnv SHLIB_PATH
+ MaxSubscriptions 3
+ MaxLogSize 0
+ AccessLogLevel actions
+@@ -529,6 +524,12 @@ TempDir $BASE/spool/temp
+ AccessLog $BASE/log/access_log
+ ErrorLog $BASE/log/error_log
+ PageLog $BASE/log/page_log
+
+PassEnv DYLD_LIBRARY_PATH
+PassEnv LD_LIBRARY_PATH
+PassEnv LD_PRELOAD
+PassEnv LOCALEDIR
+PassEnv SHLIB_PATH
+ EOF
+ 
+ if test $ssltype != 0 -a `uname` = Darwin; then
+-- 
+2.17.1
+
--- a/0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch
+++ b/0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch
@ -0,0 +1,206 @@
+diff --git a/backend/ipp.c b/backend/ipp.c
+index 32eb3aaa4..2a880bd75 100644
+--- a/backend/ipp.c
+++ b/backend/ipp.c
+@@ -3612,6 +3612,8 @@ update_reasons(ipp_attribute_t *attr,	/* I - printer-state-reasons or NULL */
+     }
+   }
+ 
+  cupsArrayDelete(new_reasons);
+
+   _cupsMutexUnlock(&report_mutex);
+ 
+  /*
+diff --git a/cgi-bin/search.c b/cgi-bin/search.c
+index 3956afc33..ad1f5ed0e 100644
+--- a/cgi-bin/search.c
+++ b/cgi-bin/search.c
+@@ -361,4 +362,5 @@ void
+ cgiFreeSearch(void *search)		/* I - Search context */
+ {
+   regfree((regex_t *)search);
+  free(search);
+ }
+diff --git a/cups/http-addrlist.c b/cups/http-addrlist.c
+index 5d510140b..688901a7d 100644
+--- a/cups/http-addrlist.c
+++ b/cups/http-addrlist.c
+@@ -612,6 +613,7 @@ httpAddrGetList(const char *hostname,	/* I - Hostname, IP address, or NULL for p
+ 	  if (!temp)
+ 	  {
+ 	    httpAddrFreeList(first);
+	    freeaddrinfo(results);
+ 	    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
+ 	    return (NULL);
+ 	  }
+diff --git a/cups/http.c b/cups/http.c
+index a9235b087..d9332cc83 100644
+--- a/cups/http.c
+++ b/cups/http.c
+@@ -3915,7 +3915,7 @@ http_create(
+   if ((http = calloc(sizeof(http_t), 1)) == NULL)
+   {
+     _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(errno), 0);
+-    httpAddrFreeList(addrlist);
+    httpAddrFreeList(myaddrlist);
+     return (NULL);
+   }
+ 
+diff --git a/ppdc/ppdc-source.cxx b/ppdc/ppdc-source.cxx
+index be24cebae..4e8cba7bb 100644
+--- a/ppdc/ppdc-source.cxx
+++ b/ppdc/ppdc-source.cxx
+@@ -2665,6 +2666,7 @@ ppdcSource::scan_file(ppdcFile   *fp,	// I - File to read
+       // Add it to the current option...
+       if (!o)
+       {
+        c->release();
+         _cupsLangPrintf(stderr,
+ 	                _("ppdc: Choice found on line %d of %s with no "
+ 			  "Option."), fp->line, fp->filename);
+diff --git a/scheduler/cups-driverd.cxx b/scheduler/cups-driverd.cxx
+index 657eee0a0..b518a9325 100644
+--- a/scheduler/cups-driverd.cxx
+++ b/scheduler/cups-driverd.cxx
+@@ -153,7 +153,7 @@ static ppd_info_t	*add_ppd(const char *filename, const char *name,
+ 				 size_t size, int model_number, int type,
+ 				 const char *scheme);
+ static int		cat_drv(const char *name, int request_id);
+-static int		cat_ppd(const char *name, int request_id);
+static void		cat_ppd(const char *name, int request_id);
+ static int		cat_static(const char *name, int request_id);
+ static int		cat_tar(const char *name, int request_id);
+ static int		compare_inodes(struct stat *a, struct stat *b);
+@@ -163,12 +163,12 @@ static int		compare_names(const ppd_info_t *p0,
+ 			              const ppd_info_t *p1);
+ static int		compare_ppds(const ppd_info_t *p0,
+ 			             const ppd_info_t *p1);
+-static int		dump_ppds_dat(const char *filename);
+static void		dump_ppds_dat(const char *filename);
+ static void		free_array(cups_array_t *a);
+ static cups_file_t	*get_file(const char *name, int request_id,
+ 			          const char *subdir, char *buffer,
+ 			          size_t bufsize, char **subfile);
+-static int		list_ppds(int request_id, int limit, const char *opt);
+static void		list_ppds(int request_id, int limit, const char *opt);
+ static int		load_drivers(cups_array_t *include,
+ 			             cups_array_t *exclude);
+ static int		load_drv(const char *filename, const char *name,
+@@ -204,13 +204,13 @@ main(int  argc,				/* I - Number of command-line args */
+   */
+ 
+   if (argc == 3 && !strcmp(argv[1], "cat"))
+-    return (cat_ppd(argv[2], 0));
+    cat_ppd(argv[2], 0);
+   else if ((argc == 2 || argc == 3) && !strcmp(argv[1], "dump"))
+-    return (dump_ppds_dat(argv[2]));
+    dump_ppds_dat(argv[2]);
+   else if (argc == 4 && !strcmp(argv[1], "get"))
+-    return (cat_ppd(argv[3], atoi(argv[2])));
+    cat_ppd(argv[3], atoi(argv[2]));
+   else if (argc == 5 && !strcmp(argv[1], "list"))
+-    return (list_ppds(atoi(argv[2]), atoi(argv[3]), argv[4]));
+    list_ppds(atoi(argv[2]), atoi(argv[3]), argv[4]);
+   else
+   {
+     fputs("Usage: cups-driverd cat ppd-name\n", stderr);
+@@ -428,7 +428,7 @@ cat_drv(const char *name,		/* I - PPD name */
+  * 'cat_ppd()' - Copy a PPD file to stdout.
+  */
+ 
+-static int				/* O - Exit code */
+static void
+ cat_ppd(const char *name,		/* I - PPD name */
+         int        request_id)		/* I - Request ID for response? */
+ {
+@@ -445,7 +445,7 @@ cat_ppd(const char *name,		/* I - PPD name */
+   if (strstr(name, "../"))
+   {
+     fputs("ERROR: Invalid PPD name.\n", stderr);
+-    return (1);
+    exit(1);
+   }
+ 
+   strlcpy(scheme, name, sizeof(scheme));
+@@ -475,11 +475,11 @@ cat_ppd(const char *name,		/* I - PPD name */
+     puts("Content-Type: application/ipp\n");
+ 
+   if (!scheme[0])
+-    return (cat_static(name, request_id));
+    exit(cat_static(name, request_id));
+   else if (!strcmp(scheme, "drv"))
+-    return (cat_drv(name, request_id));
+    exit(cat_drv(name, request_id));
+   else if (!strcmp(scheme, "file"))
+-    return (cat_tar(name, request_id));
+    exit(cat_tar(name, request_id));
+   else
+   {
+    /*
+@@ -517,7 +517,7 @@ cat_ppd(const char *name,		/* I - PPD name */
+         cupsdSendIPPTrailer();
+       }
+ 
+-      return (1);
+      exit(1);
+     }
+ 
+    /*
+@@ -547,15 +547,15 @@ cat_ppd(const char *name,		/* I - PPD name */
+ 
+       fprintf(stderr, "ERROR: [cups-driverd] Unable to execute \"%s\" - %s\n",
+               line, strerror(errno));
+-      return (1);
+      exit(1);
+     }
+   }
+ 
+  /*
+-  * Return with no errors...
+  * Exit with no errors...
+   */
+ 
+-  return (0);
+  exit(0);
+ }
+ 
+ 
+@@ -778,7 +778,7 @@ compare_ppds(const ppd_info_t *p0,	/* I - First PPD file */
+  * 'dump_ppds_dat()' - Dump the contents of the ppds.dat file.
+  */
+ 
+-static int				/* O - Exit status */
+static void
+ dump_ppds_dat(const char *filename)	/* I - Filename */
+ {
+   char		temp[1024];		/* ppds.dat filename */
+@@ -810,7 +810,7 @@ dump_ppds_dat(const char *filename)	/* I - Filename */
+ 	   ppd->record.make_and_model, ppd->record.device_id,
+ 	   ppd->record.scheme);
+ 
+-  return (0);
+  exit(0);
+ }
+ 
+ 
+@@ -1004,7 +1004,7 @@ get_file(const char *name,		/* I - Name */
+  * 'list_ppds()' - List PPD files.
+  */
+ 
+-static int				/* O - Exit code */
+static void
+ list_ppds(int        request_id,	/* I - Request ID */
+           int        limit,		/* I - Limit */
+ 	  const char *opt)		/* I - Option argument */
+@@ -1566,7 +1566,7 @@ list_ppds(int        request_id,	/* I - Request ID */
+   if (request_id)
+     cupsdSendIPPTrailer();
+ 
+-  return (0);
+  exit(0);
+ }
+ 
+ 
+-- 
+2.17.1
+
--- a/0001-Fix-stuck-multi-file-jobs-Issue-5359-Issue-5413.patch
+++ b/0001-Fix-stuck-multi-file-jobs-Issue-5359-Issue-5413.patch
@ -0,0 +1,56 @@
+diff --git a/backend/socket.c b/backend/socket.c
+index 675061dd9..68379e95b 100644
+--- a/backend/socket.c
+++ b/backend/socket.c
+@@ -397,8 +397,10 @@ main(int  argc,				/* I - Number of command-line arguments (6 or 7) */
+       lseek(print_fd, 0, SEEK_SET);
+     }
+ 
+-    tbytes = backendRunLoop(print_fd, device_fd, snmp_fd, &(addrlist->addr), 1,
+-                            0, backendNetworkSideCB);
+    if ((bytes = backendRunLoop(print_fd, device_fd, snmp_fd, &(addrlist->addr), 1, 0, backendNetworkSideCB)) < 0)
+      tbytes = -1;
+    else
+      tbytes = bytes;
+ 
+     if (print_fd != 0 && tbytes >= 0)
+       _cupsLangPrintFilter(stderr, "INFO", _("Print file sent."));
+@@ -406,7 +408,7 @@ main(int  argc,				/* I - Number of command-line arguments (6 or 7) */
+ 
+   fputs("STATE: +cups-waiting-for-job-completed\n", stderr);
+ 
+-  if (waiteof)
+  if (waiteof && tbytes >= 0)
+   {
+    /*
+     * Shutdown the socket and wait for the other end to finish...
+@@ -443,7 +445,7 @@ main(int  argc,				/* I - Number of command-line arguments (6 or 7) */
+   if (print_fd != 0)
+     close(print_fd);
+ 
+-  return (CUPS_BACKEND_OK);
+  return (tbytes >= 0 ? CUPS_BACKEND_OK : CUPS_BACKEND_FAILED);
+ }
+ 
+ 
+diff --git a/scheduler/main.c b/scheduler/main.c
+index 4b3914ade..472b9946d 100644
+--- a/scheduler/main.c
+++ b/scheduler/main.c
+@@ -1472,9 +1472,16 @@ process_children(void)
+               (!job->filters[i] && WIFEXITED(old_status)))
+           {				/* Backend and filter didn't crash */
+ 	    if (job->filters[i])
+	    {
+ 	      job->status = status;	/* Filter failed */
+	    }
+ 	    else
+	    {
+ 	      job->status = -status;	/* Backend failed */
+
+	      if (job->current_file < job->num_files)
+	        cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_FORCE, "Canceling multi-file job due to backend failure.");
+	    }
+           }
+ 
+ 	  if (job->state_value == IPP_JOB_PROCESSING &&
--- a/0001-One-more-fix-for-_cupsGetDestResource-Issue-5211.patch
+++ b/0001-One-more-fix-for-_cupsGetDestResource-Issue-5211.patch
@ -0,0 +1,138 @@
+From 27551f043a74fdba2817ec77519e1226c16ccc1b Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michael.r.sweet@gmail.com>
+Date: Wed, 31 Jan 2018 20:21:26 -0500
+Subject: [PATCH] One more fix for _cupsGetDestResource (Issue #5211)
+
+---
+ cups/dest.c | 81 ++++++++++++++++++++++++++++-------------------------
+ 1 file changed, 43 insertions(+), 38 deletions(-)
+
+diff --git a/cups/dest.c b/cups/dest.c
+index b90be7b3a..090970c79 100644
+--- a/cups/dest.c
+++ b/cups/dest.c
+@@ -1094,14 +1094,16 @@ cupsGetDest(const char  *name,		/* I - Destination name or @code NULL@ for the d
+  * '_cupsGetDestResource()' - Get the resource path and URI for a destination.
+  */
+ 
+-const char *				/* O - Printer URI */
+const char *				/* O - URI */
+ _cupsGetDestResource(
+     cups_dest_t *dest,			/* I - Destination */
+     unsigned    flags,			/* I - Destination flags */
+     char        *resource,		/* I - Resource buffer */
+     size_t      resourcesize)		/* I - Size of resource buffer */
+ {
+-  const char	*uri;			/* Printer URI */
+  const char	*uri,			/* URI */
+		*device_uri,		/* Device URI */
+		*printer_uri;		/* Printer URI */
+   char		scheme[32],		/* URI scheme */
+ 		userpass[256],		/* Username and password (unused) */
+ 		hostname[256];		/* Hostname */
+@@ -1124,48 +1126,54 @@ _cupsGetDestResource(
+   }
+ 
+  /*
+-  * Grab the printer URI...
+  * Grab the printer and device URIs...
+   */
+ 
+-  if (!(flags & CUPS_DEST_FLAGS_DEVICE))
+-    uri = NULL;
+-  else
+-    uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
+  device_uri  = cupsGetOption("device-uri", dest->num_options, dest->options);
+  printer_uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
+ 
+-  if (uri)
+-  {
+-    DEBUG_printf(("1_cupsGetDestResource: printer-uri-supported=\"%s\"", uri));
+-  }
+-  else
+  DEBUG_printf(("1_cupsGetDestResource: device-uri=\"%s\", printer-uri-supported=\"%s\".", device_uri, printer_uri));
+
+#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
+  if (((flags & CUPS_DEST_FLAGS_DEVICE) || !printer_uri) && strstr(device_uri, "._tcp"))
+   {
+-    if ((uri = cupsGetOption("device-uri", dest->num_options, dest->options)) != NULL)
+    if ((device_uri = cups_dnssd_resolve(dest, device_uri, 5000, NULL, NULL, NULL)) != NULL)
+     {
+-#if defined(HAVE_DNSSD) || defined(HAVE_AVAHI)
+-      if (strstr(uri, "._tcp"))
+-      {
+-        uri = cups_dnssd_resolve(dest, uri, 5000, NULL, NULL, NULL);
+      DEBUG_printf(("1_cupsGetDestResource: Resolved device-uri=\"%s\".", device_uri));
+    }
+    else
+    {
+      DEBUG_puts("1_cupsGetDestResource: Unable to resolve device.");
+ 
+-        if (uri)
+-          DEBUG_printf(("1_cupsGetDestResource: Resolved device-uri=\"%s\"", uri));
+-      }
+-      else
+-#endif /* HAVE_DNSSD || HAVE_AVAHI */
+      if (resource)
+	*resource = '\0';
+
+      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, strerror(ENOENT), 0);
+ 
+-      DEBUG_printf(("1_cupsGetDestResource: device-uri=\"%s\"", uri));
+      return (NULL);
+     }
+  }
+#endif /* HAVE_DNSSD || HAVE_AVAHI */
+ 
+-    if (uri && !(flags & CUPS_DEST_FLAGS_DEVICE))
+-    {
+-      uri = _cupsCreateDest(dest->name, cupsGetOption("printer-info", dest->num_options, dest->options), NULL, uri, resource, resourcesize);
+  if (flags & CUPS_DEST_FLAGS_DEVICE)
+  {
+    uri = device_uri;
+  }
+  else if (printer_uri)
+  {
+    uri = printer_uri;
+  }
+  else
+  {
+    uri = _cupsCreateDest(dest->name, cupsGetOption("printer-info", dest->num_options, dest->options), NULL, device_uri, resource, resourcesize);
+ 
+-      if (uri)
+-      {
+-	DEBUG_printf(("1_cupsGetDestResource: Local printer-uri-supported=\"%s\"", uri));
+    if (uri)
+    {
+      DEBUG_printf(("1_cupsGetDestResource: Local printer-uri-supported=\"%s\"", uri));
+ 
+-	dest->num_options = cupsAddOption("printer-uri-supported", uri, dest->num_options, &dest->options);
+      dest->num_options = cupsAddOption("printer-uri-supported", uri, dest->num_options, &dest->options);
+ 
+-	uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
+-      }
+      uri = cupsGetOption("printer-uri-supported", dest->num_options, dest->options);
+     }
+   }
+ 
+@@ -1180,14 +1188,11 @@ _cupsGetDestResource(
+ 
+     return (NULL);
+   }
+-  else
+  else if (httpSeparateURI(HTTP_URI_CODING_ALL, uri, scheme, sizeof(scheme), userpass, sizeof(userpass), hostname, sizeof(hostname), &port, resource, (int)resourcesize) < HTTP_URI_STATUS_OK)
+   {
+-    if (httpSeparateURI(HTTP_URI_CODING_ALL, uri, scheme, sizeof(scheme), userpass, sizeof(userpass), hostname, sizeof(hostname), &port, resource, (int)resourcesize) < HTTP_URI_STATUS_OK)
+-    {
+-      _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad URI."), 1);
+    _cupsSetError(IPP_STATUS_ERROR_INTERNAL, _("Bad URI."), 1);
+ 
+-      return (NULL);
+-    }
+    return (NULL);
+   }
+ 
+   DEBUG_printf(("1_cupsGetDestResource: resource=\"%s\"", resource));
+-- 
+2.17.1
+
--- a/0001-Printing-to-old-CUPS-servers-has-been-fixed-Issue-52.patch
+++ b/0001-Printing-to-old-CUPS-servers-has-been-fixed-Issue-52.patch
@ -0,0 +1,27 @@
+From 6a3d63e63841e91e75ca2e3e7626f8785da758dc Mon Sep 17 00:00:00 2001
+From: Michael R Sweet <michaelrsweet@gmail.com>
+Date: Thu, 11 Jan 2018 11:32:01 -0500
+Subject: [PATCH] Printing to old CUPS servers has been fixed (Issue #5211)
+
+cups/dest-options.c:
+- Fix IPP version check in cupsCopyDestInfo.
+---
+ cups/dest-options.c | 4 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/cups/dest-options.c b/cups/dest-options.c
+index 18abebf06..11a1b10fb 100644
+--- a/cups/dest-options.c
+++ b/cups/dest-options.c
+@@ -722,6 +722,8 @@ cupsCopyDestInfo(
+     */
+ 
+     request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
+
+    ippSetVersion(request, version / 10, version % 10);
+     ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri", NULL,
+ 		 uri);
+     ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME,
+-- 
+2.17.1
+
--- a/0001-The-scheduler-could-crash-while-adding-an-IPP-Everyw.patch
+++ b/0001-The-scheduler-could-crash-while-adding-an-IPP-Everyw.patch
@ -0,0 +1,22 @@
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index 649995bb5..2396c9b58 100644
+--- a/scheduler/ipp.c
+++ b/scheduler/ipp.c
+@@ -4873,6 +4873,8 @@ copy_printer_attrs(
+   * and document-format attributes that may be provided by the client.
+   */
+ 
+  _cupsRWLockRead(&printer->lock);
+
+   curtime = time(NULL);
+ 
+   if (!ra || cupsArrayFind(ra, "marker-change-time"))
+@@ -5034,6 +5036,8 @@ copy_printer_attrs(
+   if (printer->ppd_attrs)
+     copy_attrs(con->response, printer->ppd_attrs, ra, IPP_TAG_ZERO, 0, NULL);
+   copy_attrs(con->response, CommonData, ra, IPP_TAG_ZERO, IPP_TAG_COPY, NULL);
+
+  _cupsRWUnlock(&printer->lock);
+ }
+ 
+ 
--- a/cups-dbus_crash.patch
+++ b/cups-dbus_crash.patch
@ -1,28 +0,0 @@
-diff --git a/scheduler/ipp.c b/scheduler/ipp.c
-index 02dc392..9aa8b80 100644
--- a/scheduler/ipp.c
-+++ b/scheduler/ipp.c
-@@ -1636,6 +1636,14 @@ add_job(cupsd_client_t  *con,		/* I - Client connection */
-     return (NULL);
-   }
- 
-+  if (attr && !ippValidateAttribute(attr))
-+  {
-+    send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
-+    if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
-+      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
-+    return (NULL);
-+  }
-+
- #ifdef WITH_LSPP
-   if (is_lspp_config())
-   {
-@@ -1736,6 +1744,8 @@ add_job(cupsd_client_t  *con,		/* I - Client connection */
-   }
- #endif /* WITH_LSPP */
- 
-+
-+
-   if ((job = cupsdAddJob(priority, printer->name)) == NULL)
-   {
-     send_ipp_status(con, IPP_INTERNAL_ERROR,
--- a/cups-journal-history.patch
+++ b/cups-journal-history.patch
@ -0,0 +1,111 @@
+diff -up cups-2.2.6/scheduler/log.c.journal-history cups-2.2.6/scheduler/log.c
+--- cups-2.2.6/scheduler/log.c.journal-history	2018-06-11 16:39:09.323688006 +0200
+++ cups-2.2.6/scheduler/log.c	2018-06-11 17:08:17.393764901 +0200
+@@ -598,48 +598,17 @@ cupsdLogJob(cupsd_job_t *job,		/* I - Jo
+     return (1);
+ 
+ #ifdef HAVE_SYSTEMD_SD_JOURNAL_H
+-  if (!strcmp(ErrorLog, "syslog"))
+-  {
+-    cupsd_printer_t *printer = job ? (job->printer ? job->printer : (job->dest ? cupsdFindDest(job->dest) : NULL)) : NULL;
+-    static const char * const job_states[] =
+-    {					/* job-state strings */
+-      "Pending",
+-      "PendingHeld",
+-      "Processing",
+-      "ProcessingStopped",
+-      "Canceled",
+-      "Aborted",
+-      "Completed"
+-    };
+-
+-    va_start(ap, message);
+-
+-    do
+-    {
+-      va_copy(ap2, ap);
+-      status = format_log_line(message, ap2);
+-      va_end(ap2);
+-    }
+-    while (status == 0);
+-
+-    va_end(ap);
+-
+-    if (job)
+-      sd_journal_send("MESSAGE=%s", log_line,
+-		      "PRIORITY=%i", log_levels[level],
+-		      PWG_Event"=JobStateChanged",
+-		      PWG_ServiceURI"=%s", printer ? printer->uri : "",
+-		      PWG_JobID"=%d", job->id,
+-		      PWG_JobState"=%s", job->state_value < IPP_JSTATE_PENDING ? "" : job_states[job->state_value - IPP_JSTATE_PENDING],
+-		      PWG_JobImpressionsCompleted"=%d", ippGetInteger(job->impressions, 0),
+-		      NULL);
+-    else
+-      sd_journal_send("MESSAGE=%s", log_line,
+-		      "PRIORITY=%i", log_levels[level],
+-		      NULL);
+-
+-    return (1);
+-  }
+  cupsd_printer_t *printer = job ? (job->printer ? job->printer : (job->dest ? cupsdFindDest(job->dest) : NULL)) : NULL;
+  static const char * const job_states[] =
+  {					/* job-state strings */
+    "Pending",
+    "PendingHeld",
+    "Processing",
+    "ProcessingStopped",
+    "Canceled",
+    "Aborted",
+    "Completed"
+  };
+ #endif /* HAVE_SYSTEMD_SD_JOURNAL_H */
+ 
+  /*
+@@ -705,7 +674,29 @@ cupsdLogJob(cupsd_job_t *job,		/* I - Jo
+       return (1);
+     }
+     else if (level <= LogLevel)
+    {
+#ifdef HAVE_SYSTEMD_SD_JOURNAL_H
+      if (!strcmp(ErrorLog, "syslog"))
+      {
+        if (job)
+          sd_journal_send("MESSAGE=%s", log_line,
+    		      "PRIORITY=%i", log_levels[level],
+    		      PWG_Event"=JobStateChanged",
+    		      PWG_ServiceURI"=%s", printer ? printer->uri : "",
+    		      PWG_JobID"=%d", job->id,
+    		      PWG_JobState"=%s", job->state_value < IPP_JSTATE_PENDING ? "" : job_states[job->state_value - IPP_JSTATE_PENDING],
+    		      PWG_JobImpressionsCompleted"=%d", ippGetInteger(job->impressions, 0),
+    		      NULL);
+        else
+          sd_journal_send("MESSAGE=%s", log_line,
+    		      "PRIORITY=%i", log_levels[level],
+    		      NULL);
+    
+        return (1);
+      }
+#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */
+       return (cupsdWriteErrorLog(level, log_line));
+    }
+     else
+       return (1);
+   }
+@@ -989,7 +980,7 @@ cupsdLogPage(cupsd_job_t *job,		/* I - J
+   *bufptr = '\0';
+ 
+ #ifdef HAVE_SYSTEMD_SD_JOURNAL_H
+-  if (!strcmp(ErrorLog, "syslog"))
+  if (!strcmp(PageLog, "syslog"))
+   {
+     static const char * const job_states[] =
+     {					/* job-state strings */
+@@ -1186,7 +1177,7 @@ cupsdLogRequest(cupsd_client_t *con,	/*
+   }
+ 
+ #ifdef HAVE_SYSTEMD_SD_JOURNAL_H
+-  if (!strcmp(ErrorLog, "syslog"))
+  if (!strcmp(AccessLog, "syslog"))
+   {
+     sd_journal_print(LOG_INFO, "REQUEST %s - %s \"%s %s HTTP/%d.%d\" %d " CUPS_LLFMT " %s %s", con->http->hostname, con->username[0] != '\0' ? con->username : "-", states[con->operation], _httpEncodeURI(temp, con->uri, sizeof(temp)), con->http->version / 100, con->http->version % 100, code, CUPS_LLCAST con->bytes, con->request ? ippOpString(con->request->request.op.operation_id) : "-", con->response ? ippErrorString(con->response->request.status.status_code) : "-");
+     return (1);
--- a/cups-substitute-bad-attrs.patch
+++ b/cups-substitute-bad-attrs.patch
@ -0,0 +1,141 @@
+diff -up cups-2.2.7/scheduler/ipp.c.substitute-bad-attrs cups-2.2.7/scheduler/ipp.c
+--- cups-2.2.7/scheduler/ipp.c.substitute-bad-attrs	2018-04-03 15:55:45.974344993 +0200
+++ cups-2.2.7/scheduler/ipp.c	2018-04-03 16:15:06.723859881 +0200
+@@ -164,6 +164,7 @@ cupsdProcessIPPRequest(
+   ipp_attribute_t	*uri = NULL;	/* Printer or job URI attribute */
+   ipp_attribute_t	*username;	/* requesting-user-name attr */
+   int			sub_id;		/* Subscription ID */
+  int			valid = 1;	/* Valid request? */
+ 
+ 
+   cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdProcessIPPRequest(%p[%d]): operation_id=%04x(%s)", con, con->number, con->request->request.op.operation_id, ippOpString(con->request->request.op.operation_id));
+@@ -423,20 +424,55 @@ cupsdProcessIPPRequest(
+       else
+       {
+        /*
+-	* OK, all the checks pass so far; make sure requesting-user-name is
+-	* not "root" from a remote host...
+	* OK, all the checks pass so far; validate "requesting-user-name"
+	* attribute value...
+ 	*/
+ 
+-        if ((username = ippFindAttribute(con->request, "requesting-user-name",
+-	                                 IPP_TAG_NAME)) != NULL)
+-	{
+-	 /*
+-	  * Check for root user...
+-	  */
+-
+-	  if (!strcmp(username->values[0].string.text, "root") &&
+-	      _cups_strcasecmp(con->http->hostname, "localhost") &&
+-	      strcmp(con->username, "root"))
+        if ((username = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_ZERO)) != NULL)
+        {
+         /*
+          * Validate "requesting-user-name"...
+          */
+
+          if (username->group_tag != IPP_TAG_OPERATION && StrictConformance)
+          {
+	    cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute in wrong group.", IPP_STATUS_ERROR_BAD_REQUEST, con->http->hostname);
+	    send_ipp_status(con, IPP_STATUS_ERROR_BAD_REQUEST, _("\"requesting-user-name\" attribute in wrong group."));
+	    valid = 0;
+          }
+          else if (username->value_tag != IPP_TAG_NAME && username->value_tag != IPP_TAG_NAMELANG)
+          {
+	    cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute with wrong syntax.", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, con->http->hostname);
+	    send_ipp_status(con, IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, _("\"requesting-user-name\" attribute with wrong syntax."));
+	    if ((attr = ippCopyAttribute(con->response, username, 0)) != NULL)
+	      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+	    valid = 0;
+          }
+          else if (!ippValidateAttribute(username))
+          {
+	    cupsdAddEvent(CUPSD_EVENT_SERVER_AUDIT, NULL, NULL, "%04X %s \"requesting-user-name\" attribute with bad value.", IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, con->http->hostname);
+
+            if (StrictConformance)
+            {
+             /*
+              * Throw an error...
+              */
+
+	      send_ipp_status(con, IPP_STATUS_ERROR_ATTRIBUTES_OR_VALUES, _("\"requesting-user-name\" attribute with wrong syntax."));
+              if ((attr = ippCopyAttribute(con->response, username, 0)) != NULL)
+                attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+	      valid = 0;
+	    }
+	    else
+	    {
+	     /*
+	      * Map bad "requesting-user-name" to 'anonymous'...
+	      */
+
+              ippSetString(con->request, &username, 0, "anonymous");
+	    }
+          }
+          else if (!strcmp(username->values[0].string.text, "root") && _cups_strcasecmp(con->http->hostname, "localhost") && strcmp(con->username, "root"))
+ 	  {
+ 	   /*
+ 	    * Remote unauthenticated user masquerading as local root...
+@@ -452,6 +488,8 @@ cupsdProcessIPPRequest(
+ 	else
+ 	  sub_id = 0;
+ 
+        if (valid)
+        {
+        /*
+         * Then try processing the operation...
+ 	*/
+@@ -655,6 +693,7 @@ cupsdProcessIPPRequest(
+ 			      ippOpString(
+ 			          con->request->request.op.operation_id));
+ 	      break;
+        }
+ 	}
+       }
+     }
+@@ -1615,27 +1654,34 @@ add_job(cupsd_client_t  *con,		/* I - Cl
+                     _("Bad job-name value: Wrong type or count."));
+     if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
+       attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+-    return (NULL);
+
+    if (StrictConformance)
+      return (NULL);
+
+    /* Don't use invalid attribute */
+    ippDeleteAttribute(con->request, attr);
+
+    ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "job-name", NULL, "Untitled");
+   }
+   else if (!ippValidateAttribute(attr))
+   {
+     send_ipp_status(con, IPP_ATTRIBUTES, _("Bad job-name value: %s"),
+                     cupsLastErrorString());
+
+     if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
+       attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+-    return (NULL);
+-  }
+ 
+-  attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
+    if (StrictConformance)
+      return (NULL);
+ 
+-  if (attr && !ippValidateAttribute(attr))
+-  {
+-    send_ipp_status(con, IPP_ATTRIBUTES, _("Bad requesting-user-name value: %s"), cupsLastErrorString());
+-    if ((attr = ippCopyAttribute(con->response, attr, 0)) != NULL)
+-      attr->group_tag = IPP_TAG_UNSUPPORTED_GROUP;
+-    return (NULL);
+    /* Don't use invalid attribute */
+    ippDeleteAttribute(con->request, attr);
+
+    ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "job-name", NULL, "Untitled");
+   }
+ 
+  attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
+
+ #ifdef WITH_LSPP
+   if (is_lspp_config())
+   {
--- a/cups-systemd-socket.patch
+++ b/cups-systemd-socket.patch
@ -1,6 +1,6 @@
-diff -up cups-2.2.5/scheduler/main.c.systemd-socket cups-2.2.5/scheduler/main.c
--- cups-2.2.5/scheduler/main.c.systemd-socket	2017-10-17 18:59:53.732431498 +0200
-+++ cups-2.2.5/scheduler/main.c	2017-10-17 19:02:13.132275861 +0200
+diff -up cups-2.2.6/scheduler/main.c.systemd-socket cups-2.2.6/scheduler/main.c
+--- cups-2.2.6/scheduler/main.c.systemd-socket	2018-09-19 12:38:00.602843492 +0200
+++ cups-2.2.6/scheduler/main.c	2018-09-19 12:38:00.629843255 +0200
@@ -691,8 +691,16 @@ main(int  argc,				/* I - Number of comm
 
 #ifdef HAVE_ONDEMAND
@ -19,22 +19,21 @@ diff -up cups-2.2.5/scheduler/main.c.systemd-socket cups-2.2.5/scheduler/main.c
 #endif /* HAVE_ONDEMAND */
   if (fg)
     cupsdAddEvent(CUPSD_EVENT_SERVER_STARTED, NULL, NULL, "Scheduler started in foreground.");
-diff -up cups-2.2.5/scheduler/org.cups.cupsd.path.in.systemd-socket cups-2.2.5/scheduler/org.cups.cupsd.path.in
--- cups-2.2.5/scheduler/org.cups.cupsd.path.in.systemd-socket	2017-10-13 20:22:26.000000000 +0200
-+++ cups-2.2.5/scheduler/org.cups.cupsd.path.in	2017-10-17 18:59:53.732431498 +0200
-@@ -3,7 +3,7 @@ Description=CUPS Scheduler
- PartOf=org.cups.cupsd.service
+diff -up cups-2.2.6/scheduler/org.cups.cupsd.path.in.systemd-socket cups-2.2.6/scheduler/org.cups.cupsd.path.in
+--- cups-2.2.6/scheduler/org.cups.cupsd.path.in.systemd-socket	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/scheduler/org.cups.cupsd.path.in	2018-09-19 12:38:00.630843246 +0200
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=CUPS Scheduler
+-PartOf=org.cups.cupsd.service
+PartOf=cups.service
 
 [Path]
-PathExists=@CUPS_CACHEDIR@/org.cups.cupsd
-+PathExistsGlob=@CUPS_REQUESTS@/d*
- 
- [Install]
- WantedBy=multi-user.target
-diff -up cups-2.2.5/scheduler/org.cups.cupsd.service.in.systemd-socket cups-2.2.5/scheduler/org.cups.cupsd.service.in
--- cups-2.2.5/scheduler/org.cups.cupsd.service.in.systemd-socket	2017-10-13 20:22:26.000000000 +0200
-+++ cups-2.2.5/scheduler/org.cups.cupsd.service.in	2017-10-17 18:59:53.732431498 +0200
-@@ -1,10 +1,11 @@
+ PathExists=@CUPS_CACHEDIR@/org.cups.cupsd
+diff -up cups-2.2.6/scheduler/org.cups.cupsd.service.in.systemd-socket cups-2.2.6/scheduler/org.cups.cupsd.service.in
+--- cups-2.2.6/scheduler/org.cups.cupsd.service.in.systemd-socket	2018-09-19 12:38:00.630843246 +0200
+++ cups-2.2.6/scheduler/org.cups.cupsd.service.in	2018-09-19 12:39:39.550975966 +0200
+@@ -1,11 +1,13 @@
 [Unit]
 Description=CUPS Scheduler
 Documentation=man:cupsd(8)
@ -44,6 +43,31 @@ diff -up cups-2.2.5/scheduler/org.cups.cupsd.service.in.systemd-socket cups-2.2.
 ExecStart=@sbindir@/cupsd -l
 -Type=simple
 +Type=notify
+Restart=on-failure
 
 [Install]
- Also=org.cups.cupsd.socket org.cups.cupsd.path
+-Also=org.cups.cupsd.socket org.cups.cupsd.path
+Also=cups.socket cups.path
+ WantedBy=printer.target
+diff -up cups-2.2.6/scheduler/org.cups.cupsd.socket.in.systemd-socket cups-2.2.6/scheduler/org.cups.cupsd.socket.in
+--- cups-2.2.6/scheduler/org.cups.cupsd.socket.in.systemd-socket	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/scheduler/org.cups.cupsd.socket.in	2018-09-19 12:38:00.630843246 +0200
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=CUPS Scheduler
+-PartOf=org.cups.cupsd.service
+PartOf=cups.service
+ 
+ [Socket]
+ ListenStream=@CUPS_DEFAULT_DOMAINSOCKET@
+diff -up cups-2.2.6/scheduler/org.cups.cups-lpd.socket.systemd-socket cups-2.2.6/scheduler/org.cups.cups-lpd.socket
+--- cups-2.2.6/scheduler/org.cups.cups-lpd.socket.systemd-socket	2017-11-01 15:57:53.000000000 +0100
+++ cups-2.2.6/scheduler/org.cups.cups-lpd.socket	2018-09-19 12:38:00.630843246 +0200
+@@ -1,6 +1,6 @@
+ [Unit]
+ Description=CUPS LPD Server Socket
+-PartOf=org.cups.cups-lpd.service
+PartOf=cups-lpd.service
+ 
+ [Socket]
+ ListenStream=515
--- a/cups.spec
+++ b/cups.spec
@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.2.6
-Release: 13%{?dist}
+Release: 31%{?dist}
 License: GPLv2
 Url: http://www.cups.org/
 Source0: https://github.com/apple/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
@ -61,14 +61,33 @@ Patch35: cups-ipp-multifile.patch
 Patch36: cups-web-devices-timeout.patch
 Patch37: cups-synconclose.patch
 Patch38: cups-ypbind.patch
-Patch39: cups-moved-logs.patch
-Patch40: cups-dbus_crash.patch
+Patch39: cups-substitute-bad-attrs.patch
+# 1589593 - cupsd LogLevel ignored when logging to journald (syslog)
+Patch40: cups-journal-history.patch
+# 1607293 - CVE-2018-4180 CVE-2018-4181 CVE-2018-4182 CVE-2018-4183 cups: various flaws [fedora-all] 
+Patch41: 0001-Fix-local-privilege-escalation-to-root-and-sandbox-b.patch
+# 1613251 - Remove weak SSL/TLS ciphers from CUPS
+Patch42: 0001-Add-support-for-MinTLS-and-MaxTLS-options-Issue-5119.patch
+# 1625296 - newer cups clients fails to connect to older cups servers (<1.4)
+# from upstream issue https://github.com/apple/cups/issues/5211 - 3 patches
+Patch43: 0001-Printing-to-old-CUPS-servers-has-been-fixed-Issue-52.patch
+Patch44: 0001-Fix-additional-IPP-1.1-issues-with-cupsCopyDestInfo-.patch
+Patch45: 0001-One-more-fix-for-_cupsGetDestResource-Issue-5211.patch
+# 1621949, 1620114, 1619240 - TLS versions and options needs to be initialized all the time
+# from upstream
+Patch46: 0001-Fix-default-TLS-versions.patch
+# coverity scan fixes from upstream
+Patch47: 0001-Fix-memory-leaks-found-by-Coverity-Issue-5375.patch
+Patch48: 0001-Fix-stuck-multi-file-jobs-Issue-5359-Issue-5413.patch
+Patch49: 0001-The-scheduler-could-crash-while-adding-an-IPP-Everyw.patch
+Patch50: 0001-CVE-2018-4700-Linux-session-cookies-used-a-predictab.patch

 Patch100: cups-lspp.patch

 Requires: %{name}-filesystem = %{epoch}:%{version}-%{release}
 Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Requires: %{name}-client%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}-ipptool%{?_isa} = %{epoch}:%{version}-%{release}

 Provides: cupsddk cupsddk-drivers

@ -83,6 +102,8 @@ BuildRequires: systemd
 BuildRequires: pkgconfig(libsystemd)
 BuildRequires: pkgconfig(dbus-1)
 BuildRequires: automake
+# needed for decompressing functions for opening gzipped ppds
+BuildRequires: zlib-devel

 # gcc and gcc-c++ is no longer in buildroot by default
 # gcc for most of files
@ -264,10 +285,29 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
 %patch100 -p1 -b .lspp
 %endif

-# Move log files into journal (bug #1519331)
-%patch39 -p1 -b .moved-logs
-
-%patch40 -p1 -b .dbus_notify
+# substitute default values for invalid job attributes (upstream #5186 and #5229)
+%patch39 -p1 -b .substitute-bad-attrs
+# 1589593 - cupsd LogLevel ignored when logging to journald (syslog)
+%patch40 -p1 -b .journal-history
+# 1607293 - CVE-2018-4180 CVE-2018-4181 CVE-2018-4182 CVE-2018-4183 cups: various flaws [fedora-all]
+%patch41 -p1 -b .privilege-escalation
+# 1613251 - Remove weak SSL/TLS ciphers from CUPS
+%patch42 -p1 -b .remove-weak-ciphers
+# 1625296 - newer cups client doesn't communicate with old cups servers < 1.4,
+# 3 patches from upstream
+%patch43 -p1 -b .oldcupsservers1
+%patch44 -p1 -b .oldcupsservers2
+%patch45 -p1 -b .oldcupsservers3
+# 1621949, 1620114. 1619240 - TLS versions and options needs to be initiliazed everytime
+# part of the patch is from upstream, other is reported to upstream https://github.com/apple/cups/pull/5393
+%patch46 -p1 -b .defaulttls
+# covscan fixes from upstream
+%patch47 -p1 -b .covscan
+%patch48 -p1 -b .multifile-stuck
+# cupsd can crash when adding ipp everywhere printer
+%patch49 -p1 -b .ipp-eve-add-crash
+# 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]
+%patch50 -p1 -b .predictable-cookie

 sed -i -e '1iMaxLogSize 0' conf/cupsd.conf.in

@ -291,7 +331,7 @@ iconv -f MACINTOSH -t UTF-8 "$f"~ > "$f"
 rm -f "$f"~

 aclocal -I config-scripts
-autoconf -I config-scripts
+autoconf -f -I config-scripts

 %build
 # add Fedora specific flags to DSOFLAGS
@ -435,14 +475,24 @@ lognames=( "error_log" "access_log" "page_log" )
 message="This CUPS log has been moved into journal by default unless changes have     been made in /etc/cups/cups-files.conf. Log messages can be got by \"$ journalctl -u  cups -e\""
 for ((i=0;i<${#confignames[@]};i++));
 do
-  found=`grep -i "${confignames[i]} syslog" /etc/cups/cups-files.conf`
+  found=`%{_bindir}/grep -i "${confignames[i]} syslog" /etc/cups/cups-files.conf`
  if [ ! -z "$found" ]
  then
    if [ ! -f %{_localstatedir}/log/cups/${lognames[i]} ]
    then
      %{_bindir}/touch %{_localstatedir}/log/cups/${lognames[i]} || :
    fi
-    lastmessage=`%{_bindir}/tail -n 1 %{_localstatedir}/log/cups/${lognames[i]} | grep "$message"`
+    perms=`%{_bindir}/ls -lah %{_localstatedir}/log/cups/${lognames[i]} | %{_bindir}/grep -v -e "\-rw-------" -e "root lp"`
+    if [ ! -z "$perms" ]
+    then
+      # we need to set correct permissions and ownership because of possible
+      # security issues
+      # we need to have it here, because previous CUPS releases had the bug.
+      # Checking permissions and ownership here fixes it.
+      %{_bindir}/chown root:lp %{_localstatedir}/log/cups/${lognames[i]} || :
+      %{_bindir}/chmod 600 %{_localstatedir}/log/cups/${lognames[i]} || :
+    fi
+    lastmessage=`%{_bindir}/tail -n 1 %{_localstatedir}/log/cups/${lognames[i]} | %{_bindir}/grep "$message"`
    if [ -z "$lastmessage" ]
    then
      %{_bindir}/echo $message >> %{_localstatedir}/log/cups/${lognames[i]} || :
@ -540,15 +590,18 @@ rm -f %{cups_serverbin}/backend/smb
 %dir %{_datadir}/%{name}/www/ru
 %{_datadir}/%{name}/www/images
 %{_datadir}/%{name}/www/*.css
-%doc %{_datadir}/%{name}/www/index.html
-%doc %{_datadir}/%{name}/www/help
-%doc %{_datadir}/%{name}/www/robots.txt
-%doc %{_datadir}/%{name}/www/de/index.html
-%doc %{_datadir}/%{name}/www/es/index.html
-%doc %{_datadir}/%{name}/www/ja/index.html
-%doc %{_datadir}/%{name}/www/ru/index.html
-%doc %{_datadir}/%{name}/www/pt_BR/index.html
-%doc %{_datadir}/%{name}/www/apple-touch-icon.png
+# 1658673 - html files cannot be docs, because CUPS web ui will not have
+# introduction page on Fedora Docker image (because rpms are installed
+# without docs there because of space reasons)
+%{_datadir}/%{name}/www/index.html
+%{_datadir}/%{name}/www/help
+%{_datadir}/%{name}/www/robots.txt
+%{_datadir}/%{name}/www/de/index.html
+%{_datadir}/%{name}/www/es/index.html
+%{_datadir}/%{name}/www/ja/index.html
+%{_datadir}/%{name}/www/ru/index.html
+%{_datadir}/%{name}/www/pt_BR/index.html
+%{_datadir}/%{name}/www/apple-touch-icon.png
 %dir %{_datadir}/%{name}/usb
 %{_datadir}/%{name}/usb/org.cups.usb-quirks
 %{_unitdir}/%{name}.service
@ -659,6 +712,59 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man5/ipptoolfile.5.gz

 %changelog
+* Tue Feb 19 2019 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-31
+- automake sometimes do not generate correct macros - force it
+
+* Fri Dec 14 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-30
+- previous commit - fix for previous releases
+
+* Thu Dec 13 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-29
+- logs need to have correct permissions
+
+* Thu Dec 13 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-28
+- 1658673 - Main index.html of web interface doesn't get installed when not installing documentation
+
+* Mon Dec 10 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-27
+- 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]
+
+* Mon Dec 03 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-26
+- 1654827 - cupsd crash on startup in ippCopyAttribute
+
+* Fri Nov 09 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-25
+- 1622432 - Jobs with multiple files don't complete when backend fails
+- 1648396 - 'cupsd[998]: [CGI] Unable to execute ippfind utility: No such file or directory' in journal
+
+* Fri Sep 21 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-24
+- fixing coverity issues
+
+* Wed Sep 19 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-23
+- 1618018 - Make cups systemd unit files more upstream-like
+
+* Thu Sep 06 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-22
+- 1621949, 1620114 and 1619240 - TLS versions and options need to be initialized everytime
+
+* Thu Sep 06 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-20
+- 1625296 - cups 2.2.6 lpr command fails against old cups 1.3.9 server
+
+* Fri Aug 31 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-19
+- remove previous patch for now, it issues several connection problems - #1621949, #1620114 and #1619240
+
+* Tue Aug 07 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-18
+- 1613251 - Remove weak SSL/TLS ciphers from CUPS 
+
+* Mon Aug 06 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-17
+- 1612935 - cups doesn't restart after cupsctl command
+
+* Mon Jul 23 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-16
+- 1607293 - CVE-2018-4180 CVE-2018-4181 CVE-2018-4182 CVE-2018-4183 cups: various flaws [fedora-all]
+
+* Tue Jun 12 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-15
+- 1589593 - cupsd LogLevel ignored when logging to journald (syslog)
+- 1590123 - cups-driverd doesn't recognize static gzipped ppds 
+
+* Tue Apr 03 2018 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.2.6-14
+- substitute default values for invalid job attributes (upstream #5186 and #5229)
+
 * Thu Mar 29 2018 Pavel Zhukov <pzhukov@redhat.com> - 1:2.2.6-13
 - Use dbus fix instead of general attr delete (upstream)
Author	SHA1	Message	Date
Zdenek Dohnal	e379c2751a	automake sometimes do not generate correct macros - force it	2019-02-19 14:18:14 +01:00
Zdenek Dohnal	78742c5bec	previous commit - fix for previous releases	2018-12-14 12:45:19 +01:00
Zdenek Dohnal	98ef83e116	logs need to have correct permissions	2018-12-13 18:45:51 +01:00
Zdenek Dohnal	fa8bd39eb8	1658673 - Main index.html of web interface doesn't get installed when not installing documentation	2018-12-13 14:47:37 +01:00
Zdenek Dohnal	4bdaf3c78c	1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]	2018-12-10 16:49:01 +01:00
Zdenek Dohnal	818477f54a	1654827 - cupsd crash on startup in ippCopyAttribute	2018-12-03 12:25:17 +01:00
Zdenek Dohnal	ede8ecee72	1648396 - 'cupsd[998]: [CGI] Unable to execute ippfind utility: No such file or directory' in journal	2018-11-09 17:09:08 +01:00
Zdenek Dohnal	8efc7404d8	1622432 - Jobs with multiple files don't complete when backend fails	2018-11-09 17:07:07 +01:00
Zdenek Dohnal	f5d6636c22	fixing coverity issues	2018-09-21 10:49:14 +02:00
Zdenek Dohnal	9d9b4f1948	1618018 - Make cups systemd unit files more upstream-like	2018-09-19 12:46:39 +02:00
Zdenek Dohnal	ee75f7d599	1621949, 1620114 and 1619240 - TLS versions and options need to be initialized everytime	2018-09-06 12:25:24 +02:00
Zdenek Dohnal	8d4b6080a8	1625296 - cups 2.2.6 lpr command fails against old cups 1.3.9 server	2018-09-06 10:54:24 +02:00
Zdenek Dohnal	30b873f0fd	remove previous patch for now, it issues several connection problems - #1621949 , #1620114 and #1619240	2018-08-31 13:50:05 +02:00
Zdenek Dohnal	64d608a123	1613251 - Remove weak SSL/TLS ciphers from CUPS	2018-08-07 12:42:09 +02:00
Zdenek Dohnal	0a2acd71f7	1612935 - cups doesn't restart after cupsctl command	2018-08-06 17:21:17 +02:00
Zdenek Dohnal	529fc9e071	1607293 - CVE-2018-4180 CVE-2018-4181 CVE-2018-4182 CVE-2018-4183 cups: various flaws [fedora-all]	2018-07-23 13:47:02 +02:00
Zdenek Dohnal	7bc3c73006	1590123 - cups-driverd doesn't recognize static gzipped ppds	2018-06-12 15:44:23 +02:00
Zdenek Dohnal	c5bce140dd	1589593 - cupsd LogLevel ignored when logging to journald (syslog)	2018-06-12 15:41:41 +02:00
Zdenek Dohnal	da772b1f3a	substitute default values for invalid job attributes (upstream #5186 and #5229 )	2018-04-03 16:55:29 +02:00
Zdenek Dohnal	496ef6757c	Merge #5 `Apply proper patch`	2018-04-03 11:10:38 +00:00
Pavel Zhukov	7ce4415f7b	Apply proper patch	2018-03-29 12:49:36 +02:00