Print Provider version 109.27.0.6568
Print Deploy server version 1.7.2336
New Features:
Introduced a new security hardening feature designed to uplift default security and provide additional layers of protection. We’ve added configuration and new defaults to make it hard for attackers to initiate a chained attack.
This includes a new security.properties file to separate the configuration of some components from the web administration interface. These include:
- Print Scripting and Device Scripting settings, such as the ability to run executables and unsafe code from scripts
- Explicit granting of permission to run external executables such as those used with custom authentication providers and other plugins
For the vast majority of customers, no action will be required after the upgrade. Please see the PaperCut MF/NG 22.1.1 upgrade checklist for more information. PO-1327
Security:
- Addressed a Path Traversal vulnerability in the Application Server and Site Server. Under specific conditions, this could potentially allow an attacker read-only access to the server’s file system. CVE-2023-31046. PO-1277
- Addressed a Cross-Site Request Forgery (CSRF) vulnerability in the Application Server which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploitation would typically involve deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes. CVE-2023-2533. PO-1366
- Introduced a security hardening layer through security.properties files, as per the New Features section above.
For more information refer to the June Security Bulletin.
Fixes:
- Fixed an issue that caused ancillary PaperCut executables including the PC-Client to crash with an error when run in some Windows environments. PO-1295
- Fixed an issue that was causing the Accessible UI for PaperCut 22.0.11 and 22.0.12 to display a blank screen after login. PO-1400
Other notes:
- If you are running v22.0.10 or later, there is NO database upgrade.