@BrodieOnLinux When I first heard about it, I thought "sounds like bullshit".
When liblzma or regresshion happened, we knew exactly *what* was affected and how to roll mitigations before the official patch.
Here the author went "OMG THE BIGGEST CVE EVER DISCOVERED IN LINUX" without providing any details, essentially fearmongering. To put it bluntly, childish and irresponsible.
In the end the vulnerability was in CUPS (a completely separate project from Linux, also used by Apple on macOS), and relied on port 631 being open.
Not only do most home users not have printers anymore, most RHEL-like distros like Rocky/Alma or Fedora block it by default in firewalld.
Therefore, you can:
- Change CUPS settings to disable listening on that port
- Block the port on the firewall, use localhost:631 or use SSH as a SOCKS proxy on a remote machine (i.e. a print server in the office)
- Simply disable CUPS if you don't actively need it; you can start the service when you need to print something and stop it afterwards
An actual Linux vulnerability would be something related to netfilter, bpf and so on. This is honestly just a joke (the way it was described and disclosed).
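An added example, not part of the original post: a check for the first two mitigations that reads a cupsd.conf and reports every `Listen` or `Port` directive binding port 631 beyond loopback. The function names and the embedded sample config are constructed for illustration; `/etc/cups/cupsd.conf` is assumed as the usual default path.

```shell
#!/bin/sh
# Added example: list cupsd.conf Listen/Port directives that bind beyond loopback.
# Prints "line_no: directive" per exposed listener; prints nothing if all are local.
cups_exposed_listeners() {
    conf="${1:-/etc/cups/cupsd.conf}"   # assumed default path
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            d = tolower($1)
            if (d == "port") {                    # "Port N" binds every interface
                print NR ": " $1 " " $2
            } else if (d == "listen") {
                a = tolower($2)
                if (a ~ /^\//) next               # UNIX domain socket, local only
                if (a ~ /^(localhost|127\.[0-9.]+|\[::1\])(:[0-9]+)?$/) next
                print NR ": " $1 " " $2           # anything else is reachable remotely
            }
        }
    ' "$conf"
}

# Exit status 0 when nothing is exposed, non-zero otherwise.
cups_is_loopback_only() {
    [ -z "$(cups_exposed_listeners "$1")" ]
}

# Constructed sample config so the script runs without CUPS installed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host's config
Listen localhost:631
Listen /run/cups/cups.sock
Listen 0.0.0.0:631
Port 631
EOF
cups_exposed_listeners "$sample"
rm -f "$sample"
```

On a real host, call `cups_exposed_listeners` with no argument; an empty result means cupsd is configured for loopback and socket access only, which is separate from whatever the firewall allows.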