USN-2699-1: HPLIP vulnerability

Publication date

30 July 2015

Overview

HPLIP could be tricked into downloading a different GPG key when performing printer plugin installations.


Packages

  • hplip - HP Linux Printing and Imaging System (HPLIP)

Details

Enrico Zini discovered that HPLIP used a short GPG key ID when downloading
keys from the keyserver. An attacker could possibly use this to return a
different key with a duplicate short key id and perform a machine-in-the-middle
attack on printer plugin installations.

Enrico Zini discovered that HPLIP used a short GPG key ID when downloading
keys from the keyserver. An attacker could possibly use this to return a
different key with a duplicate short key id and perform a machine-in-the-middle
attack on printer plugin installations.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
15.04 vivid hplip-data –  3.15.2-0ubuntu4.2
14.04 trusty hplip-data –  3.14.3-0ubuntu3.4
12.04 precise hplip-data –  3.12.2-1ubuntu3.5

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›