
SUSE alert openSUSE-SU-2026:20858-1 (hplip)

From:  null@suse.de
To:  security-announce@lists.opensuse.org
Subject:  openSUSE-SU-2026:20858-1: critical: Security update for hplip
Date:  Tue, 02 Jun 2026 17:51:14 +0200
Message-ID:  <20260602155114.85A05FCE1@maintenance.suse.de>
Archive-link:  Article

openSUSE security update: security update for hplip
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20858-1
Rating: critical

References:

  * bsc#1250481
  * bsc#1257529
  * bsc#1266023
  * bsc#1266024
  * bsc#1266031

Cross-References:

  * CVE-2025-43023
  * CVE-2026-8631
  * CVE-2026-8632

CVSS scores:

  * CVE-2025-43023 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
  * CVE-2025-43023 ( SUSE ): 7.5 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  * CVE-2026-8631 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-8631 ( SUSE ): 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  * CVE-2026-8632 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-8632 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Products:

  openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 3 vulnerabilities and has 5 bug fixes can now be installed.

Description:

This update for hplip fixes the following issues:

Changes in hplip:

- Update to HPLIP 3.26.4
  * CVE-2026-8631: Fixed privilege escalation and/or arbitrary code
    execution via an integer overflow in the hpcups processing path
    (bsc#1266023)
  * CVE-2026-8632: Fixed privilege escalation and/or arbitrary code
    execution via operating system command injection (bsc#1266024)
- Add support for the following new printers:
  * HP LaserJet Pro MFP 3106sdw
  * HP LaserJet Pro MFP 3105sdw
  * HP Envy 6500e series
  * HP Envy 6500 series
  * HP OfficeJet Pro 9730 Series
  * HP OfficeJet Pro 9730e Series
  * HP OfficeJet Pro 9720 Series
  * HP OfficeJet Pro 9720e Series
  * HP OfficeJet Pro 8130e All-in-One series
  * HP OfficeJet Pro 8130 All-in-One series
  * HP OfficeJet 8130e All-in-One series
  * HP OfficeJet 8130 All-in-One series
  * HP OfficeJet Pro 8120e All-in-One series
  * HP OfficeJet Pro 8120 All-in-One series
  * HP OfficeJet 8120e All-in-One series
  * HP OfficeJet 8120 All-in-One series
  * HP DeskJet Ink Advantage ultra 5800 All-in-One Printer series
  * HP DeskJet Ink Advantage ultra 5100 All-in-One Printer series
  * HP DeskJet 4300e All-in-One Printer series
  * HP DeskJet Ink Advantage 4300 All-in-One Printer series
  * HP DeskJet 4300 All-in-One Printer series
  * HP DeskJet 2900e All-in-One Printer series
  * HP DeskJet Ink Advantage 2900 All-in-One Printer series
  * HP DeskJet 2900 All-in-One Printer series
- Update to HPLIP 3.25.8
- Added support for the following new Printers:
  * HP LaserJet Enterprise Flow MFP 8601z
  * HP LaserJet Enterprise 5501
  * HP LaserJet Enterprise MFP 5601dn
  * HP LaserJet Enterprise 6500dn
  * HP LaserJet Enterprise 5501n
  * HP LaserJet Enterprise MFP 5601
  * HP LaserJet Enterprise 6500
  * HP LaserJet Enterprise 5502dn
  * HP LaserJet Enterprise MFP 5602dn
  * HP LaserJet Enterprise 6500n
  * HP LaserJet Enterprise 5502
  * HP LaserJet Enterprise MFP 5602f
  * HP LaserJet Enterprise 6501dn
  * HP LaserJet Enterprise X50452dn
  * HP LaserJet Enterprise Flow MFP 5602zfw
  * HP LaserJet Enterprise 6501
  * HP LaserJet Enterprise X50452
  * HP LaserJet Enterprise MFP 5602
  * HP LaserJet Enterprise X60257dn
  * HP LaserJet Enterprise MFP X53052dn
  * HP LaserJet Enterprise Flow MFP X530
  * HP LaserJet Enterprise X60257
  * HP LaserJet Enterprise MFP X53052
  * HP LaserJet Enterprise X60357dn
  * HP LaserJet Enterprise X60357
  * HP LaserJet Enterprise MFP 6600dn
  * HP LaserJet Enterprise Flow MFP 6600zfw
  * HP LaserJet Enterprise MFP 6600
  * HP LaserJet Enterprise Flow MFP 6600zfsw
  * HP LaserJet Enterprise MFP X62757dn
  * HP LaserJet Enterprise Flow MFP X62757zs
  * HP LaserJet Enterprise MFP X62757
  * DEX D50452dn
  * DEX MFP D53052dn
- Fix handling of readfp() and read_file() for ConfigParser objects,
  avoiding confusing error messages (lp#2139771)
- Fix compiler warnings on SLE15
- Fix "Found No Section" error with python (lp#2095776)
- Fix PPD lookup by moving PPDs from manufacturer-PPDs/hplip-fax to
  manufacturer-PPDs/hplip/fax etc (boo#1257529)
- Move more utilities from hplip-utils to hplip-base.
  * hplip-base now contains all utilities that are not totally useless
    and can run without the Qt GUI.
- Update fix for support of new GPG key, as the key has now been
  uploaded to GPG keyservers (lp#2120738)
- This fixes CVE-2025-43023 (bsc#1266031)
- Drop dependency on cups-ppdc. It isn't necessary, as PPD generation
  on target system is done by cups-driverd.
- The old and outdated 'hpijs' driver support is finally dropped
  (the 'hpcups' driver is the default driver since 2009)
  so that there is no need for foomatic-filters (boo#1250481)
- Continue refactoring:
  * move GUI tools to "hplip-utils" subpackage
  * convert "hplip" into an empty metapackage that pulls in hplip-utils
    and all drivers / PPDs (except hpijs PPDs).
- Refactor package structure:
  * hplip: full set of utilities. Pulls in almost all subpackages to
    deliver the "traditional" hplip experience
  * hplip-base: small set of basic utilities that can be run without GUI.
    Includes hp-probe and hp-plugin
  * hplip-cups: minimal package for printing, without PPDs or setup helpers
  * hplip-sane: scanning support (unchanged)
  * hplip-driver-hpcups: hpcups.drv for generating hpcups PPDs on the fly
    (requires ppdc). The functionality of this package is similar to the
    old (misnamed) "hplip-hpijs" package.
  * hplip-driver-hpijs: hpijs.drv for generating PPDs for the deprecated
    hpijs / foomatic_rip filter. Note that this functionality was not part
    of the late hplip-hpijs package, because upstream hasn't shipped
    foomatic PPDs since hplip 3.17.11.
  * hplip-ppds-{hpcups,hpps,postscript,hpijs,fax,plugin}: static PPD files
    for different printer types. hplip-ppds-hpcups is an alternative to
    hplip-driver-hpcups.
  * libhplip0: shared library package, used by hplip-cups and hplip-sane
  * hplip-common: configuration files and directories used by all hplip
    packages.
- Other spec file changes:
  * Skip deprecated suse_update_desktop_file by default on TW
  * Don't mess with sane configuration in udev rules
  * Only the hpijs packages depend on foomatic-rip, which is only provided
    by cups-filters-1.x. The other packages can be used with cups-filters2.
  * Remove Obsoletes: for ancient predecessor packages
  * Remove outdated comments from spec file
  * Shorten package descriptions
  * Fix a couple of rpmlint issues
- Fix printer probing using avahi (lp#2120947)

Patch instructions:

To install this openSUSE security update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  - openSUSE Leap 16.0

    zypper in -t patch openSUSE-Leap-16.0-packagehub-288=1

Package List:

  - openSUSE Leap 16.0:

    hplip-3.26.4-bp160.1.1
    hplip-base-3.26.4-bp160.1.1
    hplip-common-3.26.4-bp160.1.1
    hplip-cups-3.26.4-bp160.1.1
    hplip-devel-3.26.4-bp160.1.1
    hplip-driver-hpcups-3.26.4-bp160.1.1
    hplip-ppds-fax-3.26.4-bp160.1.1
    hplip-ppds-hpcups-3.26.4-bp160.1.1
    hplip-ppds-hpps-3.26.4-bp160.1.1
    hplip-ppds-plugin-3.26.4-bp160.1.1
    hplip-ppds-postscript-3.26.4-bp160.1.1
    hplip-sane-3.26.4-bp160.1.1
    hplip-utils-3.26.4-bp160.1.1
    libhplip0-3.26.4-bp160.1.1

References:

  * https://www.suse.com/security/cve/CVE-2025-43023.html
  * https://www.suse.com/security/cve/CVE-2026-8631.html
  * https://www.suse.com/security/cve/CVE-2026-8632.html
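
A post-patch check for the package list above, as an added example that is not part of the SUSE advisory: it flags any installed hplip package whose version-release is still below the fixed 3.26.4-bp160.1.1. The function names and the sample inventory are constructed for illustration, and `sort -V` only approximates rpm's own version ordering.

```shell
#!/bin/sh
# Added example: flag hplip packages older than the fixed build in this advisory.
FIXED="3.26.4-bp160.1.1"   # version-release taken from the advisory's package list

# version_lt A B: true when A sorts strictly before B under GNU `sort -V`.
# Assumption: this approximates rpm's version comparison; it is adequate for
# the dotted version-release strings used here, not a full rpmvercmp.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# hplip_unfixed: read "name version-release" lines on stdin and print the
# name and version of every package that is still below $FIXED.
hplip_unfixed() {
    while read -r name vr; do
        [ -n "$name" ] || continue
        if version_lt "$vr" "$FIXED"; then
            printf '%s %s\n' "$name" "$vr"
        fi
    done
}

# Constructed sample inventory (not taken from a real host).
sample_inventory() {
    cat <<'EOF'
hplip-base 3.26.4-bp160.1.1
hplip-cups 3.25.8-bp160.1.1
hplip-sane 3.24.4-bp160.2.3
libhplip0 3.26.4-bp160.1.1
EOF
}

# On a real system, feed the function from rpm instead of the sample:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'hplip*' 'libhplip0' | hplip_unfixed
sample_inventory | hplip_unfixed
```

An empty result means every listed package is at or above the fixed build; any line printed names a package that still needs the update.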




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds