diff --git a/SOURCES/cups-start-service.patch b/SOURCES/cups-start-service.patch
new file mode 100644
index 0000000..26952cf
--- /dev/null
+++ b/SOURCES/cups-start-service.patch
@@ -0,0 +1,9 @@
+diff -up cups-1.6.3/data/cups.service.in.start-service cups-1.6.3/data/cups.service.in
+--- cups-1.6.3/data/cups.service.in.start-service 2015-07-21 16:14:18.837479112 +0100
++++ cups-1.6.3/data/cups.service.in 2015-07-21 16:14:42.965396925 +0100
+@@ -8,4 +8,4 @@ PrivateTmp=true
+
+ [Install]
+ Also=cups.socket cups.path
+-WantedBy=printer.target
++WantedBy=multi-user.target printer.target
diff --git a/SOURCES/cups-str4476.patch b/SOURCES/cups-str4476.patch
new file mode 100644
index 0000000..25b76f8
--- /dev/null
+++ b/SOURCES/cups-str4476.patch
@@ -0,0 +1,504 @@
+diff -up cups-1.6.3/cups/http.c.str4476 cups-1.6.3/cups/http.c
+--- cups-1.6.3/cups/http.c.str4476 2013-06-07 02:12:52.000000000 +0100
++++ cups-1.6.3/cups/http.c 2015-06-23 14:05:39.872805417 +0100
+@@ -175,6 +175,8 @@ static int http_write_ssl(http_t *http,
+ * Local globals...
+ */
+
++static int tls_options = 0; /* Options for TLS connections */
++
+ static const char * const http_fields[] =
+ {
+ "Accept-Language",
+@@ -3722,7 +3724,10 @@ http_send(http_t *http, /* I - Con
+ if (http->encryption == HTTP_ENCRYPT_REQUIRED && !http->tls)
+ {
+ httpSetField(http, HTTP_FIELD_CONNECTION, "Upgrade");
+- httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.0,SSL/2.0,SSL/3.0");
++ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
++ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0,SSL/3.0");
++ else
++ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.1,TLS/1.0");
+ }
+ #endif /* HAVE_SSL */
+
+@@ -3959,6 +3964,10 @@ http_setup_ssl(http_t *http) /* I - Con
+ context = SSL_CTX_new(SSLv23_client_method());
+
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
++ if (!(tls_options & _HTTP_TLS_ALLOW_SSL3))
++ SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
++ if (!(tls_options & _HTTP_TLS_ALLOW_RC4))
++ SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+
+ bio = BIO_new(_httpBIOMethods());
+ BIO_ctrl(bio, BIO_C_SET_FILE_PTR, 0, (char *)http);
+@@ -4018,7 +4027,16 @@ http_setup_ssl(http_t *http) /* I - Con
+ gnutls_certificate_allocate_credentials(credentials);
+
+ gnutls_init(&http->tls, GNUTLS_CLIENT);
+- gnutls_set_default_priority(http->tls);
++ if (!tls_options)
++ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
++ else if ((tls_options & _HTTP_TLS_ALLOW_SSL3) &&
++ (tls_options & _HTTP_TLS_ALLOW_RC4))
++ gnutls_priority_set_direct(http->tls, "NORMAL", NULL);
++ else if (tls_options & _HTTP_TLS_ALLOW_SSL3)
++ gnutls_priority_set_direct(http->tls, "NORMAL:-ARCFOUR-128", NULL);
++ else
++ gnutls_priority_set_direct(http->tls, "NORMAL:-VERS-SSL3.0", NULL);
++
+ gnutls_server_name_set(http->tls, GNUTLS_NAME_DNS, hostname,
+ strlen(hostname));
+ gnutls_credentials_set(http->tls, GNUTLS_CRD_CERTIFICATE, *credentials);
+@@ -4433,7 +4451,10 @@ http_upgrade(http_t *http) /* I - Conne
+
+ httpClearFields(http);
+ httpSetField(http, HTTP_FIELD_CONNECTION, "upgrade");
+- httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0");
++ if (tls_options & _HTTP_TLS_ALLOW_SSL3)
++ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0, SSL/3.0");
++ else
++ httpSetField(http, HTTP_FIELD_UPGRADE, "TLS/1.2, TLS/1.1, TLS/1.0");
+
+ if ((ret = httpOptions(http, "*")) == 0)
+ {
+@@ -4764,6 +4785,16 @@ http_write_ssl(http_t *http, /* I -
+ }
+ #endif /* HAVE_SSL */
+
++/*
++ * '_httpTLSSetOptions()' - Set TLS/SSL options.
++ */
++
++void
++_httpTLSSetOptions(int options)
++{
++ tls_options = options;
++}
++
+
+ /*
+ * End of "$Id: http.c 7850 2008-08-20 00:07:25Z mike $".
+diff -up cups-1.6.3/cups/http-private.h.str4476 cups-1.6.3/cups/http-private.h
+--- cups-1.6.3/cups/http-private.h.str4476 2015-06-23 14:04:45.244230171 +0100
++++ cups-1.6.3/cups/http-private.h 2015-06-23 14:05:39.873805409 +0100
+@@ -140,6 +140,10 @@ extern "C" {
+ #define _HTTP_RESOLVE_FQDN 2 /* Resolve to a FQDN */
+ #define _HTTP_RESOLVE_FAXOUT 4 /* Resolve FaxOut service? */
+
++/* care - these should be the same values as the CUPSD_SSL_* equivalents */
++#define _HTTP_TLS_ALLOW_RC4 2
++#define _HTTP_TLS_ALLOW_SSL3 4
++
+
+ /*
+ * Types and functions for SSL support...
+@@ -377,6 +381,8 @@ extern const char *_httpResolveURI(const
+ extern int _httpUpdate(http_t *http, http_status_t *status);
+ extern int _httpWait(http_t *http, int msec, int usessl);
+
++extern void _httpTLSSetOptions(int options);
++
+
+ /*
+ * C++ magic...
+diff -up cups-1.6.3/cups/usersys.c.str4476 cups-1.6.3/cups/usersys.c
+--- cups-1.6.3/cups/usersys.c.str4476 2015-06-23 14:04:45.268229986 +0100
++++ cups-1.6.3/cups/usersys.c 2015-06-23 14:05:39.873805409 +0100
+@@ -72,7 +72,8 @@ static void cups_read_client_conf(cups_f
+ #endif /* HAVE_GSSAPI */
+ const char *cups_anyroot,
+ const char *cups_expiredroot,
+- const char *cups_expiredcerts);
++ const char *cups_expiredcerts,
++ int ssl_options);
+
+
+ /*
+@@ -257,6 +258,9 @@ cupsSetEncryption(http_encryption_t e) /
+ _cups_globals_t *cg = _cupsGlobals(); /* Pointer to library globals */
+
+
++ if (cg->encryption == (http_encryption_t)-1)
++ _cupsSetDefaults();
++
+ cg->encryption = e;
+
+ if (cg->http)
+@@ -823,7 +827,36 @@ _cupsSetDefaults(void)
+ if (cg->encryption == (http_encryption_t)-1 || !cg->server[0] ||
+ !cg->user[0] || !cg->ipp_port)
+ {
++ /*
++ * Look for CUPS_SERVERROOT/client.conf...
++ */
++
++ snprintf(filename, sizeof(filename), "%s/client.conf",
++ cg->cups_serverroot);
++ fp = cupsFileOpen(filename, "r");
++
++ /*
++ * Read the configuration file and apply any environment variables; both
++ * functions handle NULL cups_file_t pointers...
++ */
++
++ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
++#ifdef HAVE_GSSAPI
++ cups_gssservicename,
++#endif /* HAVE_GSSAPI */
++ cups_anyroot, cups_expiredroot,
++ cups_expiredcerts, 1);
++
++ /*
++ * Then user defaults, if it is safe to do so...
++ */
++
++#ifdef HAVE_GETEUID
++ if ((geteuid() == getuid() || !getuid()) && getegid() == getgid() &&
++ (home = getenv("HOME")) != NULL)
++#else
+ if ((home = getenv("HOME")) != NULL)
++#endif
+ {
+ /*
+ * Look for ~/.cups/client.conf...
+@@ -831,33 +864,20 @@ _cupsSetDefaults(void)
+
+ snprintf(filename, sizeof(filename), "%s/.cups/client.conf", home);
+ fp = cupsFileOpen(filename, "r");
+- }
+- else
+- fp = NULL;
+
+- if (!fp)
+- {
+ /*
+- * Look for CUPS_SERVERROOT/client.conf...
++ * Read the configuration file and apply any environment variables; both
++ * functions handle NULL cups_file_t pointers...
+ */
+
+- snprintf(filename, sizeof(filename), "%s/client.conf",
+- cg->cups_serverroot);
+- fp = cupsFileOpen(filename, "r");
+- }
+-
+- /*
+- * Read the configuration file and apply any environment variables; both
+- * functions handle NULL cups_file_t pointers...
+- */
+-
+- cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
++ cups_read_client_conf(fp, cg, cups_encryption, cups_server, cups_user,
+ #ifdef HAVE_GSSAPI
+- cups_gssservicename,
++ cups_gssservicename,
+ #endif /* HAVE_GSSAPI */
+- cups_anyroot, cups_expiredroot,
+- cups_expiredcerts);
+- cupsFileClose(fp);
++ cups_anyroot, cups_expiredroot,
++ cups_expiredcerts, 0);
++ cupsFileClose(fp);
++ }
+ }
+ }
+
+@@ -879,7 +899,8 @@ cups_read_client_conf(
+ #endif /* HAVE_GSSAPI */
+ const char *cups_anyroot, /* I - CUPS_ANYROOT env var */
+ const char *cups_expiredroot, /* I - CUPS_EXPIREDROOT env var */
+- const char *cups_expiredcerts) /* I - CUPS_EXPIREDCERTS env var */
++ const char *cups_expiredcerts, /* I - CUPS_EXPIREDCERTS env var */
++ int ssl_options) /* I - Allow setting of SSLOptions? */
+ {
+ int linenum; /* Current line number */
+ char line[1024], /* Line from file */
+@@ -952,6 +973,43 @@ cups_read_client_conf(
+ cups_gssservicename = gss_service_name;
+ }
+ #endif /* HAVE_GSSAPI */
++ else if (ssl_options && !_cups_strcasecmp(line, "SSLOptions") && value)
++ {
++ /*
++ * SSLOptions [AllowRC4] [AllowSSL3] [None]
++ */
++
++ int options = 0; /* SSL/TLS options */
++ char *start, /* Start of option */
++ *end; /* End of option */
++
++ for (start = value; *start; start = end)
++ {
++ /*
++ * Find end of keyword...
++ */
++
++ end = start;
++ while (*end && !_cups_isspace(*end))
++ end++;
++
++ if (*end)
++ *end++ = '\0';
++
++ /*
++ * Compare...
++ */
++
++ if (!_cups_strcasecmp(start, "AllowRC4"))
++ options |= _HTTP_TLS_ALLOW_RC4;
++ else if (!_cups_strcasecmp(start, "AllowSSL3"))
++ options |= _HTTP_TLS_ALLOW_SSL3;
++ else if (!_cups_strcasecmp(start, "None"))
++ options = 0;
++ }
++
++ _httpTLSSetOptions(options);
++ }
+ }
+
+ /*
+diff -up cups-1.6.3/doc/help/ref-client-conf.html.str4476 cups-1.6.3/doc/help/ref-client-conf.html
+--- cups-1.6.3/doc/help/ref-client-conf.html.str4476 2013-06-25 15:38:12.000000000 +0100
++++ cups-1.6.3/doc/help/ref-client-conf.html 2015-06-23 14:05:39.873805409 +0100
+@@ -76,6 +76,26 @@ present, only the last one is used. This
+
+
+
++
++
++Examples
++
++
++SSLOptions None
++SSLOptions AllowSSL3
++SSLOptions AllowRC4
++
++
++Description
++
++Sets encryption options (only in /etc/cups/client.conf). By
++default, CUPS only supports encryption using TLS v1.0 or higher using
++known secure cipher suites. The AllowRC4 option enables the
++128-bit RC4 cipher suites, which are required for some older clients
++that do not implement newer ones. The AllowSSL3 option enables
++SSL v3.0, which is required for some older clients that do not support
++TLS v1.0.
++
+ CUPS 1.6/OS X 10.8User
+
+ Examples
+diff -up cups-1.6.3/doc/help/ref-cupsd-conf.html.in.str4476 cups-1.6.3/doc/help/ref-cupsd-conf.html.in
+--- cups-1.6.3/doc/help/ref-cupsd-conf.html.in.str4476 2013-05-10 17:52:10.000000000 +0100
++++ cups-1.6.3/doc/help/ref-cupsd-conf.html.in 2015-06-23 14:05:39.873805409 +0100
+@@ -2011,23 +2011,23 @@ SetEnv MY_ENV_VAR foo
+ variable that should be passed to child processes.
+
+
+-
++
+
+ Examples
+
+
+-SSLListen 127.0.0.1:443
+-SSLListen 192.0.2.1:443
++SSLOptions 127.0.0.1:443
++SSLOptions 192.0.2.1:443
+
+
+ Description
+
+-The SSLListen
directive specifies a network
++
The SSLOptions
directive specifies a network
+ address and port to listen for secure connections. Multiple
+-SSLListen
directives can be provided to listen on
++SSLOptions
directives can be provided to listen on
+ multiple addresses.
+
+-The SSLListen
directive is similar to the The SSLOptions
directive is similar to the SSLPort
directive but allows you
+ to restrict access to specific interfaces or networks.
+
+@@ -2039,15 +2039,22 @@ to restrict access to specific interface
+
+ SSLOptions None
+ SSLOptions NoEmptyFragments
++SSLOptions AllowSSL3
++SSLOptions AllowRC4
+
+
+ Description
+
+ The SSLOptions
directive specifies additional SSL/TLS
+-protocol options to use for encrypted connected. Currently only two
+-options are supported - None
(the default) for the most
+-secure mode and NoEmptyFragments
to allow CUPS to work with
+-Microsoft Windows with the FIPS conformance mode enabled.
++protocol options to use for encrypted connected. By default, CUPS only
++supports encryption using TLS v1.0 or higher using known secure cipher
++suites. The NoEmptyFragments
option allows CUPS to work
++with Microsoft Windows with the FIPS conformance mode
++enabled. The AllowRC4
option enables the 128-bit RC4
++cipher suites, which are required for some older clients that do not
++implement newer ones. The AllowSSL3
option enables SSL
++v3.0, which is required for some older clients that do not support TLS
++v1.0.
+
+
+
+diff -up cups-1.6.3/man/client.conf.man.in.str4476 cups-1.6.3/man/client.conf.man.in
+--- cups-1.6.3/man/client.conf.man.in.str4476 2013-06-25 15:38:12.000000000 +0100
++++ cups-1.6.3/man/client.conf.man.in 2015-06-23 14:05:39.874805401 +0100
+@@ -53,6 +53,15 @@ Specifies the address and optionally the
+ server running CUPS 1.3.12 and earlier. \fBNote: Not supported on OS X 10.7 or
+ later.\fR
+ .TP 5
++SSLOptions \fR[\fIAllowRC4\fR] [\fIAllow SSL3\fR]
++.br
++Sets SSL/TLS protocol options for encrypted connections. By default,
++CUPS only supports encryption using TLS v1.0 or higher using known
++secure cipher suites. The \fIAllowRC4\fR option enables the 128-bit
++RC4 cipher suites, which are required for some older clients that do
++not implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
++which is required for some older clients that do not support TLS v1.0.
++.TP 5
+ User name
+ .br
+ Specifies the default user name to use for requests.
+diff -up cups-1.6.3/man/cupsd.conf.man.in.str4476 cups-1.6.3/man/cupsd.conf.man.in
+--- cups-1.6.3/man/cupsd.conf.man.in.str4476 2015-06-23 14:04:45.278229909 +0100
++++ cups-1.6.3/man/cupsd.conf.man.in 2015-06-23 14:05:39.874805401 +0100
+@@ -480,9 +480,16 @@ Listens on the specified address and por
+ .TP 5
+ SSLOptions None
+ .TP 5
+-SSLOptions NoEmptyFragments
++SSLOptions \fR[\fINoEmptyFragments\fR] [\fIAllowRC4\fR] [\fIAllow SSL3\fR]
+ .br
+-Sets SSL/TLS protocol options for encrypted connections.
++Sets SSL/TLS protocol options for encrypted connections. By default,
++CUPS only supports encryption using TLS v1.0 or higher using known
++secure cipher suites. The \fINoEmptyFragments\fR option allows CUPS to
++work with Microsoft Windows with the FIPS conformance mode
++enabled. The \fIAllowRC4\fR option enables the 128-bit RC4 cipher
++suites, which are required for some older clients that do not
++implement newer ones. The \fIAllowSSL3\fR option enables SSL v3.0,
++which is required for some older clients that do not support TLS v1.0.
+ .TP 5
+ SSLPort
+ .br
+diff -up cups-1.6.3/scheduler/conf.c.str4476 cups-1.6.3/scheduler/conf.c
+--- cups-1.6.3/scheduler/conf.c.str4476 2015-06-23 14:04:45.298229754 +0100
++++ cups-1.6.3/scheduler/conf.c 2015-06-23 14:05:39.874805401 +0100
+@@ -3361,17 +3361,54 @@ read_cupsd_conf(cups_file_t *fp) /* I -
+ else if (!_cups_strcasecmp(line, "SSLOptions"))
+ {
+ /*
++ * SSLOptions [AllowRC4] [AllowSSL3] [NoEmptyFragments] [None]
++ */
++
++ int options = 0; /* SSL/TLS options */
++
++ /*
+ * SSLOptions options
+ */
+
+- if (!value || !_cups_strcasecmp(value, "none"))
+- SSLOptions = CUPSD_SSL_NONE;
+- else if (!_cups_strcasecmp(value, "noemptyfragments"))
+- SSLOptions = CUPSD_SSL_NOEMPTY;
+- else
+- cupsdLogMessage(CUPSD_LOG_ERROR,
+- "Unknown value \"%s\" for SSLOptions directive on "
+- "line %d.", value, linenum);
++ if (value)
++ {
++ char *start, /* Start of option */
++ *end; /* End of option */
++
++ for (start = value; *start; start = end)
++ {
++ /*
++ * Find end of keyword...
++ */
++
++ end = start;
++ while (*end && !_cups_isspace(*end))
++ end++;
++
++ if (*end)
++ *end++ = '\0';
++
++ /*
++ * Compare...
++ */
++
++ if (!_cups_strcasecmp(start, "NoEmptyFragments"))
++ options |= CUPSD_SSL_NOEMPTY;
++ else if (!_cups_strcasecmp(start, "AllowRC4"))
++ options |= CUPSD_SSL_ALLOW_RC4;
++ else if (!_cups_strcasecmp(start, "AllowSSL3"))
++ options |= CUPSD_SSL_ALLOW_SSL3;
++ else if (!_cups_strcasecmp(start, "None"))
++ options = 0;
++ else
++ cupsdLogMessage(CUPSD_LOG_ERROR,
++ "Unknown value \"%s\" for SSLOptions directive on "
++ "line %d.", start, linenum);
++ }
++ }
++
++ SSLOptions = options;
++ _httpTLSSetOptions (SSLOptions & ~CUPSD_SSL_NOEMPTY);
+ }
+ #endif /* HAVE_SSL */
+ else if (!_cups_strcasecmp(line, "AccessLog") ||
+diff -up cups-1.6.3/scheduler/conf.h.str4476 cups-1.6.3/scheduler/conf.h
+--- cups-1.6.3/scheduler/conf.h.str4476 2015-06-23 14:04:45.298229754 +0100
++++ cups-1.6.3/scheduler/conf.h 2015-06-23 14:05:39.874805401 +0100
+@@ -78,6 +78,8 @@ typedef enum
+
+ #define CUPSD_SSL_NONE 0 /* No special options */
+ #define CUPSD_SSL_NOEMPTY 1 /* Do not insert empty fragments */
++#define CUPSD_SSL_ALLOW_RC4 2 /* Allow RC4 cipher suites */
++#define CUPSD_SSL_ALLOW_SSL3 4 /* Allow SSL 3.0 */
+
+
+ /*
+diff -up cups-1.6.3/scheduler/tls-gnutls.c.str4476 cups-1.6.3/scheduler/tls-gnutls.c
+--- cups-1.6.3/scheduler/tls-gnutls.c.str4476 2013-06-07 02:12:52.000000000 +0100
++++ cups-1.6.3/scheduler/tls-gnutls.c 2015-06-23 14:05:39.874805401 +0100
+@@ -114,7 +114,15 @@ cupsdStartTLS(cupsd_client_t *con) /* I
+ ServerKey, GNUTLS_X509_FMT_PEM);
+
+ gnutls_init(&con->http.tls, GNUTLS_SERVER);
+- gnutls_set_default_priority(con->http.tls);
++ if (!SSLOptions)
++ gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128:-VERS-SSL3.0", NULL);
++ else if ((SSLOptions & CUPSD_SSL_ALLOW_SSL3) &&
++ (SSLOptions & CUPSD_SSL_ALLOW_RC4))
++ gnutls_priority_set_direct(con->http.tls, "NORMAL", NULL);
++ else if (SSLOptions & CUPSD_SSL_ALLOW_SSL3)
++ gnutls_priority_set_direct(con->http.tls, "NORMAL:-ARCFOUR-128", NULL);
++ else
++ gnutls_priority_set_direct(con->http.tls, "NORMAL:-VERS-SSL3.0", NULL);
+
+ gnutls_credentials_set(con->http.tls, GNUTLS_CRD_CERTIFICATE, *credentials);
+ gnutls_transport_set_ptr(con->http.tls, (gnutls_transport_ptr)HTTP(con));
+diff -up cups-1.6.3/scheduler/tls-openssl.c.str4476 cups-1.6.3/scheduler/tls-openssl.c
+--- cups-1.6.3/scheduler/tls-openssl.c.str4476 2013-06-07 02:12:52.000000000 +0100
++++ cups-1.6.3/scheduler/tls-openssl.c 2015-06-23 14:05:39.875805393 +0100
+@@ -107,6 +107,10 @@ cupsdStartTLS(cupsd_client_t *con) /* I
+ SSL_CTX_set_options(context, SSL_OP_NO_SSLv2); /* Only use SSLv3 or TLS */
+ if (SSLOptions & CUPSD_SSL_NOEMPTY)
+ SSL_CTX_set_options(context, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
++ if (!(SSLOptions & CUPSD_SSL_ALLOW_SSL3))
++ SSL_CTX_set_options(context, SSL_OP_NO_SSLv3); /* Don't use SSLv3 */
++ if (!(SSLOptions & CUPSD_SSL_ALLOW_RC4))
++ SSL_CTX_set_cipher_list(context, "DEFAULT:-RC4");
+ SSL_CTX_use_PrivateKey_file(context, ServerKey, SSL_FILETYPE_PEM);
+ SSL_CTX_use_certificate_chain_file(context, ServerCertificate);
+
diff --git a/SOURCES/cups-str4591.patch b/SOURCES/cups-str4591.patch
new file mode 100644
index 0000000..69bd762
--- /dev/null
+++ b/SOURCES/cups-str4591.patch
@@ -0,0 +1,56 @@
+diff -up cups-1.6.3/scheduler/conf.c.str4591 cups-1.6.3/scheduler/conf.c
+--- cups-1.6.3/scheduler/conf.c.str4591 2015-06-23 14:05:39.874805401 +0100
++++ cups-1.6.3/scheduler/conf.c 2015-06-23 14:10:38.364395201 +0100
+@@ -1245,6 +1245,19 @@ cupsdReadConfiguration(void)
+
+ cupsdUpdateEnv();
+
++ /*
++ * Validate the default error policy...
++ */
++
++ if (strcmp(ErrorPolicy, "retry-current-job") &&
++ strcmp(ErrorPolicy, "abort-job") &&
++ strcmp(ErrorPolicy, "retry-job") &&
++ strcmp(ErrorPolicy, "stop-printer"))
++ {
++ cupsdLogMessage(CUPSD_LOG_ALERT, "Invalid ErrorPolicy \"%s\", resetting to \"stop-printer\".", ErrorPolicy);
++ cupsdSetString(&ErrorPolicy, "stop-printer");
++ }
++
+ /*
+ * Update default paper size setting as needed...
+ */
+diff -up cups-1.6.3/scheduler/printers.c.str4591 cups-1.6.3/scheduler/printers.c
+--- cups-1.6.3/scheduler/printers.c.str4591 2015-06-23 14:04:45.301229731 +0100
++++ cups-1.6.3/scheduler/printers.c 2015-06-23 14:10:52.717276314 +0100
+@@ -3,7 +3,7 @@
+ *
+ * Printer routines for the CUPS scheduler.
+ *
+- * Copyright 2007-2012 by Apple Inc.
++ * Copyright 2007-2015 by Apple Inc.
+ * Copyright 1997-2007 by Easy Software Products, all rights reserved.
+ *
+ * These coded instructions, statements, and computer programs are the
+@@ -1303,10 +1303,17 @@ cupsdLoadAllPrinters(void)
+ else if (!_cups_strcasecmp(line, "ErrorPolicy"))
+ {
+ if (value)
+- cupsdSetString(&p->error_policy, value);
++ {
++ if (strcmp(value, "retry-current-job") &&
++ strcmp(value, "abort-job") &&
++ strcmp(value, "retry-job") &&
++ strcmp(value, "stop-printer"))
++ cupsdLogMessage(CUPSD_LOG_ALERT, "Invalid ErrorPolicy \"%s\" on line %d or printers.conf.", ErrorPolicy, linenum);
++ else
++ cupsdSetString(&p->error_policy, value);
++ }
+ else
+- cupsdLogMessage(CUPSD_LOG_ERROR,
+- "Syntax error on line %d of printers.conf.", linenum);
++ cupsdLogMessage(CUPSD_LOG_ERROR, "Syntax error on line %d of printers.conf.", linenum);
+ }
+ else if (!_cups_strcasecmp(line, "Attribute") && value)
+ {
diff --git a/SOURCES/cups-str4646.patch b/SOURCES/cups-str4646.patch
new file mode 100644
index 0000000..b0f15c3
--- /dev/null
+++ b/SOURCES/cups-str4646.patch
@@ -0,0 +1,13 @@
+diff -up cups-1.6.3/scheduler/job.c.str4646 cups-1.6.3/scheduler/job.c
+--- cups-1.6.3/scheduler/job.c.str4646 2015-06-29 10:03:10.922536717 +0100
++++ cups-1.6.3/scheduler/job.c 2015-06-29 10:03:16.930638827 +0100
+@@ -456,7 +456,9 @@ cupsdCheckJobs(void)
+ * Start the job...
+ */
+
++ cupsArraySave(ActiveJobs);
+ start_job(job, printer);
++ cupsArrayRestore(ActiveJobs);
+ }
+ }
+ }
diff --git a/SOURCES/cups-str4648.patch b/SOURCES/cups-str4648.patch
new file mode 100644
index 0000000..0072bae
--- /dev/null
+++ b/SOURCES/cups-str4648.patch
@@ -0,0 +1,61 @@
+diff -up cups-1.6.3/scheduler/ipp.c.str4648 cups-1.6.3/scheduler/ipp.c
+--- cups-1.6.3/scheduler/ipp.c.str4648 2015-07-08 10:24:31.389942557 +0100
++++ cups-1.6.3/scheduler/ipp.c 2015-07-08 10:24:51.042104284 +0100
+@@ -3392,6 +3392,8 @@ cancel_all_jobs(cupsd_client_t *con, /*
+ }
+
+ con->response->request.status.status_code = IPP_OK;
++
++ cupsdCheckJobs();
+ }
+
+
+diff -up cups-1.6.3/scheduler/job.c.str4648 cups-1.6.3/scheduler/job.c
+--- cups-1.6.3/scheduler/job.c.str4648 2015-07-08 10:24:31.399942636 +0100
++++ cups-1.6.3/scheduler/job.c 2015-07-08 10:24:51.043104293 +0100
+@@ -267,8 +267,6 @@ cupsdCancelJobs(const char *dest, /* I -
+ "Job canceled by user.");
+ }
+ }
+-
+- cupsdCheckJobs();
+ }
+
+
+@@ -3488,13 +3486,6 @@ finalize_job(cupsd_job_t *job, /* I - J
+
+ job->printer->job = NULL;
+ job->printer = NULL;
+-
+- /*
+- * Try printing another job...
+- */
+-
+- if (printer_state != IPP_PRINTER_STOPPED)
+- cupsdCheckJobs();
+ }
+
+
+@@ -4744,6 +4735,8 @@ update_job(cupsd_job_t *job) /* I - Job
+ *ptr; /* Pointer update... */
+ int loglevel, /* Log level for message */
+ event = 0; /* Events? */
++ cupsd_printer_t *printer = job->printer;
++ /* Printer */
+ static const char * const levels[] = /* Log levels */
+ {
+ "NONE",
+@@ -5063,10 +5056,11 @@ update_job(cupsd_job_t *job) /* I - Job
+ finalize_job(job, 1);
+
+ /*
+- * Check for new jobs...
++ * Try printing another job...
+ */
+
+- cupsdCheckJobs();
++ if (printer->state != IPP_PRINTER_STOPPED)
++ cupsdCheckJobs();
+ }
+ }
+
diff --git a/SPECS/cups.spec b/SPECS/cups.spec
index bb0a912..d346be9 100644
--- a/SPECS/cups.spec
+++ b/SPECS/cups.spec
@@ -11,7 +11,7 @@ Summary: CUPS printing system
Name: cups
Epoch: 1
Version: 1.6.3
-Release: 17%{?dist}.1
+Release: 22%{?dist}
License: GPLv2
Group: System Environment/Daemons
Url: http://www.cups.org/
@@ -85,6 +85,11 @@ Patch54: cups-str4475.patch
Patch55: cups-failover-backend.patch
Patch56: cups-str4609.patch
Patch57: cups-str4551.patch
+Patch58: cups-str4476.patch
+Patch59: cups-str4591.patch
+Patch60: cups-str4646.patch
+Patch61: cups-str4648.patch
+Patch62: cups-start-service.patch
Patch100: cups-lspp.patch
@@ -330,10 +335,20 @@ Sends IPP requests to the specified URI and tests and/or displays the results.
%patch55 -p1 -b .failover-backend
# Improper Update of Reference Count -- CVE-2015-1158
# Cross-Site Scripting -- CVE-2015-1159
-# (bug #1229984)
+# (bug #1229985)
%patch56 -p1 -b .str4609
-# cupsRasterReadPixels buffer overflow -- CVE-2014-9679 (bug #1229984).
+# cupsRasterReadPixels buffer overflow -- CVE-2014-9679 (bug #1229985).
%patch57 -p1 -b .str4551
+# Don't use SSLv3 by default (bug #1161172, STR #4476).
+%patch58 -p1 -b .str4476
+# Validate ErrorPolicy in configuration (bug #1196218, STR #4591).
+%patch59 -p1 -b .str4591
+# Fix slow resume of jobs after restart (bug #1233006, STR #4646).
+%patch60 -p1 -b .str4646
+# Don't start jobs while cancelling others (bug #1233002, STR #4648).
+%patch61 -p1 -b .str4648
+# Start cups.service in multi-user target by default (bug #1236184).
+%patch62 -p1 -b .start-service
%if %lspp
# LSPP support.
@@ -479,14 +494,14 @@ for keyword in AccessLog CacheDir ConfigFilePerm \
RemoteRoot RequestRoot ServerBin ServerCertificate \
ServerKey ServerRoot SMBConfigFile StateDir \
SystemGroup SystemGroupAuthKey TempDir User; do
- if ! [ -f "$IN" ] || ! /bin/grep -iq ^$keyword "$IN"; then continue; fi
+ if ! [ -f "$IN" ] || ! /bin/grep -wiq ^$keyword "$IN"; then continue; fi
copy=yes
- if /bin/grep -iq ^$keyword "$OUT"; then
- if [ "`/bin/grep -i ^$keyword "$IN"`" == \
- "`/bin/grep -i ^$keyword "$OUT"`" ]; then
+ if /bin/grep -wiq ^$keyword "$OUT"; then
+ if [ "`/bin/grep -wi ^$keyword "$IN"`" == \
+ "`/bin/grep -wi ^$keyword "$OUT"`" ]; then
copy=no
else
- /bin/sed -i -e "s,^$keyword,#$keyword,i" "$OUT" || :
+ /bin/sed -i -e "s,^$keyword\b,#$keyword,i" "$OUT" || :
fi
fi
if [ "$copy" == "yes" ]; then
@@ -498,11 +513,17 @@ EOF
) || :
fi
- (/bin/grep -i ^$keyword "$IN" >> "$OUT") || :
+ (/bin/grep -wi ^$keyword "$IN" >> "$OUT") || :
copiedany=yes
fi
- /bin/sed -i -e "s,^$keyword,#$keyword,i" "$IN" || :
+ /bin/sed -i -e "s,^$keyword\b,#$keyword,i" "$IN" || :
+done
+
+# Comment out mistaken move of AccessLogLevel to
+# cups-files.conf (bug #1235035).
+for keyword in AccessLogLevel PageLogFormat; do
+ /bin/sed -i -e "s,^$keyword\b,#$keyword,i" "$OUT" || :
done
exit 0
@@ -738,8 +759,24 @@ rm -f %{cups_serverbin}/backend/smb
%{_mandir}/man5/ipptoolfile.5.gz
%changelog
-* Wed Jun 10 2015 Jiri Popelka - 1:1.6.3-17.1
-- CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug #1229984).
+* Tue Jul 21 2015 Tim Waugh - 1:1.6.3-22
+- Start cups.service in multi-user target by default (bug #1236184),
+ not just cups.socket.
+
+* Wed Jul 8 2015 Tim Waugh - 1:1.6.3-21
+- Use upstream patch for STR #4648 (bug #1233002).
+
+* Tue Jun 30 2015 Tim Waugh - 1:1.6.3-20
+- Don't start jobs while cancelling others (bug #1233002, STR #4648).
+- Fix slow resume of jobs after restart (bug #1233006, STR #4646).
+- Fixes for post-install scriptlet (bug #1235035).
+
+* Tue Jun 23 2015 Tim Waugh - 1:1.6.3-19
+- Validate ErrorPolicy in configuration (bug #1196218, STR #4591).
+- Don't use SSLv3 by default (bug #1161172, STR #4476).
+
+* Wed Jun 10 2015 Jiri Popelka - 1:1.6.3-18
+- CVE-2015-1158, CVE-2015-1159, CVE-2014-9679 (bug #1229985).
* Tue Oct 21 2014 Tim Waugh - 1:1.6.3-17
- Support for failover without load-balancing (bug #1115219).