The new release 2.4.17 contains the following security fixes:
- CVE-2026-27447: The scheduler treated local user and group names as case-
insensitive. - CVE-2026-34978: The RSS notifier could write outside the scheduler's RSS
directory. - CVE-2026-34980: The scheduler did not filter control characters from option
values. - CVE-2026-34979: The scheduler did not always allocate enough memory for a
job's options string. - CVE-2026-34990: The scheduler incorrectly allowed local certificates over the
loopback interface. - CVE-2026-39314: Fixed the range check for job password strings.
- CVE-2026-39316: Fixed a printer subscription bug in the scheduler.
- CVE-2026-NNNNN: Fixed a SNMP string conversion bug in the backends.
where the last CVE number is requested from Github for several days now, the number will be corrected once we have one, but we decided to make a release to share the other fixes.
The release includes other fixes as well, listed in CHANGES.md.
Enjoy!