cups: A localhost.localdomain whitelist entry in valid_host() (CVE-2017-18190)
A localhost.localdomain whitelist entry in valid_host() in
scheduler/client.c in CUPS before 2.2.2 allows remote attackers to
IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often
resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).
(from redmine: issue id 8584, created on 2018-02-27, closed on 2018-03-05)