diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md
index 7c1cb9801a3c..b3b2af8d0778 100644
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@@ -494,6 +494,8 @@
 
 - The `xdg.portal.gtkUsePortal` option has been removed, as it had been deprecated for over 2 years. Using the `GTK_USE_PORTAL` environment variable in this manner is not intended nor encouraged by the GTK developers, but can still be done manually via `environment.sessionVariables`.
 
+- Support for the legacy CUPS browsing and LDAP have been removed from `services.printing`. If `cups` or `ldap` are in the `BrowseRemoteProtocols` setting in `services.printing.browsedConf`, it needs to be removed.
+
 - The `services.trust-dns` module has been renamed to `services.hickory-dns`.
 
 - The option `services.prometheus.exporters.pgbouncer.connectionStringFile` has been removed since
diff --git a/nixos/modules/services/printing/cupsd.nix b/nixos/modules/services/printing/cupsd.nix
index ef80ffe0ad41..a1fb0b3951e4 100644
--- a/nixos/modules/services/printing/cupsd.nix
+++ b/nixos/modules/services/printing/cupsd.nix
@@ -184,8 +184,8 @@ in
         type = types.bool;
         default = false;
         description = ''
-          Whether to open the firewall for TCP/UDP ports specified in
-          listenAdrresses option.
+          Whether to open the firewall for TCP ports specified in
+          listenAddresses option.
         '';
       };
 
@@ -493,7 +493,6 @@ in
       listenPorts = parsePorts cfg.listenAddresses;
     in mkIf cfg.openFirewall {
       allowedTCPPorts = listenPorts;
-      allowedUDPPorts = listenPorts;
     };
 
   };
diff --git a/pkgs/misc/cups/filters.nix b/pkgs/misc/cups/filters.nix
index b4a7b66c02e3..d5688d3bc351 100644
--- a/pkgs/misc/cups/filters.nix
+++ b/pkgs/misc/cups/filters.nix
@@ -18,6 +18,7 @@
 , liblouis
 , libpng
 , makeWrapper
+, autoreconfHook
 , mupdf
 , perl
 , pkg-config
@@ -53,9 +54,14 @@ stdenv.mkDerivation rec {
       url = "https://github.com/OpenPrinting/libcupsfilters/commit/95576ec3d20c109332d14672a807353cdc551018.patch";
       hash = "sha256-MXWllrdWt8n7zqvumQNg34dBgWMwMTwf9lrD+ZZP8Wk=";
     })
+    (fetchpatch {
+      name = "remove-cups-ldap-browse-protocols_CVE-2024-47176_CVE-2024-47850.patch";
+      url = "https://github.com/OpenPrinting/cups-filters/commit/6fd2bdfbdce76149af531ce9fca9062304238451.patch";
+      hash = "sha256-XS1ODy7i7ilgEjsKuEvOUiRN9pqsj+bOktKoshKcg8Q=";
+    })
   ];
 
-  nativeBuildInputs = [ pkg-config makeWrapper ];
+  nativeBuildInputs = [ pkg-config makeWrapper autoreconfHook ];
 
   buildInputs = [
     cups