<div dir="ltr"><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><font face="arial, sans-serif">The MapServer team is pleased (kinda) to announce the 7.6.3 security and maintenance release.<br></font></pre><pre style="white-space:pre-wrap;color:rgb(0,0,0)"><pre style="white-space:pre-wrap"><font face="arial, sans-serif">Importantly, this release addresses a flaw, discovered by project developers, in MapServer CGI mapfile loading that makes it possible to bypass security controls (ticket #6313). This flaw makes it difficult to easily limit where MapServer can load a mapfile from and affects versions 4.10 and later. This is a critical issue and all users are encouraged to update as soon as possible.</font></pre><pre style="white-space:pre-wrap"><p style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;color:rgb(36,41,46);white-space:normal"><font face="arial, sans-serif">What does this mean for you?</font></p><p style="box-sizing:border-box;margin-top:0px;margin-bottom:16px;color:rgb(36,41,46);white-space:normal"></p><ol><li><font face="arial, sans-serif">If you've not used MS_MAP_PATTERN or MS_MAP_NO_PATH as part of securing your installation then this doesn't have much impact since you're not using the controls. That said, this is a critical configuration step and you should upgrade and make use of those controls to limit where mapfiles can be accessed.</font></li><li><font face="arial, sans-serif">If you've relied on MS_MAP_PATTERN exclusively, you should upgrade and be in good shape. However, it's a great time to review and test MS_MAP_PATTERN.</font></li><li><font face="arial, sans-serif">If you've relied on MS_MAP_NO_PATH primarily (like me), you should upgrade and set a value for MS_MAP_PATTERN.</font></li></ol><div><font face="arial, sans-serif">We are simultaneously releasing versions 7.0.8, 7.2.3 and 7.4.5 as well. Updates to binary distributions will follow ASAP.</font></div><p></p></pre><pre style="white-space:pre-wrap"><font face="arial, sans-serif">For the list of additional changes see the Changelog at <a href="https://mapserver.org/development/changelog/changelog-7-6.html">https://mapserver.org/development/changelog/changelog-7-6.html</a>
Or head to Download at <a href="https://mapserver.org/download.html">https://mapserver.org/download.html</a>
For those wanting searchable offline documentation, the updated PDF is available at <a href="https://download.osgeo.org/mapserver/docs/MapServer.pdf">https://download.osgeo.org/mapserver/docs/MapServer.pdf</a></font></pre><pre style="white-space:pre-wrap"><font face="arial, sans-serif">--
The MapServer Team</font></pre>
</pre></div>