[mapserver-users] MapServer 5.2.2 and 4.10.4 released with security fixes

Steve Lime Steve.Lime at dnr.state.mn.us
Thu Mar 26 22:40:02 EDT 2009


MapServer 5.2.2 and 4.10.4 have been released. (Version 5.4 will contain all of these
fixes at the start and a beta 4 release will be available in a day or so.)

The releases contain fixes for issues discovered in an audit of the CGI by a 3rd party 
(tickets #2939, #2941, #2942, #2943 and #2944). The issues are detailed at:

  http://trac.osgeo.org/mapserver/ticket/2939
  http://trac.osgeo.org/mapserver/ticket/2941
  http://trac.osgeo.org/mapserver/ticket/2942
  http://trac.osgeo.org/mapserver/ticket/2943
  http://trac.osgeo.org/mapserver/ticket/2944

Also provided is support for RFC-56 that addresses tightening up the control of 
access to mapfiles and templates:

  http://mapserver.org/development/rfc/ms-rfc-56.html

Most of these defects have been present for a number of releases and the potential
impact depends on your individual setup. Users of the mapserv CGI are strongly advised
to upgrade to the latest release. The changes do not directly affect MapScript; however,
as a result of the changes all users may have to modify their applications to upgrade.

To upgrade you must:

1 - make sure map files are well-formed, that is, the first token is MAP. Comments
can come before the MAP token.

2 - make sure symbol files are well-formed, that is, the first token is SYMBOLSET. Like
mapfiles, comments can come before the SYMBOLSET token.

3 - MapServer templates (browse and query) must now include the magic string
"MapServer Template". The string is not case sensitive but must be present in the first
line of the template or MapServer will reject it. The first line is not output with the template.

Finally, please consider using the new environment variables detailed in the RFC to further 
secure your installation.  

Upgrade tips:

In many cases items 1-3 above can be completed prior to updating your software. For templates,
you can enclose the magic string in comments appropriate to the template type (see the RFC
above for examples). The magic string will be output until you complete the upgrade, but the
browser will ignore it as a comment.
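The three well-formedness rules (first token MAP, first token SYMBOLSET, magic string on the first template line) and the tip of wrapping the magic string in a comment can all be checked before the software is touched. The script below is an added example written for this page and is not MapServer project code; it assumes that mapfiles and symbol files use '#' comments, that templates are HTML files using `<!-- -->` comments, and that files are recognised by the extensions .map, .sym and .html, none of which the announcement itself specifies.

```python
"""Pre-upgrade checker for the MapServer 5.2.2 / 4.10.4 mapfile, symbol file and
template requirements. Added example; assumptions: '#' line comments in mapfiles and
symbol files, HTML-comment templates, and .map/.sym/.html file extensions."""
import os
import tempfile

MAGIC = "mapserver template"  # compared case-insensitively, as the announcement states


def first_keyword(text):
    """Return the first token that is not blank or part of a '#' comment (None if none).
    Mapfile keywords are compared case-insensitively (assumption)."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        return stripped.split()[0].upper()
    return None


def check_mapfile(text):
    """Rule 1: first token must be MAP (comments may precede it)."""
    return first_keyword(text) == "MAP"


def check_symbolfile(text):
    """Rule 2: first token must be SYMBOLSET (comments may precede it)."""
    return first_keyword(text) == "SYMBOLSET"


def check_template(text):
    """Rule 3: the magic string must appear in the first line, any case."""
    lines = text.splitlines()
    return bool(lines) and MAGIC in lines[0].lower()


def prepare_template(text, comment_open="<!--", comment_close="-->"):
    """Prepend the magic string wrapped in a comment if the template lacks it, so the
    template works both before and after the upgrade (pre-upgrade output is a comment)."""
    if check_template(text):
        return text
    return f"{comment_open} MapServer Template {comment_close}\n{text}"


# Extension-to-check mapping is an assumption; adjust for your own naming scheme.
CHECKS = {".map": check_mapfile, ".sym": check_symbolfile, ".html": check_template}


def audit_tree(root):
    """Walk root and return {relative path: passed?} for every file with a known extension."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in CHECKS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[os.path.relpath(path, root)] = CHECKS[ext](fh.read())
    return results


# Constructed sample files, embedded so the example runs offline.
SAMPLE_MAPFILE_OK = "# demo mapfile (constructed)\nMAP\n  NAME demo\nEND\n"
SAMPLE_MAPFILE_BAD = "NAME demo\nMAP\nEND\n"          # NAME precedes MAP: rejected
SAMPLE_SYMBOLSET_OK = "# symbols\nSYMBOLSET\n  SYMBOL\n  END\nEND\n"
SAMPLE_TEMPLATE_OK = "<!-- MapServer Template -->\n<html><body>ok</body></html>\n"
SAMPLE_TEMPLATE_BAD = "<html>\n<!-- MapServer Template -->\n</html>\n"  # not on line 1


def demo_audit():
    """Write the constructed samples to a temporary directory and audit it."""
    samples = {
        "good.map": SAMPLE_MAPFILE_OK,
        "bad.map": SAMPLE_MAPFILE_BAD,
        "symbols.sym": SAMPLE_SYMBOLSET_OK,
        "good.html": SAMPLE_TEMPLATE_OK,
        "bad.html": SAMPLE_TEMPLATE_BAD,
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_tree(root)


if __name__ == "__main__":
    for path, ok in sorted(demo_audit().items()):
        print(f"{'OK  ' if ok else 'FAIL'} {path}")
```

Run it against the directory that holds your mapfiles, symbol files and templates (replace `demo_audit()` with `audit_tree("/path/to/your/files")`); every FAIL is a file that the upgraded mapserv CGI will reject. `prepare_template` fixes the template case mechanically; the mapfile and symbol file cases need a manual look at what precedes the first keyword.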

The source packages are available in the MapServer downloads page:

  http://mapserver.org/download/

and can be downloaded directly at:

  http://download.osgeo.org/mapserver/mapserver-5.2.2.tar.gz 
  http://download.osgeo.org/mapserver/mapserver-4.10.4.tar.gz

Precompiled binaries should be available shortly at the usual locations (also linked from the 
download page above).  Existing MS4W users can go to the MS4W downloads page and use 
the "MapServer version 5.2.2 Upgrade" package.

If you have questions, comments or concerns please contact me directly or send a message 
to the -dev list. Thanks to the folks at Positron Security for their assistance.

Steve
