[OSGeo-Discuss] MapServer 6.0.1, 5.6.7 and 4.10.7 releases with security fixes
Daniel Morissette
dmorissette at mapgears.com
Wed Jul 13 08:39:30 PDT 2011
The MapServer team announces the release of MapServer versions 6.0.1,
5.6.7 and 4.10.7.
No new functionality has been added. 6.0.1 is a maintence release that
fixes a few issues including recently discovered security
vulnerabilities. The list of fixes since 6.0.0 is included at the end of
this message.
Versions 5.6.7 and 4.10.7 include fixes for the security vulnerabilities
described below plus a few bug fixes that may have occurred since the
last official release. See the respective HISTORY.TXT files for
additional information.
IMPORTANT SECURITY FIXES:
-------------------------
MapServer developers have discovered flaws in the OGC filter support in
MapServer. That code is used in support of WFS, WMS-SLD and SOS
specifications.
All versions may be susceptible to SQL injection under certain
circumstances. The extent of the vulnerability depends on the MapServer
version, relational database and mapfile configuration being used. All
users are ** strongly encouraged ** to upgrade to these latest releases.
The 5.6.7 and 4.10.7 releases also address one significant potentially
exploitable buffer overflow (6.0 branch is not vulneralble).
These fixes do not affect the functionality of MapServer and no changes
will be necessary for configurations/applications using the same base
branch (e.g. 5.6).
Even though we release 6.0.1, 5.6.7 and 4.10.7 today, these security
fixes have also been backported to all stable branches (going back to
4.10) in MapServer's Subversion (SVN) source code repository, so if you
work from source and would like to patch your local MapServer source
tree, the changeset (i.e. patch file) for each stable release can be
obtained through the following Trac ticket:
- http://trac.osgeo.org/mapserver/ticket/3903
Special thanks to Even Rouault for his work identifying the issues and
the subsequent patching and testing he did.
Source and binary downloads:
----------------------------
The source code is available at:
http://mapserver.org/download.html
The binary distributions listed in the download page should be updated
with binaries for the new 6.0.1 release (and in some cases 5.6.7) in the
next few hours, if not already done.
We have also submitted security patches to the Ubuntu and Debian
supported distributions that are in the process of being reviewed.
The MapServer Team
Version 6.0.1 (2011-07-12):
---------------------------
IMPORTANT SECURITY FIXES:
- Fixes to prevent SQL injections through OGC filter encoding (in WMS, WFS
and SOS), as well as a potential SQL injection in WMS time support.
Your system may be vulnerable if it has MapServer with OGC protocols
enabled, with layers connecting to an SQL RDBMS backend, either
natively or via OGR (#3903)
- Applied patch for ticket (symbol writing issues) (#3589)
- Fix performance issue with Oracle and scrollable cursors (#3905)
- Fix attribute binding for layer styles (#3941)
- Added missing fclose() when writing query files (#3943)
- Fix double-free in msAddImageSymbol() when filename is a http resource
(#3939)
- Fix rendering of lines with outlinewidth set if not on first style (#3935)
- Added writing of cluster object when saving map. Also improved handling of
cluster parsing errors (#3934)
- Fix for the cluster processing if the shape bounds doesn't overlap
with the given extent (#3913)
- OGC Filter: fix segfault when a ows_varname_type or wfs_varname_type is
defined but not a gml_varname_type (#3902)
- Fix regression of MapServer 6.0.0 when specifying a time range in WMS time
requests on a Postgis layer (#3909)
- Fixed order of metadata lookup for WMS GML GetFeatureInfo. 'ows' should
come last, not first (#3636).
- Fixed mssql2008 to return correct geometries with chart layer type (#3894)
- Write SYMBOLSET/END tags when saving a symbol file (#3885)
- Make java threadtests work again (#3887)
- Fix segfault on malformed <PropertyIsLike> filters (#3888)
- Fixed the query handling problem with the Oracle spatial driver (#3878)
- Fixed potential crash with AVERAGE resampling and crazy reprojection
(#3886)
- Fix for the warnings in mapunion.c (#3880)
- Fixed the build problem in mapunion.c (#3877)
- Union layer: Fixed the crash when styling source layers using
attributes (#3870)
- Improve rangeset item checking so that Bands=1,2,3 is supported with
WCS 1.0
(#3919).
- Fix GetMapserverUnitUsingProj() for proj=latlong (#3883)
More information about the Discuss
mailing list