[mapserver-announce] MapServer 5.6.4 and 4.10.6 released with important security fixes

Daniel Morissette dmorissette at mapgears.com
Fri Jul 9 09:57:29 EDT 2010


The MapServer team announces the release of MapServer version 5.6.4 and
4.10.6.

No new functionality has been added. 5.6.4 is a maintenance release that
fixes a few issues (including a potential security vulnerability) that
were found since the release of 5.6.3. The list of fixes since 5.6.3 is
included at the end of this message.

With respect to the 4.10.6 release, it only includes the security fixes
described below.


SECURITY FIXES:
---------------

As part of a security audit of MapServer 5.6 it was reported that some
of the mapserv CGI command-line arguments used by developers for
debugging and testing the software constitute a security risk that could
potentially be exploited remotely. We are not aware of any exploit for
this issue at the moment, but it is strongly advised that users of past
releases upgrade to the latest releases that disable the potentially
insecure command-line args.

We will not disclose any of the details here, but potential
vulnerabilities were demonstrated to our team and it was recommended
that we take actions to avoid command-line arguments in CGI programs. As
a result and to create the smallest possible amount of disruption in
point releases, for this release we simply disabled all mapserv
command-line debug args by default, except for "-v" which is useful to
get mapserv version on an installed system, as well as "-nh" and
"QUERY_STRING=..." which add no risk and/or are used by msautotests and
in some docs.

This change does not affect functionality for regular mapserv CGI users
working through HTTP; it only impacts developers who use those
command-line arguments to debug and test the software. It should be
noted that the use of command-line args for testing and debugging the
software may be deprecated and replaced by a different mechanism in
future releases.

This release also fixes at least one important buffer overflow.

Even if we release only 5.6.4 and 4.10.6 today, these security fixes
have also been backported to all stable branches (going back to 4.10) in
MapServer's Subversion (SVN) source code repository, so if you work from
source and would like to patch your local MapServer source tree, the
changeset (i.e. patch file) for each stable release can be obtained
through the Trac ticket for each issue:
- http://trac.osgeo.org/mapserver/ticket/3484
- http://trac.osgeo.org/mapserver/ticket/3485
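
A version check against the two fixed releases named above, as an added example that is not part of the original announcement. The "MapServer version X.Y.Z" banner layout, the function names and the status labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a MapServer install against the fixed releases
# named in this announcement (5.6.4 and 4.10.6).

# Pull "X.Y.Z" out of a `mapserv -v` banner. The banner layout
# ("MapServer version X.Y.Z ...") is an assumption of this example.
mapserv_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^MapServer version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Print one of: fixed, upgrade, patch-from-svn, not-covered, unparsed.
mapserv_fix_status() {
    ver=$1
    if ! printf '%s\n' "$ver" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
        echo unparsed
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    if [ "$major" -eq 5 ] && [ "$minor" -eq 6 ]; then
        # 5.6 branch: fixed in 5.6.4
        if [ "$patch" -ge 4 ]; then echo fixed; else echo upgrade; fi
    elif [ "$major" -eq 4 ] && [ "$minor" -eq 10 ]; then
        # 4.10 branch: fixed in 4.10.6
        if [ "$patch" -ge 6 ]; then echo fixed; else echo upgrade; fi
    elif { [ "$major" -eq 4 ] && [ "$minor" -gt 10 ]; } ||
         { [ "$major" -eq 5 ] && [ "$minor" -lt 6 ]; }; then
        # Branches between 4.10 and 5.6: fixes exist only in SVN per the
        # announcement; apply the changesets from tickets 3484 and 3485.
        echo patch-from-svn
    else
        # Older than 4.10 or newer than 5.6: not addressed by this message.
        echo not-covered
    fi
}

# Constructed sample banner; on a real host use: banner=$(mapserv -v)
banner='MapServer version 5.6.3 OUTPUT=GIF OUTPUT=PNG SUPPORTS=PROJ'
found=$(mapserv_version_from_banner "$banner")
echo "$found: $(mapserv_fix_status "$found")"
```

A binary configured with --enable-cgi-cl-debug-args reports a fixed version number but has the debug arguments re-enabled, so the version alone does not confirm that the arguments are disabled.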


Source and binary downloads:
----------------------------

The source code is available at:

    http://mapserver.org/download.html

The binary distributions listed in the download page should be updated
with binaries for the new 5.6.4 release in the next few hours.

We are also in the process of submitting security patches to the Ubuntu
and Debian supported distributions.


Version 5.6.4 (2010-07-08):
---------------------------

IMPORTANT SECURITY FIXES:

- Disabled some insecure (and potentially exploitable) mapserv command-line
  debug arguments (#3485). The --enable-cgi-cl-debug-args configure switch
  can be used to re-enable them for devs who really cannot get away without
  them and who understand the potential security risk (not recommended for
  production servers or those who don't understand the security
  implications).

- Fixed possible buffer overflow in msTmpFile() (#3484)

Other fixes:

- Fixed possible race condition with connectiontype WFS layers (#3137)

- Modified mapserver units enum order to fix some problems with external
  packages (#3173)

- fix blending of transparent layers with AGG on MSB archs (#3471)

- Fixed imageObj->saveImage() sending unnecessary headers (#3418)

- Correct PropertyName parsing for wfs post requests (#3235)

- Ensure mapwmslayer.c does not unlink file before closing connection on
  it (#3451)

- Fix security exception issue in C# with MSVC2010 (#3438)

- Write out join CONNECTIONTYPE when saving a mapfile. (#3435)

- Fixed attribute queries to use an extent stored (and cached) as part of
  the queryObj rather than the map->extent. (#3424)

- Reverted msLayerWhichItems() to 5.4-like behavior although still
  supporting retrieving all items (#3356,#3342)

- Grid layer: remove drawing of unnecessary grid lines (#3433)

- OGC Filters for spatial dbs should be enclosed in parentheses (#3430)

- Improve the handling of simple string comparisons for raster classified
  values (#3425)

- Add the ogc namespace to filters generated by MapServer (#3414)

- Fix MS_NONSQUARE to work in mode=map (#3413)

- Improve error message when loadQuery() filename extension check fails
  (#3302)

- Fix GetLegendGraphic using keyimages (#3398)

- Fix getFeatureInfo queries on WFS layers (#3403)

- Fixed mapstring.c build problem related to errno (#3401).

- Correct ungeoreferenced defaults via GetExtent() on raster layer (#3368)

- More adjustments to how TLOCK_GDAL held around msGetGDALGeoTransform
  (#3368)

