libcurl security vulnerability

Daniel Morissette dmorissette at DMSOLUTIONS.CA
Mon Oct 24 18:27:37 EDT 2005

After sending the message below, Tom has reported that MapServer did not 
build with libcurl 7.15.0. It turns out that there is a bug in the 
curl-config script that will be fixed in the next release of curl.

Anyone interested in using libcurl 7.15.0 with MapServer should patch 
their copy of curl, for all the details see:


Daniel Morissette wrote:
> FYI, a security vulnerability in libcurl has recently been reported and 
> is fixed in libcurl 7.15.0 and later:
> I don't think MapServer users are at high risk since libcurl is only 
> used to connect to remote WMS and WFS servers which are in general 
> friendly or well-known hosts, and there is no known curl exploit at this 
> time. However a risk could still exists for those using untrusted WMS 
> servers in their apps, or allowing loading of arbitrary Web Map Contexts 
> in their apps.
> If you consider yourself at risk then you might want to upgrade to 
> libcurl 7.15.0 or to a patched libcurl version that may be available for 
> your OS.
> Future builds (FGS and MS4W) will be based on the latest 
> version of Curl.
> Daniel

  Daniel Morissette               dmorissette at
  DM Solutions Group    

More information about the mapserver-dev mailing list