libcurl security vulnerability

Daniel Morissette dmorissette at DMSOLUTIONS.CA
Mon Oct 24 18:27:37 EDT 2005


After sending the message below, Tom has reported that MapServer did not 
build with libcurl 7.15.0. It turns out that there is a bug in the 
curl-config script that will be fixed in the next release of curl.

Anyone interested in using libcurl 7.15.0 with MapServer should patch 
their copy of curl; for all the details see:

http://mapserver.gis.umn.edu/bugs/show_bug.cgi?id=1504#c4

Daniel

Daniel Morissette wrote:
> FYI, a security vulnerability in libcurl has recently been reported and 
> is fixed in libcurl 7.15.0 and later:
> http://curl.haxx.se/docs/security.html
> 
> I don't think MapServer users are at high risk since libcurl is only 
> used to connect to remote WMS and WFS servers which are in general 
> friendly or well-known hosts, and there is no known curl exploit at this 
> time. However, a risk could still exist for those using untrusted WMS 
> servers in their apps, or allowing loading of arbitrary Web Map Contexts 
> in their apps.
> 
> If you consider yourself at risk then you might want to upgrade to 
> libcurl 7.15.0 or to a patched libcurl version that may be available for 
> your OS.
> 
> Future maptools.org builds (FGS and MS4W) will be based on the latest 
> version of Curl.
> 
> Daniel


-- 
------------------------------------------------------------
  Daniel Morissette               dmorissette at dmsolutions.ca
  DM Solutions Group              http://www.dmsolutions.ca/
------------------------------------------------------------
