[mapserver-dev] Motion: Adopt RFC-56 and release MapServer 4.10.4 and 5.2.2

Jeff McKenna jmckenna at gatewaygeomatics.com
Thu Mar 26 14:26:22 EDT 2009


Daniel Morissette wrote:
> Some security vulnerabilities have been found and reported to us 
> following an audit of MapServer's mapserv CGI. We have worked on this 
> off-list with other PSC members to come up with a solution before making 
> anything public.
> 
> The outcome of this is five tickets (#2939, #2941, #2942, #2943, #2944) 
> and corresponding fixes:
>   http://trac.osgeo.org/mapserver/ticket/2939
>   http://trac.osgeo.org/mapserver/ticket/2941
>   http://trac.osgeo.org/mapserver/ticket/2942
>   http://trac.osgeo.org/mapserver/ticket/2943
>   http://trac.osgeo.org/mapserver/ticket/2944
> 
> as well as a new RFC-56 about tightening up control of access to 
> mapfiles and templates:
>   http://mapserver.org/development/rfc/ms-rfc-56.html
> 
> 
> Motion:
> 
> I hereby motion that we release MapServer 5.2.2 and 4.10.4 ASAP with 
> fixes for tickets (#2939, #2941, #2942, #2943, #2944) and the 
> implementation of RFC-56. MapServer 5.4.0 beta4 should also follow 
> within a few days with the same fixes.
> 
> I start with my +1
> 
> Daniel

+1

A few days ago I tested with the 5.2 branch and ticket #2941 broke all of 
my mapfiles (and applications), and it will probably break all of the 
MS4W add-on packages as well.  But I agree it's a good find and we must 
go through with it right away.

-jeff


-- 
Jeff McKenna
FOSS4G Consulting and Training Services
http://www.gatewaygeomatics.com/



