[mapserver-dev] MapServer 6.0.1, 5.6.7 and 4.10.7 releases with security fixes

Daniel Morissette dmorissette at mapgears.com
Wed Jul 13 08:21:44 EDT 2011 

The MapServer team announces the release of MapServer versions 6.0.1, 
5.6.7 and 4.10.7.

No new functionality has been added. 6.0.1 is a maintence release that 
fixes a few issues including recently discovered security 
vulnerabilities. The list of fixes since 6.0.0 is included at the end of 
this message.

Versions 5.6.7 and 4.10.7 include fixes for the security vulnerabilities 
described below plus a few bug fixes that may have occurred since the 
last official release. See the respective HISTORY.TXT files for 
additional information.

IMPORTANT SECURITY FIXES:
-------------------------

MapServer developers have discovered flaws in the OGC filter support in 
MapServer. That code is used in support of WFS, WMS-SLD and SOS 
specifications.

All versions may be susceptible to SQL injection under certain 
circumstances. The extent of the vulnerability depends on the MapServer 
version, relational database and mapfile configuration being used. All 
users are ** strongly encouraged ** to upgrade to these latest releases.

The 5.6.7 and 4.10.7 releases also address one significant potentially 
exploitable buffer overflow (6.0 branch is not vulneralble).

These fixes do not affect the functionality of MapServer and no changes 
will be necessary for configurations/applications using the same base 
branch (e.g. 5.6).

Even though we release 6.0.1, 5.6.7 and 4.10.7 today, these security 
fixes have also been backported to all stable branches (going back to 
4.10) in MapServer's Subversion (SVN) source code repository, so if you 
work from source and would like to patch your local MapServer source 
tree, the changeset (i.e. patch file) for each stable release can be 
obtained through the following Trac ticket:

   - http://trac.osgeo.org/mapserver/ticket/3903

Special thanks to Even Rouault for his work identifying the issues and 
the subsequent patching and testing he did.

Source and binary downloads:
----------------------------

The source code is available at:

     http://mapserver.org/download.html

The binary distributions listed in the download page should be updated
with binaries for the new 6.0.1 release (and in some cases 5.6.7) in the 
next few hours, if not already done.

We have also submitted security patches to the Ubuntu and Debian 
supported distributions that are in the process of being reviewed.

The MapServer Team


Version 6.0.1 (2011-07-12):
---------------------------

IMPORTANT SECURITY FIXES:

-  Fixes to prevent SQL injections through OGC filter encoding (in WMS, WFS
    and SOS), as well as a potential SQL injection in WMS time support.
    Your system may be vulnerable if it has MapServer with OGC protocols
    enabled, with layers connecting to an SQL RDBMS backend, either
    natively or via OGR (#3903)

- Applied patch for ticket (symbol writing issues) (#3589)

- Fix performance issue with Oracle and scrollable cursors (#3905)

- Fix attribute binding for layer styles (#3941)

- Added missing fclose() when writing query files (#3943)

- Fix double-free in msAddImageSymbol() when filename is a http resource 
(#3939)

- Fix rendering of lines with outlinewidth set if not on first style (#3935)

- Added writing of cluster object when saving map. Also improved handling of
   cluster parsing errors (#3934)

- Fix for the cluster processing if the shape bounds doesn't overlap
   with the given extent (#3913)

- OGC Filter: fix segfault when a ows_varname_type or wfs_varname_type is
   defined but not a gml_varname_type (#3902)

- Fix regression of MapServer 6.0.0 when specifying a time range in WMS time
   requests on a Postgis layer (#3909)

- Fixed order of metadata lookup for WMS GML GetFeatureInfo. 'ows' should
   come last, not first (#3636).

- Fixed mssql2008 to return correct geometries with chart layer type (#3894)

- Write SYMBOLSET/END tags when saving a symbol file (#3885)

- Make java threadtests work again (#3887)

- Fix segfault on malformed <PropertyIsLike> filters (#3888)

- Fixed the query handling problem with the Oracle spatial driver (#3878)

- Fixed potential crash with AVERAGE resampling and crazy reprojection 
(#3886)

- Fix for the warnings in mapunion.c (#3880)

- Fixed the build problem in mapunion.c (#3877)

- Union layer: Fixed the crash when styling source layers using 
attributes (#3870)

- Improve rangeset item checking so that Bands=1,2,3 is supported with 
WCS 1.0
   (#3919).

- Fix GetMapserverUnitUsingProj() for proj=latlong (#3883)

More information about the mapserver-dev mailing list