[mapserver-dev] MapServer 6.0.1, 5.6.7 and 4.10.7 releases with security fixes

Daniel Morissette dmorissette at mapgears.com
Wed Jul 13 08:43:48 EDT 2011


Sorry for hitting the [send] button too quick... the downloads page on 
the website has not been updated yet... will wait for it to update 
before posting the announcement to the mapserver-users list.

In the meantime, here are the links to the source packages:

http://download.osgeo.org/mapserver/mapserver-6.0.1.tar.gz
http://download.osgeo.org/mapserver/mapserver-5.6.7.tar.gz
http://download.osgeo.org/mapserver/mapserver-4.10.7.tar.gz


On 11-07-13 08:21 AM, Daniel Morissette wrote:
> The MapServer team announces the release of MapServer versions 6.0.1,
> 5.6.7 and 4.10.7.
>
> No new functionality has been added. 6.0.1 is a maintence release that
> fixes a few issues including recently discovered security
> vulnerabilities. The list of fixes since 6.0.0 is included at the end of
> this message.
>
> Versions 5.6.7 and 4.10.7 include fixes for the security vulnerabilities
> described below plus a few bug fixes that may have occurred since the
> last official release. See the respective HISTORY.TXT files for
> additional information.
>
> IMPORTANT SECURITY FIXES:
> -------------------------
>
> MapServer developers have discovered flaws in the OGC filter support in
> MapServer. That code is used in support of WFS, WMS-SLD and SOS
> specifications.
>
> All versions may be susceptible to SQL injection under certain
> circumstances. The extent of the vulnerability depends on the MapServer
> version, relational database and mapfile configuration being used. All
> users are ** strongly encouraged ** to upgrade to these latest releases.
>
> The 5.6.7 and 4.10.7 releases also address one significant potentially
> exploitable buffer overflow (6.0 branch is not vulneralble).
>
> These fixes do not affect the functionality of MapServer and no changes
> will be necessary for configurations/applications using the same base
> branch (e.g. 5.6).
>
> Even though we release 6.0.1, 5.6.7 and 4.10.7 today, these security
> fixes have also been backported to all stable branches (going back to
> 4.10) in MapServer's Subversion (SVN) source code repository, so if you
> work from source and would like to patch your local MapServer source
> tree, the changeset (i.e. patch file) for each stable release can be
> obtained through the following Trac ticket:
>
> - http://trac.osgeo.org/mapserver/ticket/3903
>
> Special thanks to Even Rouault for his work identifying the issues and
> the subsequent patching and testing he did.
>
> Source and binary downloads:
> ----------------------------
>
> The source code is available at:
>
> http://mapserver.org/download.html
>
> The binary distributions listed in the download page should be updated
> with binaries for the new 6.0.1 release (and in some cases 5.6.7) in the
> next few hours, if not already done.
>
> We have also submitted security patches to the Ubuntu and Debian
> supported distributions that are in the process of being reviewed.
>
> The MapServer Team
>
>
> Version 6.0.1 (2011-07-12):
> ---------------------------
>
> IMPORTANT SECURITY FIXES:
>
> - Fixes to prevent SQL injections through OGC filter encoding (in WMS, WFS
> and SOS), as well as a potential SQL injection in WMS time support.
> Your system may be vulnerable if it has MapServer with OGC protocols
> enabled, with layers connecting to an SQL RDBMS backend, either
> natively or via OGR (#3903)
>
> - Applied patch for ticket (symbol writing issues) (#3589)
>
> - Fix performance issue with Oracle and scrollable cursors (#3905)
>
> - Fix attribute binding for layer styles (#3941)
>
> - Added missing fclose() when writing query files (#3943)
>
> - Fix double-free in msAddImageSymbol() when filename is a http resource
> (#3939)
>
> - Fix rendering of lines with outlinewidth set if not on first style
> (#3935)
>
> - Added writing of cluster object when saving map. Also improved
> handling of
> cluster parsing errors (#3934)
>
> - Fix for the cluster processing if the shape bounds doesn't overlap
> with the given extent (#3913)
>
> - OGC Filter: fix segfault when a ows_varname_type or wfs_varname_type is
> defined but not a gml_varname_type (#3902)
>
> - Fix regression of MapServer 6.0.0 when specifying a time range in WMS
> time
> requests on a Postgis layer (#3909)
>
> - Fixed order of metadata lookup for WMS GML GetFeatureInfo. 'ows' should
> come last, not first (#3636).
>
> - Fixed mssql2008 to return correct geometries with chart layer type
> (#3894)
>
> - Write SYMBOLSET/END tags when saving a symbol file (#3885)
>
> - Make java threadtests work again (#3887)
>
> - Fix segfault on malformed <PropertyIsLike> filters (#3888)
>
> - Fixed the query handling problem with the Oracle spatial driver (#3878)
>
> - Fixed potential crash with AVERAGE resampling and crazy reprojection
> (#3886)
>
> - Fix for the warnings in mapunion.c (#3880)
>
> - Fixed the build problem in mapunion.c (#3877)
>
> - Union layer: Fixed the crash when styling source layers using
> attributes (#3870)
>
> - Improve rangeset item checking so that Bands=1,2,3 is supported with
> WCS 1.0
> (#3919).
>
> - Fix GetMapserverUnitUsingProj() for proj=latlong (#3883)
>
>
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-dev


-- 
Daniel Morissette
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000



More information about the mapserver-dev mailing list