[mapserver-dev] [motion] release 5.6.9, 6.0.4, 6.2.2 and 6.4.1

Lime, Steve D (MNIT) Steve.Lime at state.mn.us
Tue Dec 31 09:06:08 PST 2013


Would be good to hear from Even. I think Thomas is correct. One can't manipulate the table list, nor can multiple statements be strung together. We're backporting to multiple branches out of an abundance of caution. --Steve

________________________________________
From: mapserver-dev-bounces at lists.osgeo.org [mapserver-dev-bounces at lists.osgeo.org] on behalf of thomas bonfort [thomas.bonfort at gmail.com]
Sent: Tuesday, December 31, 2013 9:02 AM
To: Sebastiaan Couwenberg
Cc: MapServer Dev Mailing List
Subject: Re: [mapserver-dev] [motion] release 5.6.9, 6.0.4, 6.2.2 and 6.4.1

Bas,
My personal opinion is that a CVE wouldn't be needed as the
vulnerability is not exploitable other than to return unfiltered data
from the table, something that could/can already be done in a "valid"
way by requesting an infinite time range. Again, this is my personal
understanding, and if incorrect would indeed require a CVE.

I'll pass the buck down to someone more knowledgeable of the issue to
make the final call...

regards,
thomas

On 31 December 2013 15:26, Sebastiaan Couwenberg <sebastic at xs4all.nl> wrote:
> Have you considered requesting a CVE for the vulnerability to ease
> tracking the patching of it by the various distributions?
>
> http://cve.mitre.org/
>
> Kind Regards,
>
> Bas
>
>
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-dev