[mapserver-dev] [motion] release 5.6.9, 6.0.4, 6.2.2 and 6.4.1

Lime, Steve D (MNIT) Steve.Lime at state.mn.us
Tue Dec 31 10:54:33 PST 2013


I would vote CVE. I think risk is quite low but not zero. --Steve

________________________________________
From: thomas bonfort [thomas.bonfort at gmail.com]
Sent: Tuesday, December 31, 2013 12:26 PM
To: Even Rouault
Cc: MapServer Dev Mailing List; Lime, Steve D (MNIT); Sebastiaan Couwenberg
Subject: Re: [mapserver-dev] [motion] release 5.6.9, 6.0.4, 6.2.2 and 6.4.1

So, Even and others, CVE or not CVE?

--
thomas

On 31 December 2013 18:10, Even Rouault <even.rouault at mines-paris.org> wrote:
> On Tuesday, 31 December 2013 18:06:08, Lime, Steve D (MNIT) wrote:
>> Would be good to hear from Even. I think Thomas is correct. One can't
>> manipulate the table list, nor can multiple statements be strung together.
>> We're backporting to multiple branches out of an abundance of caution.
>
> If you know the exact query structure (which is not difficult to get), you could
> UNION ALL with content from other (possibly intended to be private) tables.
>
>> --Steve
>>
>> ________________________________________
>> From: mapserver-dev-bounces at lists.osgeo.org
>> [mapserver-dev-bounces at lists.osgeo.org] on behalf of thomas bonfort
>> [thomas.bonfort at gmail.com] Sent: Tuesday, December 31, 2013 9:02 AM
>> To: Sebastiaan Couwenberg
>> Cc: MapServer Dev Mailing List
>> Subject: Re: [mapserver-dev] [motion] release 5.6.9, 6.0.4, 6.2.2 and 6.4.1
>>
>> Bas,
>> My personal opinion is that a CVE wouldn't be needed as the
>> vulnerability is not exploitable other than to return unfiltered data
>> from the table, something that could/can already be done in a "valid"
>> way by requesting an infinite time range. Again, this is my personal
>> understanding, and if incorrect would indeed require a CVE.
>>
>> I'll pass the buck down to someone more knowledgeable of the issue to
>> make the final call...
>>
>> regards,
>> thomas
>>
>> On 31 December 2013 15:26, Sebastiaan Couwenberg <sebastic at xs4all.nl> wrote:
>> > Have you considered requesting a CVE for the vulnerability to ease
>> > tracking the patching of it by the various distributions?
>> >
>> > http://cve.mitre.org/
>> >
>> > Kind Regards,
>> >
>> > Bas
>> >
>> >
>> > _______________________________________________
>> > mapserver-dev mailing list
>> > mapserver-dev at lists.osgeo.org
>> > http://lists.osgeo.org/mailman/listinfo/mapserver-dev
>>
>
> --
> Geospatial professional services
> http://even.rouault.free.fr/services.html
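The exploitability question the thread turns on (a time-range value interpolated into a query, which lets a caller who knows the query shape append a UNION ALL over another table) is easy to see side by side with the usual fix. The following is an added illustration, not MapServer's own code: the schema, the `observations` and `private_notes` tables, and the demo payload are constructed for the example, and SQLite stands in for whatever database backs the real layer.

```python
import re
import sqlite3

# Constructed sample schema: a table the layer is meant to expose, with a
# timestamp column used for time filtering, plus a second table that is not
# meant to be reachable through the layer at all.
SCHEMA = """
CREATE TABLE observations (id INTEGER, ts TEXT, value REAL);
CREATE TABLE private_notes (id INTEGER, note TEXT);
INSERT INTO observations VALUES (1, '2013-12-30T10:00:00', 1.5);
INSERT INTO observations VALUES (2, '2013-12-31T10:00:00', 2.5);
INSERT INTO observations VALUES (3, '2014-01-01T10:00:00', 3.5);
INSERT INTO private_notes VALUES (1, 'not for the public');
"""

# Strict shape of the only thing a time bound is allowed to look like.
ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$")

# Constructed input that closes the quoted literal and appends a UNION ALL,
# the shape of problem Even describes in the thread.
DEMO_PAYLOAD = "x' UNION ALL SELECT id, note, 0 FROM private_notes --"


def open_db():
    """Fresh in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_filter_unsafe(start, end):
    """The vulnerable pattern: caller-supplied bounds pasted into SQL text."""
    return ("SELECT id, ts, value FROM observations "
            f"WHERE ts >= '{start}' AND ts <= '{end}'")


def query_unsafe(conn, start, end):
    """Runs the interpolated query; a crafted bound changes the statement."""
    return conn.execute(build_filter_unsafe(start, end)).fetchall()


def is_valid_timestamp(s):
    """True only for a bare ISO-8601 timestamp; anything else is rejected."""
    return bool(ISO_TS.match(s))


def query_safe(conn, start, end):
    """Hardened form: validate the shape, then bind values as parameters
    so the bounds can never alter the statement's structure."""
    for bound in (start, end):
        if not is_valid_timestamp(bound):
            raise ValueError(f"rejected time value: {bound!r}")
    return conn.execute(
        "SELECT id, ts, value FROM observations WHERE ts >= ? AND ts <= ?",
        (start, end),
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    start = "2013-12-31T00:00:00"
    print("unsafe, crafted end bound:", query_unsafe(db, start, DEMO_PAYLOAD))
    print("safe, normal bounds:", query_safe(db, start, "2013-12-31T23:59:59"))
    try:
        query_safe(db, start, DEMO_PAYLOAD)
    except ValueError as err:
        print("safe, crafted end bound:", err)
```

Note that parameter binding only stops the bound from changing the statement; it does nothing about the "infinite time range" case Thomas raises, where a perfectly well-formed but unbounded range returns the whole table. Whether that is acceptable is a policy decision for the layer (for instance, capping the allowed span), separate from the injection fix.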