[mapserver-dev] 7.6.3 released - includes important security fix

Steve Lime sdlime at gmail.com
Fri Apr 30 15:55:10 PDT 2021

The MapServer team is pleased (kinda) to announce the 7.6.3 security
and maintenance release.

Importantly, this release addresses a flaw, discovered by project
developers, in MapServer CGI mapfile loading that makes it possible to
bypass security controls (ticket #6313). This flaw makes it difficult
to easily limit where MapServer can load a mapfile from and affects
versions 4.10 and later. This is a critical issue and all users are
encouraged to update as soon as possible.

What does this mean for you?

   1. If you've not used MS_MAP_PATTERN or MS_MAP_NO_PATH as part of
securing your installation then this doesn't have much impact since
you're not using the controls. That said, this is a critical
configuration step and you should upgrade and make use of those
controls to limit where mapfiles can be accessed.
   2. If you've relied on MS_MAP_PATTERN exclusively, you should
upgrade and be in good shape. However, it's a great time to review and
   3. If you've relied on MS_MAP_NO_PATH primarily (like me), you
should upgrade and set a value for MS_MAP_PATTERN.

We are simultaneously releasing versions 7.0.8, 7.2.3 and 7.4.5 as
well. Updates to binary distributions will follow ASAP.

For the list of additional changes see the Changelog at

Or head to Download at https://mapserver.org/download.html

For those wanting searchable offline documentation, the updated PDF is
available at https://download.osgeo.org/mapserver/docs/MapServer.pdf

The MapServer Team
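
The advice above to set a value for MS_MAP_PATTERN can be checked before deployment with the sketch below, an added example that is not part of the original announcement or MapServer's own code. The `/srv/maps` directory, both patterns and the sample values are constructed, and it assumes the pattern is applied as an unanchored regular-expression search over the `map=` value, with Python's `re` standing in for MapServer's regex engine.

```python
import re

# Constructed sample values for the CGI map= parameter (not from the announcement).
# True = a mapfile this deployment intends to serve, False = must be refused.
SAMPLES = [
    ("/srv/maps/roads.map", True),
    ("/srv/maps/basemap_v2.map", True),
    ("/srv/maps/../private/internal.map", False),  # leaves the directory
    ("/tmp/srv/maps/roads.map", False),            # allowed path only as a substring
    ("/srv/maps/roads.map.bak", False),            # wrong suffix
    ("/srv/maps/sub/dir/roads.map", False),        # nested path not intended
]

# Hypothetical candidate values for MS_MAP_PATTERN.
LOOSE = r"/srv/maps/.*\.map"                  # no anchors; '.*' also spans '/' and '..'
STRICT = r"^/srv/maps/[A-Za-z0-9_-]+\.map$"   # anchored, exactly one path segment


def audit_pattern(pattern, samples=SAMPLES):
    """Return (value, outcome) for every sample the pattern gets wrong.

    Assumption: the pattern is used as an unanchored search, so a pattern
    without ^ and $ can match anywhere inside the value.
    """
    rx = re.compile(pattern)
    wrong = []
    for value, intended in samples:
        allowed = rx.search(value) is not None
        if allowed != intended:
            wrong.append((value, "allowed" if allowed else "refused"))
    return wrong


if __name__ == "__main__":
    for name, pattern in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        problems = audit_pattern(pattern)
        print(f"{name}: {pattern!r} -> {len(problems)} mismatches")
        for value, outcome in problems:
            print(f"  {outcome} but should not be: {value}")
```

An empty result for a candidate pattern means it allowed every intended mapfile and refused every other sample; extend `SAMPLES` with the paths that matter for your own installation.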