[mapserver-users] MapServer 5.2.2 and 4.10.4 released with security fixes
Steve Lime
Steve.Lime at dnr.state.mn.us
Thu Mar 26 19:40:02 PDT 2009
MapServer 5.2.2 and 4.10.4 have been released. (Version 5.4 will contain all of these
fixes at the start and a beta 4 release will be available in a day or so.)
The releases contain fixes for issues discovered in an audit of the CGI by a 3rd party
(tickets #2939, #2941, #2942, #2943 and #2944). The issues are detailed at:
http://trac.osgeo.org/mapserver/ticket/2939
http://trac.osgeo.org/mapserver/ticket/2941
http://trac.osgeo.org/mapserver/ticket/2942
http://trac.osgeo.org/mapserver/ticket/2943
http://trac.osgeo.org/mapserver/ticket/2944
Also provided is support for RFC-56 that addresses tightening up the control of
access to mapfiles and templates:
http://mapserver.org/development/rfc/ms-rfc-56.html
Most of these defects have been present for a number of releases and the potential
impact depends on your individual setup. Users of the mapserv CGI are strongly advised
to upgrade to the latest release. The changes do not directly affect MapScript; however,
as a result of the changes, all users may have to modify their applications to upgrade.
To upgrade you must:
1 - make sure map files are well-formed, that is, the first token is MAP. Comments
can come before the MAP token.
2 - make sure symbol files are well-formed, that is, the first token is SYMBOLSET. Like
mapfiles, comments can come before the SYMBOLSET token.
3 - MapServer templates (both browse and query templates) must now include the magic string
"MapServer Template". The string is not case sensitive, but it must be present in the first
line of the template or MapServer will reject it. The first line is not output with the template.
Finally, please consider using the new environment variables detailed in the RFC to further
secure your installation.
Upgrade tips:
In many cases items 1-3 above can be completed prior to updating your software. For templates,
you can enclose the magic string in comments appropriate to the template type (see the RFC
above for examples). The magic string will be output until you complete the upgrade, but the
browser will ignore it as a comment.
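A small pre-upgrade audit that applies the three rules above (first token MAP, first token SYMBOLSET, magic string in the first template line) to a set of files. This is an added example, not MapServer project code; it assumes only whole-line `#` comments precede the first keyword and uses constructed sample files, including an HTML-comment-wrapped template as the tip above suggests.

```python
"""Pre-upgrade checks for the 5.2.2 / 4.10.4 mapfile, symbol file and template
rules (added example; not from the MapServer project)."""
import re

# RFC-56 magic string; matched case-insensitively, first line only.
MAGIC = re.compile(r"mapserver template", re.IGNORECASE)

def first_token(text):
    """Return the first keyword, skipping blank lines and '#' comment lines.
    Assumption: only whole-line '#' comments appear before the first keyword."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        return stripped.split()[0].upper()   # mapfile keywords are case-insensitive
    return None

def check_mapfile(text):
    return first_token(text) == "MAP"

def check_symbolfile(text):
    return first_token(text) == "SYMBOLSET"

def check_template(text):
    """The magic string must be on the very first line (comments included)."""
    lines = text.splitlines()
    return bool(lines) and MAGIC.search(lines[0]) is not None

def audit(files):
    """files: {name: (kind, contents)}; returns the names that would be rejected."""
    checkers = {"map": check_mapfile, "symbol": check_symbolfile,
                "template": check_template}
    return [name for name, (kind, body) in files.items() if not checkers[kind](body)]

# Constructed sample inputs (hypothetical file names and contents)
SAMPLES = {
    "good.map": ("map", "# comment before MAP is fine\n\nMAP\n  NAME demo\nEND\n"),
    "bad.map": ("map", "NAME demo\nMAP\nEND\n"),
    "good.sym": ("symbol", "SYMBOLSET\n  SYMBOL\n    NAME 'circle'\n  END\nEND\n"),
    "good.html": ("template", "<!-- MapServer Template -->\n<html>[mapname]</html>\n"),
    "bad.html": ("template", "<html>\n<!-- MapServer Template -->\n</html>\n"),
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("needs fixing before upgrade:", name)
```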
The source packages are available in the MapServer downloads page:
http://mapserver.org/download/
and can be downloaded directly at:
http://download.osgeo.org/mapserver/mapserver-5.2.2.tar.gz
http://download.osgeo.org/mapserver/mapserver-4.10.4.tar.gz
Precompiled binaries should be available shortly at the usual locations (also linked from the
download page above). Existing MS4W users can go to the MS4W downloads page and use
the "MapServer version 5.2.2 Upgrade" package.
If you have questions, comments or concerns please contact me directly or send a message
to the -dev list. Thanks to the folks at Positron Security for their assistance.
Steve