[mapserver-users] MapServer 5.6.4 and 4.10.6 released with important security fixes

Daniel Morissette dmorissette at mapgears.com
Tue Jul 13 08:52:34 PDT 2010


FYI, an issue with scale computation has been found in the 5.6.4 release
and is being worked on at the moment. We will publish a 5.6.5 release
soon with a fix for it, so if you have not upgraded to 5.6.4 yet you
should probably wait a few more hours.

Sorry about this

Daniel

Daniel Morissette wrote:
> The MapServer team announces the release of MapServer version 5.6.4 and
> 4.10.6.
> 
> No new functionality has been added. 5.6.4 is a maintenance release that
> fixes a few issues (including a potential security vulnerability) that
> were found since the release of 5.6.3. The list of fixes since 5.6.3 is
> included at the end of this message.
> 
> With respect to the 4.10.6 release, it only includes the security fixes
> described below.
> 
> 
> SECURITY FIXES:
> ---------------
> 
> As part of a security audit of MapServer 5.6 it was reported that some
> of the mapserv CGI command-line arguments used by developers for
> debugging and testing the software constitute a security risk that could
> potentially be exploited remotely. We are not aware of any exploit for
> this issue at the moment, but it is strongly advised that users of past
> releases upgrade to the latest releases that disable the potentially
> insecure command-line args.
> 
> We will not disclose any of the details here, but potential
> vulnerabilities were demonstrated to our team and it was recommended
> that we take actions to avoid command-line arguments in CGI programs. As
> a result and to create the smallest possible amount of disruption in
> point releases, for this release we simply disabled all mapserv
> command-line debug args by default, except for "-v" which is useful to
> get mapserv version on an installed system, as well as "-nh" and
> "QUERY_STRING=..." which add no risk and/or are used by msautotests and
> in some docs.
> 
> This change does not affect functionality for regular mapserv CGI users
> working through HTTP, it only impacts developers that use those
> command-line arguments to debug and test the software. It should be
> noted that the use of command-line args for testing and debugging the
> software may be deprecated and replaced by a different mechanism in
> future releases.
> 
> This release also fixes at least one important buffer overflow.
> 
> Even if we release only 5.6.4 and 4.10.6 today, these security fixes
> have also been backported to all stable branches (going back to 4.10) in
> MapServer's Subversion (SVN) source code repository, so if you work from
> source and would like to patch your local MapServer source tree, the
> changeset (i.e. patch file) for each stable release can be obtained
> through the Trac ticket for each issue:
> - http://trac.osgeo.org/mapserver/ticket/3484
> - http://trac.osgeo.org/mapserver/ticket/3485
> 
> 
> Source and binary downloads:
> ----------------------------
> 
> The source code is available at:
> 
>     http://mapserver.org/download.html
> 
> The binary distributions listed in the download page should be updated
> with binaries for the new 5.6.4 release in the next few hours.
> 
> We are also in the process of submitting security patches to the Ubuntu
> and Debian supported distributions.
> 
> 
> Version 5.6.4 (2010-07-08):
> ---------------------------
> 
> IMPORTANT SECURITY FIXES:
> 
> - Disabled some insecure (and potentially exploitable) mapserv command-line
>   debug arguments (#3485). The --enable-cgi-cl-debug-args configure switch
>   can be used to re-enable them for devs who really cannot get away without
>   them and who understand the potential security risk (not recommended for
>   production servers or those who don't understand the security
> implications).
> 
> - Fixed possible buffer overflow in msTmpFile() (#3484)
> 
> Other fixes:
> 
> - Fixed possible race condition with connectiontype WFS layers (#3137)
> 
> - Modified mapserver units enum order to fix some problems with external
>   packages (#3173)
> 
> - fix blending of transparent layers with AGG on MSB archs (#3471)
> 
> - Fixed imageObj->saveImage() sends unnecessary headers (#3418)
> 
> - Correct PropertyName parsing for wfs post requests (#3235)
> 
> - Ensure mapwmslayer.c does not unlink file before closing connection on
>   it (#3451)
> 
> - Fix security exception issue in C# with MSVC2010 (#3438)
> 
> - Write out join CONNECTIONTYPE when saving a mapfile. (#3435)
> 
> - Fixed attribute queries to use an extent stored (and cached) as part of
>   the queryObj rather than the map->extent. (#3424)
> 
> - Reverted msLayerWhichItems() to 5.4-like behavior although still
> supporting
>   retrieving all items (#3356,#3342)
> 
> - Grid layer: remove drawing of unnecessary gird lines (#3433)
> 
> - OGC Filters for spatial dbs should be enclosed in parentheses (#3430)
> 
> - Improve the handling of simple string comparisons for raster classified
>   values (#3425)
> 
> - Add the ogc namspace to filters generated by Mapserver (#3414)
> 
> - Fix MS_NONSQUARE to work in mode=map (#3413)
> 
> - Improve error message when loadQuery() filename extension check fails
> (#3302)
> 
> - Fix GetLegendGraphic using keyimages (#3398)
> 
> - Fix getFeatureInfo queries on WFS layers (#3403)
> 
> - Fixed mapstring.c build problem related to errno (#3401).
> 
> - Correct ungeoreferenced defaults via GetExtent() on raster layer (#3368)
> 
> - More adjustments to how TLOCK_GDAL held around msGetGDALGeoTransform
> (#3368)
> _______________________________________________
> mapserver-users mailing list
> mapserver-users at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-users


-- 
Daniel Morissette
http://www.mapgears.com/



More information about the MapServer-users mailing list