[mapserver-users] MapServer 5.6.4 and 4.10.6 released with important security fixes
Daniel Morissette
dmorissette at mapgears.com
Tue Jul 13 08:52:34 PDT 2010
FYI, an issue with scale computation has been found in the 5.6.4 release
and is being worked on at the moment. We will publish a 5.6.5 release
soon with a fix for it, so if you have not upgraded to 5.6.4 yet you
should probably wait a few more hours.
Sorry about this
Daniel
Daniel Morissette wrote:
> The MapServer team announces the release of MapServer version 5.6.4 and
> 4.10.6.
>
> No new functionality has been added. 5.6.4 is a maintenance release that
> fixes a few issues (including a potential security vulnerability) that
> were found since the release of 5.6.3. The list of fixes since 5.6.3 is
> included at the end of this message.
>
> With respect to the 4.10.6 release, it only includes the security fixes
> described below.
>
>
> SECURITY FIXES:
> ---------------
>
> As part of a security audit of MapServer 5.6 it was reported that some
> of the mapserv CGI command-line arguments used by developers for
> debugging and testing the software constitute a security risk that could
> potentially be exploited remotely. We are not aware of any exploit for
> this issue at the moment, but it is strongly advised that users of past
> releases upgrade to the latest releases that disable the potentially
> insecure command-line args.
>
> We will not disclose any of the details here, but potential
> vulnerabilities were demonstrated to our team and it was recommended
> that we take actions to avoid command-line arguments in CGI programs. As
> a result and to create the smallest possible amount of disruption in
> point releases, for this release we simply disabled all mapserv
> command-line debug args by default, except for "-v" which is useful to
> get mapserv version on an installed system, as well as "-nh" and
> "QUERY_STRING=..." which add no risk and/or are used by msautotests and
> in some docs.
>
> This change does not affect functionality for regular mapserv CGI users
> working through HTTP, it only impacts developers that use those
> command-line arguments to debug and test the software. It should be
> noted that the use of command-line args for testing and debugging the
> software may be deprecated and replaced by a different mechanism in
> future releases.
>
> This release also fixes at least one important buffer overflow.
>
> Even if we release only 5.6.4 and 4.10.6 today, these security fixes
> have also been backported to all stable branches (going back to 4.10) in
> MapServer's Subversion (SVN) source code repository, so if you work from
> source and would like to patch your local MapServer source tree, the
> changeset (i.e. patch file) for each stable release can be obtained
> through the Trac ticket for each issue:
> - http://trac.osgeo.org/mapserver/ticket/3484
> - http://trac.osgeo.org/mapserver/ticket/3485
>
>
> Source and binary downloads:
> ----------------------------
>
> The source code is available at:
>
> http://mapserver.org/download.html
>
> The binary distributions listed in the download page should be updated
> with binaries for the new 5.6.4 release in the next few hours.
>
> We are also in the process of submitting security patches to the Ubuntu
> and Debian supported distributions.
>
>
> Version 5.6.4 (2010-07-08):
> ---------------------------
>
> IMPORTANT SECURITY FIXES:
>
> - Disabled some insecure (and potentially exploitable) mapserv command-line
> debug arguments (#3485). The --enable-cgi-cl-debug-args configure switch
> can be used to re-enable them for devs who really cannot get away without
> them and who understand the potential security risk (not recommended for
> production servers or those who don't understand the security
> implications).
>
> - Fixed possible buffer overflow in msTmpFile() (#3484)
>
> Other fixes:
>
> - Fixed possible race condition with connectiontype WFS layers (#3137)
>
> - Modified mapserver units enum order to fix some problems with external
> packages (#3173)
>
> - fix blending of transparent layers with AGG on MSB archs (#3471)
>
> - Fixed imageObj->saveImage() sends unnecessary headers (#3418)
>
> - Correct PropertyName parsing for wfs post requests (#3235)
>
> - Ensure mapwmslayer.c does not unlink file before closing connection on
> it (#3451)
>
> - Fix security exception issue in C# with MSVC2010 (#3438)
>
> - Write out join CONNECTIONTYPE when saving a mapfile. (#3435)
>
> - Fixed attribute queries to use an extent stored (and cached) as part of
> the queryObj rather than the map->extent. (#3424)
>
> - Reverted msLayerWhichItems() to 5.4-like behavior although still
> supporting retrieving all items (#3356,#3342)
>
> - Grid layer: remove drawing of unnecessary grid lines (#3433)
>
> - OGC Filters for spatial dbs should be enclosed in parentheses (#3430)
>
> - Improve the handling of simple string comparisons for raster classified
> values (#3425)
>
> - Add the ogc namespace to filters generated by Mapserver (#3414)
>
> - Fix MS_NONSQUARE to work in mode=map (#3413)
>
> - Improve error message when loadQuery() filename extension check fails
> (#3302)
>
> - Fix GetLegendGraphic using keyimages (#3398)
>
> - Fix getFeatureInfo queries on WFS layers (#3403)
>
> - Fixed mapstring.c build problem related to errno (#3401).
>
> - Correct ungeoreferenced defaults via GetExtent() on raster layer (#3368)
>
> - More adjustments to how TLOCK_GDAL held around msGetGDALGeoTransform
> (#3368)
--
Daniel Morissette
http://www.mapgears.com/