[mapserver-users] 7.6.3 released - includes important security fix

Jeff McKenna jmckenna at gatewaygeomatics.com
Thu Jun 3 13:33:05 PDT 2021 

The associated CVE security ID for this is: CVE-2021-32062 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32062

-jeff


-- 
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/



On 2021-04-30 7:55 p.m., Steve Lime wrote:
> The MapServer team is pleased (kinda) to announce the 7.6.3 security and 
> maintenance release.
> 
> Importantly, this release addresses a flaw, discovered by project 
> developers, in MapServer CGI mapfile loading that makes it possible to 
> bypass security controls (ticket #6313). This flaw makes it difficult to 
> easily limit where MapServer can load a mapfile from and affects 
> versions 4.10 and later. This is a critical issue and all users are 
> encouraged to update as soon as possible.
> 
> What does this mean for you?
> 
>  1. If you've not used MS_MAP_PATTERN or MS_MAP_NO_PATH as part of
>     securing your installation then this doesn't have much impact since
>     you're not using the controls. That said, this is a critical
>     configuration step and you should upgrade and make use of those
>     controls to limit where mapfiles can be accessed.
>  2. If you've relied on MS_MAP_PATTERN exclusively, you should upgrade
>     and be in good shape. However, it's a great time to review and test
>     MS_MAP_PATTERN.
>  3. If you've relied on MS_MAP_NO_PATH primarily (like me), you should
>     upgrade and set a value for MS_MAP_PATTERN.
> 
> We are simultaneously releasing versions 7.0.8, 7.2.3 and 7.4.5 as well. 
> Updates to binary distributions will follow ASAP.
> 
> For the list of additional changes see the Changelog at 
> https://mapserver.org/development/changelog/changelog-7-6.html 
> <https://mapserver.org/development/changelog/changelog-7-6.html> Or head 
> to Download at https://mapserver.org/download.html 
> <https://mapserver.org/download.html> For those wanting searchable 
> offline documentation, the updated PDF is available at 
> https://download.osgeo.org/mapserver/docs/MapServer.pdf 
> <https://download.osgeo.org/mapserver/docs/MapServer.pdf>
> 
> -- The MapServer Team
> 
> 
>

More information about the mapserver-users mailing list