[MapServer-users] MS4W 5.2.0 (final) released! *Security Release*
Jeff McKenna
jmckenna at gatewaygeomatics.com
Tue May 26 11:55:26 PDT 2026
Hi everyone,
After many many betas and release candidates, I'm very proud to announce
that MS4W 5.2.0 is available at https://ms4w.com
Important: you must be sure to run the file "/tmp/vc_redist.86.exe"
before installing Apache, if you are using the zip archive.
The history of changes is too long to paste here, so see it at
https://ms4w.com/HISTORY.html
**Critical**: this is a security release. All users must follow the
steps to secure your MS4W server installation, including by limiting
user access to ms4w.conf (see
https://ms4w.com/README_INSTALL.html#strongly-recommended-set-user-access-permissions-for-ms4w-conf
). Please, for any MS4W version, review those steps, and grab that
secure-permissions.bat (or PowerShell secure-permissions.ps1) script &
run it on your production installation of MS4W.
**New security policy**: you can find MS4W's security policy at the root
of your MS4W 5.2.0 installation (SECURITY.txt) or online at
https://ms4w.com/SECURITY.html. As shown by the many security upgrades
included in 5.2.0, I realize how important security is for your
production installation, and rest assured that I am working hard to
improve security in MS4W always.
Several add-on packages were also upgraded (GeoMoose, Mapbender,
OpenLayers [with a local MS4W layer again]), and a new MapServer WCS Demo
package was added (see how to set up a timeseries of raster layers in a
"tileindex layer" for WCS, including the important VALIDATION block for
the time format, and nothing is better than seeing the local working
mapfile & data, and opening your local MS4W WCS service in QGIS, to
learn how to implement for your own data).
A significant effort was put into upgrading the setup.exe installer, to
code sign it for Windows security approval, and also updating the paths
for MS4W apps & their mapfiles, as well as setting user access
permissions for ms4w.conf automatically. It should install nicely into
the beloved path of C:/Program Files/ (in fact I was testing all of the
apps in an [awful] path of D:/temp/ttt tt t/), but installing at the
root of a drive is always best.
The Migration Guide is very useful for commands to test locally and
notes to follow (I use this page to find commands constantly)
https://ms4w.com/trac/wiki/MigrationGuide5.x
The README has also been updated of course, with special notes for
enabling MapCache, pycsw, Oracle plugins, GDAL/MapServer plugins etc. at
https://ms4w.com/README_INSTALL.html
Thank you to those who have reported and provided feedback in the MS4W
issue tracker, please continue to do so there (tip: I use this exact
query link all-day every-day to view the tickets:
https://ms4w.com/trac/report/1?sort=created&page=1&max=200 )
The MS4W dev server has also been updated, showcasing the MS4W apps at
https://ms4w.dev
Pro tip: look for a new simple CSW "viewer" link on your homepage
127.0.0.1 after install [and after following the steps to configure
pycsw there] (or try the simple viewer on the demo server at
https://ms4w.dev/pycsw-viewer/ ). It's a nice way to see your local
pycsw catalogue (and even map the bounding box of your records) &
compare to other CSW endpoints.
Oh, some power users might notice some more security updates coming to
important libraries this week, and wonder 'why didn't jeff wait a week'
- I've learned now, that security is a fast-moving train. Best to get
this release out, get your local 5.2.0 installation secure, and then
watch the MS4W issue tracker to follow the security changes & help
test/comment there, to make the next release as smooth as possible.
Thanks everyone, phew!
Happy MapServ-ing to all,
-jeff
--
Jeff McKenna
GatewayGeo: Developers of MS4W, & offering MapServer Consulting/Dev
co-founder of FOSS4G
http://gatewaygeo.com/