MapServer 5.6.4 and 4.10.6 released with important security fixes

2010.08.04
Credit: dmorissette
Risk: High
Local: Yes
Remote: Yes

The MapServer team announces the release of MapServer version 5.6.4 and 4.10.6.

No new functionality has been added. 5.6.4 is a maintenance release that fixes a few issues (including a potential security vulnerability) that were found since the release of 5.6.3. The list of fixes since 5.6.3 is included at the end of this message. With respect to the 4.10.6 release, it only includes the security fixes described below.

SECURITY FIXES:
---------------

As part of a security audit of MapServer 5.6 it was reported that some of the mapserv CGI command-line arguments used by developers for debugging and testing the software constitute a security risk that could potentially be exploited remotely. We are not aware of any exploit for this issue at the moment, but it is strongly advised that users of past releases upgrade to the latest releases that disable the potentially insecure command-line args.

We will not disclose any of the details here, but potential vulnerabilities were demonstrated to our team and it was recommended that we take actions to avoid command-line arguments in CGI programs. As a result and to create the smallest possible amount of disruption in point releases, for this release we simply disabled all mapserv command-line debug args by default, except for "-v" which is useful to get mapserv version on an installed system, as well as "-nh" and "QUERY_STRING=..." which add no risk and/or are used by msautotests and in some docs.

This change does not affect functionality for regular mapserv CGI users working through HTTP, it only impacts developers that use those command-line arguments to debug and test the software. It should be noted that the use of command-line args for testing and debugging the software may be deprecated and replaced by a different mechanism in future releases.

This release also fixes at least one important buffer overflow.

Even if we release only 5.6.4 and 4.10.6 today, these security fixes have also been backported to all stable branches (going back to 4.10) in MapServer's Subversion (SVN) source code repository, so if you work from source and would like to patch your local MapServer source tree, the changeset (i.e. patch file) for each stable release can be obtained through the Trac ticket for each issue:

- http://trac.osgeo.org/mapserver/ticket/3484
- http://trac.osgeo.org/mapserver/ticket/3485

Source and binary downloads:
----------------------------

The source code is available at:

http://mapserver.org/download.html

The binary distributions listed in the download page should be updated with binaries for the new 5.6.4 release in the next few hours. We are also in the process of submitting security patches to the Ubuntu and Debian supported distributions.

Version 5.6.4 (2010-07-08):
---------------------------

IMPORTANT SECURITY FIXES:

- Disabled some insecure (and potentially exploitable) mapserv command-line debug arguments (#3485). The --enable-cgi-cl-debug-args configure switch can be used to re-enable them for devs who really cannot get away without them and who understand the potential security risk (not recommended for production servers or those who don't understand the security implications).
- Fixed possible buffer overflow in msTmpFile() (#3484)

Other fixes:

- Fixed possible race condition with connectiontype WFS layers (#3137)
- Modified mapserver units enum order to fix some problems with external packages (#3173)
- Fix blending of transparent layers with AGG on MSB archs (#3471)
- Fixed imageObj->saveImage() sends unnecessary headers (#3418)
- Correct PropertyName parsing for wfs post requests (#3235)
- Ensure mapwmslayer.c does not unlink file before closing connection on it (#3451)
- Fix security exception issue in C# with MSVC2010 (#3438)
- Write out join CONNECTIONTYPE when saving a mapfile (#3435)
- Fixed attribute queries to use an extent stored (and cached) as part of the queryObj rather than the map->extent (#3424)
- Reverted msLayerWhichItems() to 5.4-like behavior although still supporting retrieving all items (#3356, #3342)
- Grid layer: remove drawing of unnecessary grid lines (#3433)
- OGC Filters for spatial dbs should be enclosed in parentheses (#3430)
- Improve the handling of simple string comparisons for raster classified values (#3425)
- Add the ogc namespace to filters generated by MapServer (#3414)
- Fix MS_NONSQUARE to work in mode=map (#3413)
- Improve error message when loadQuery() filename extension check fails (#3302)
- Fix GetLegendGraphic using keyimages (#3398)
- Fix getFeatureInfo queries on WFS layers (#3403)
- Fixed mapstring.c build problem related to errno (#3401)
- Correct ungeoreferenced defaults via GetExtent() on raster layer (#3368)
- More adjustments to how TLOCK_GDAL held around msGetGDALGeoTransform (#3368)
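
For triaging installed copies against the fixed releases named above, the following added example (not part of the MapServer announcement or the project's code) classifies the banner printed by `mapserv -v`, the one debug argument this release keeps enabled. The banner shape `MapServer version X.Y.Z ...`, the 5.0/5.2/5.4 branch list, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify a `mapserv -v` banner against the fixed releases in the
# announcement: 5.6.4 (5.6 branch) and 4.10.6 (4.10 branch).

# Print the X.Y.Z version found in a banner line, or nothing.
# Assumes the banner starts with "MapServer version X.Y.Z".
mapserv_version() {
    printf '%s\n' "$1" |
        sed -n 's/^MapServer version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print one of: fixed | needs-upgrade | svn-patch-only | out-of-scope | unparsed
classify_mapserv() {
    ver=$(mapserv_version "$1")
    [ -n "$ver" ] || { echo unparsed; return; }
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case "$major.$minor" in
        5.6)  [ "$patch" -ge 4 ] && echo fixed || echo needs-upgrade ;;
        4.10) [ "$patch" -ge 6 ] && echo fixed || echo needs-upgrade ;;
        # Stable branches between 4.10 and 5.6: fixes were backported in
        # SVN only, so the version number alone cannot prove a patched build.
        5.0|5.2|5.4) echo svn-patch-only ;;
        # Older than 4.10 or newer than 5.6: not covered by this announcement.
        *) echo out-of-scope ;;
    esac
}

# Constructed sample banners, not captured from real systems.
# On a host, pass the real banner instead, for example:
#   classify_mapserv "$(/path/to/mapserv -v)"   # path is a placeholder
for banner in \
    "MapServer version 5.6.3 OUTPUT=GIF OUTPUT=PNG SUPPORTS=PROJ" \
    "MapServer version 5.6.4 OUTPUT=GIF OUTPUT=PNG SUPPORTS=PROJ" \
    "MapServer version 4.10.5 OUTPUT=GIF SUPPORTS=PROJ" \
    "MapServer version 5.4.2 OUTPUT=PNG SUPPORTS=PROJ"
do
    printf '%-15s %s\n' "$(classify_mapserv "$banner")" "$banner"
done
```

A `svn-patch-only` result means the build has to be checked against the changesets attached to tickets #3484 and #3485 rather than judged by its version string.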

References:

http://www.securityfocus.com/bid/41855
http://trac.osgeo.org/mapserver/ticket/3484
http://trac.osgeo.org/mapserver/ticket/3485
http://marc.info/?l=oss-security&m=127973754121922&w=2
http://marc.info/?l=oss-security&m=127973381215859&w=2
http://lists.osgeo.org/pipermail/mapserver-users/2010-July/066052.html

