Bug 7061

Summary: mapserver missing update for security issues fixed in 5.6.7
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: stormi-mageia, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/453848/
Whiteboard: has_procedure MGA1-32-OK MGA1-64-OK
Source RPM: mapserver-5.6.6-1.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-08-14 22:20:35 CEST 
Fedora has issued an advisory on July 22, 2011:
http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063300.html

They updated to 5.6.7, which fixes this issue.

Mageia 2 is not vulnerable as these were also fixed in 6.0.1.

More info is here: https://bugzilla.redhat.com/show_bug.cgi?id=723293
Comment 1 David Walser 2012-08-14 22:45:03 CEST 
Debian also issued an advisory for this on July 26, 2011:
http://www.debian.org/security/2011/dsa-2285

from http://lwn.net/Vulnerabilities/452969/
Comment 2 Oliver Burger 2012-08-15 09:06:12 CEST 
Submitted an update for 1.

SRPM:
mapserver-5.6.7-1.mga1.src.rpm

RPMs:
mapserver-5.6.7-1.mga1.x86_64.rpm
php-mapscript-5.6.7-1.mga1.x86_64.rpm

--- Advisory ---
This bugfix release fixes several bugs and security issues:
- Fixes to prevent SQL injections
- Fixed potentially exploitable buffer overflows
as well as a list of bugfixes, see
http://trac.osgeo.org/mapserver/browser/tags/rel-5-6-7/mapserver/HISTORY.TXT
----------------

Assignee: oliver.bgr => qa-bugs

Comment 3 Samuel Verschelde 2012-08-16 23:39:25 CEST 
Testing i586:

(To Oliver Burger: question for you near the end)

# urpmi mapserver

Then went to http://localhost/cgi-bin/mapserv and get the standard "No query information to decode. QUERY_STRING is set, but empty."

Downloaded tutorial data from http://mapserver.org/tutorial/background.html (mapserver-tutorial.zip) and extracted it to /tmp

Then check:

http://localhost/cgi-bin/mapserv?map=/tmp/ms4w/apps/tutorial/htdocs/example1-5.map&layer=states&layer=states_line&layer=states_label&layer=modis&mode=map

This should display a map. I took and adapted this link from the tutorial at http://mapserver.org/tutorial/section1.html

The following URL fails unless I install the "proj" package. Oliver: should a requires or suggest be added (I'm not putting the feedback whiteboard marker since my question is not about a blocking regression)?

http://localhost/cgi-bin/mapserv?map=/tmp/ms4w/apps/tutorial/htdocs/example1-6.map&layer=states&layer=states_label&layer=modis&mode=map

CC: (none) => stormi

Samuel Verschelde 2012-08-16 23:39:43 CEST

Whiteboard: (none) => has_procedure MGA1-32-OK

Comment 4 Samuel Verschelde 2012-08-17 09:35:50 CEST 
Testing x86_64 complete. Waiting a little bit for Oliver's answer before validating.

Whiteboard: has_procedure MGA1-32-OK => has_procedure MGA1-32-OK MGA1-64-OK

Comment 5 Samuel Verschelde 2012-08-19 09:51:58 CEST 
Update valided. I'll create another bug report for the possible missing dep.

See comment #2 for SRPM and advisory.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2012-08-21 16:14:47 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0230

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED