Fedora has issued an advisory on July 22, 2011:
http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063300.html

They updated to 5.6.7, which fixes this issue. Mageia 2 is not vulnerable as these were also fixed in 6.0.1.

More info is here:
https://bugzilla.redhat.com/show_bug.cgi?id=723293
Debian also issued an advisory for this on July 26, 2011: http://www.debian.org/security/2011/dsa-2285 from http://lwn.net/Vulnerabilities/452969/
Submitted an update for 1.

SRPM:
mapserver-5.6.7-1.mga1.src.rpm

RPMs:
mapserver-5.6.7-1.mga1.x86_64.rpm
php-mapscript-5.6.7-1.mga1.x86_64.rpm

--- Advisory ---
This bugfix release fixes several bugs and security issues:
- Fixes to prevent SQL injections
- Fixed potentially exploitable buffer overflows
as well as a list of bugfixes, see
http://trac.osgeo.org/mapserver/browser/tags/rel-5-6-7/mapserver/HISTORY.TXT
----------------
Assignee: oliver.bgr => qa-bugs
Testing i586:
(To Oliver Burger: question for you near the end)

# urpmi mapserver

Then went to http://localhost/cgi-bin/mapserv and get the standard "No query information to decode. QUERY_STRING is set, but empty."

Downloaded tutorial data from http://mapserver.org/tutorial/background.html (mapserver-tutorial.zip) and extracted it to /tmp

Then check:
http://localhost/cgi-bin/mapserv?map=/tmp/ms4w/apps/tutorial/htdocs/example1-5.map&layer=states&layer=states_line&layer=states_label&layer=modis&mode=map
This should display a map. I took and adapted this link from the tutorial at http://mapserver.org/tutorial/section1.html

The following URL fails unless I install the "proj" package. Oliver: should a requires or suggest be added (I'm not putting the feedback whiteboard marker since my question is not about a blocking regression)?
http://localhost/cgi-bin/mapserv?map=/tmp/ms4w/apps/tutorial/htdocs/example1-6.map&layer=states&layer=states_label&layer=modis&mode=map
CC: (none) => stormi
Whiteboard: (none) => has_procedure MGA1-32-OK
Testing x86_64 complete. Waiting a little bit for Oliver's answer before validating.
Whiteboard: has_procedure MGA1-32-OK => has_procedure MGA1-32-OK MGA1-64-OK
Update validated. I'll create another bug report for the possible missing dep. See comment #2 for SRPM and advisory.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0230
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED