Bug 7061 - mapserver missing update for security issues fixed in 5.6.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
URL: http://lwn.net/Vulnerabilities/453848/
Whiteboard: has_procedure MGA1-32-OK MGA1-64-OK
Keywords: validated_update
Reported: 2012-08-14 22:20 CEST by David Walser
Modified: 2012-08-21 16:14 CEST

Source RPM: mapserver-5.6.6-1.mga1.src.rpm

Description David Walser 2012-08-14 22:20:35 CEST
Fedora has issued an advisory on July 22, 2011:
http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063300.html

They updated to 5.6.7, which fixes this issue.

Mageia 2 is not vulnerable as these were also fixed in 6.0.1.

More info is here: https://bugzilla.redhat.com/show_bug.cgi?id=723293
Comment 1 David Walser 2012-08-14 22:45:03 CEST
Debian also issued an advisory for this on July 26, 2011:
http://www.debian.org/security/2011/dsa-2285

from http://lwn.net/Vulnerabilities/452969/
Comment 2 Oliver Burger 2012-08-15 09:06:12 CEST
Submitted an update for 1.

SRPM:
mapserver-5.6.7-1.mga1.src.rpm

RPMs:
mapserver-5.6.7-1.mga1.x86_64.rpm
php-mapscript-5.6.7-1.mga1.x86_64.rpm

--- Advisory ---
This bugfix release fixes several bugs and security issues:
- Fixes to prevent SQL injections
- Fixed potentially exploitable buffer overflows
as well as a list of bugfixes, see
http://trac.osgeo.org/mapserver/browser/tags/rel-5-6-7/mapserver/HISTORY.TXT
----------------

Assignee: oliver.bgr => qa-bugs

Comment 3 Samuel Verschelde 2012-08-16 23:39:25 CEST
Testing i586:

(To Oliver Burger: question for you near the end)

# urpmi mapserver

Then went to http://localhost/cgi-bin/mapserv and got the standard "No query information to decode. QUERY_STRING is set, but empty."

Downloaded tutorial data from http://mapserver.org/tutorial/background.html (mapserver-tutorial.zip) and extracted it to /tmp

Then check:

http://localhost/cgi-bin/mapserv?map=/tmp/ms4w/apps/tutorial/htdocs/example1-5.map&layer=states&layer=states_line&layer=states_label&layer=modis&mode=map

This should display a map. I took and adapted this link from the tutorial at http://mapserver.org/tutorial/section1.html

The following URL fails unless I install the "proj" package. Oliver: should a requires or suggest be added (I'm not putting the feedback whiteboard marker since my question is not about a blocking regression)?

http://localhost/cgi-bin/mapserv?map=/tmp/ms4w/apps/tutorial/htdocs/example1-6.map&layer=states&layer=states_label&layer=modis&mode=map

CC: (none) => stormi

Samuel Verschelde 2012-08-16 23:39:43 CEST

Whiteboard: (none) => has_procedure MGA1-32-OK

Comment 4 Samuel Verschelde 2012-08-17 09:35:50 CEST
Testing x86_64 complete. Waiting a little bit for Oliver's answer before validating.

Whiteboard: has_procedure MGA1-32-OK => has_procedure MGA1-32-OK MGA1-64-OK

Comment 5 Samuel Verschelde 2012-08-19 09:51:58 CEST
Update validated. I'll create another bug report for the possible missing dep.

See comment #2 for SRPM and advisory.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2012-08-21 16:14:47 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0230

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

