Bug#734565: mapserver: CVE-2013-7262

Sebastiaan Couwenberg sebastic at xs4all.nl
Wed Jan 8 22:15:56 UTC 2014


Hi Salvatore,

On 01/08/2014 10:09 AM, Salvatore Bonaccorso wrote:
> On Wed, Jan 08, 2014 at 08:40:35AM +0100, Sebastiaan Couwenberg wrote:
>> On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> The new mapserver packages were prepared before the CVE was available.

I've prepared new mapserver packages for squeeze and wheezy with only
the fix for this CVE; the new stable upstream release route I initially
took is not proper for fixing this issue.

mapserver (6.0.1-3.2+deb7u2) for wheezy:

http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_6.0.1-3.2+deb7u2.dsc

mapserver (5.6.5-2+squeeze3) for squeeze:

http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_5.6.5-2+squeeze3.dsc

The squeeze package contained debhelper.log files in the debian/
directory, which caused problems for clean pbuilder builds, so they were
removed. And dpatch insisted on changing the permissions. I've included
these changes in the squeeze package too.

>>> Please adjust the affected versions in the BTS as needed, at least
>>> unstable from looking at source seems affected.
>>
>> Unstable is no longer affected with the upload of mapserver 6.4.1; wheezy
>> and squeeze still are, but the proposed updates for both are waiting for
>> feedback from the release team:
> 
> Could you clarify if second commit referenced in
> 
> https://github.com/mapserver/mapserver/issues/4834
> (WFS-2 specific fixes for postgis time sql injections (#4834,#4815))
> 
> is also needed? Is this relevant for Debian?

No, the WFS-2 specific commit shouldn't be relevant for Debian yet.

The vulnerability was discovered during the implementation of WFS 2.0
support in MapServer. That support only lives in the master branch for
now and will be included in the next major upstream release.

> Thanks for your work, and regards,
> Salvatore

If the security-team approves the package changes, shall I ask my
sponsor to upload the packages?

Kind Regards,

Bas

-- 
GnuPG: 0xE88D4AF1 (new) / 0x77A975AD (old)