Bug#995785: Various vulnerabilities in mapserver

Max Kellermann max at blarg.de
Tue Oct 5 19:05:39 BST 2021


On 2021/10/05 19:15, Sebastiaan Couwenberg <sebastic at xs4all.nl> wrote:
> tags 995785 upstream
> forwarded 995785 https://github.com/MapServer/MapServer/pull/6418
>
> You should get CVEs for these security issues, then they will be tracked
> more appropriately than with this bugreport.

Huh, what a strange justification to close a bug report about security
vulnerabilities.

I'm not interested in tracking this issue - it's already tracked
upstream, and my PR has already been approved.  I wanted to help the
Debian project to ship a vulnerability fix in its version-frozen stable
releases.  A regular new upstream release will not land in Bullseye,
and without me telling you, it is unlikely that Debian users will ever
receive those fixes.

The last time I fixed vulnerabilities in MapServer (May 4th), the
fixes didn't land in Debian either.  Debian Bullseye shipped with a
vulnerable MapServer version.  MapServer 7.6.4 was released on July
12th with my vulnerability fixes, but Debian Bullseye was released a
month later with the known-vulnerable version 7.6.2.

Max



More information about the Pkg-grass-devel mailing list