Bug#995785: Various vulnerabilities in mapserver
Max Kellermann
max at blarg.de
Tue Oct 5 19:05:39 BST 2021
On 2021/10/05 19:15, Sebastiaan Couwenberg <sebastic at xs4all.nl> wrote:
> tags 995785 upstream
> forwarded 995785 https://github.com/MapServer/MapServer/pull/6418
>
> You should get CVEs for these security issues, then they will be tracked
> more appropriately than with this bugreport.
Huh, what a strange justification to close a bug report about security
vulnerabilities.
I'm not interested in tracking this issue - it's already tracked
upstream, and my PR has already been approved. I wanted to help the
Debian project to ship a vulnerability fix in its version-frozen stable
releases. A regular new upstream release will not land in Bullseye,
and without me telling you, it is unlikely that Debian users will ever
receive those fixes.
The last time I fixed vulnerabilities in MapServer (May 4th), the
fixes didn't land in Debian either. Debian Bullseye shipped with a
vulnerable MapServer version. MapServer 7.6.4 was released on July
12th with my vulnerability fixes, but Debian Bullseye was released a
month later with the known-vulnerable version 7.6.2.
Max