Hi Sebastiaan,

On Tue, Dec 06, 2016 at 12:22:13AM +0100, Sebastiaan Couwenberg wrote:
> Dear Security Team,
>
> Today the MapServer team has released version 7.0.3 which fixes
> CVE-2016-9839. To quote the release announcement [0]:
>
> "
> That issue involves OGR error messages being too verbose in some
> instances and potentially disclosing sensitive information if the
> underlying connection fails. In addition we have backported a somewhat
> similar fix to the 6.x series for PostGIS layers.
> "
>
> I've already updated the package in unstable, and have cherry-picked the
> commit fixing the issue for OGR & PostGIS layers for the package in
> jessie (6.4.1-5+deb8u1) & wheezy (6.0.1-3.2+deb7u3). See the attached
> debdiffs.
>
> The "sensitive information" is the credentials for the database
> configured in the mapfile, which are reported in the error message. If
> the database is accessible over the network, unauthorized users may gain
> access using the credentials from the error message. An example is
> provided in the upstream issue [1] for the PostGIS layer, and it
> similarly affects the OGR layer [2][3].
>
> I don't think the issue is remotely exploitable, unless some way to
> force the database connection failure to occur is found. As long as the
> database is only accessible on the localhost, the impact of the issue is
> limited.
>
> Affected versions:
>
> * jessie: 6.4.1-5
> * wheezy: 6.0.1-3.2+deb7u2
>
> Fixed versions:
>
> * jessie: 6.4.1-5+deb8u1
> * wheezy: 6.0.1-3.2+deb7u3
>
> Are these changes OK for upload to security-master?
Thanks for contacting us. I think the issue could be fixed via an upcoming point release. Can you please schedule it via the upcoming one? See https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable for the respective guidelines.

Regards and thanks a lot for your work. I have updated the security-tracker entry for CVE-2016-9839 just now.

Salvatore

p.s.: For wheezy LTS, note that this is a separate project; it might be that they want to release a DLA, but for that please contact the Wheezy LTS team. Contact point: https://wiki.debian.org/LTS .
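The weakness discussed in the thread is a connection error that echoes the mapfile's database connection string, credentials included. As an added illustration (not MapServer's code and not the upstream fix), the following redacts sensitive keys from a libpq-style connection string, in both the bare form used for PostGIS layers and the "PG:"-prefixed form OGR accepts, before it is placed in an error message; the key list and sample strings are constructed for the example.

```python
import re

# libpq-style keys whose values must never reach a log line or a client-visible
# error. Constructed list for this example; extend to suit the deployment.
SENSITIVE_KEYS = {"password", "passfile", "sslkey"}

# key=value tokens; a value is either a single-quoted string (which may contain
# spaces and backslash escapes) or a run of non-whitespace characters.
_KV_RE = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|\S+)")


def redact_connection_string(conn: str) -> str:
    """Return conn with the values of sensitive keys replaced by '***'.

    Works on "host=db user=gis password=s3cret" as well as
    "PG:host=db user=gis password='p w'"; non-sensitive keys and the
    surrounding layout are left untouched so the message stays useful
    for debugging.
    """
    def _mask(m: re.Match) -> str:
        key = m.group(1)
        if key.lower() in SENSITIVE_KEYS:
            return f"{key}=***"
        return m.group(0)

    return _KV_RE.sub(_mask, conn)


def format_connect_error(conn: str, driver_msg: str) -> str:
    """Build the text a server would log or return when a connection fails.

    The connection details are redacted first, so a forced or accidental
    connection failure cannot disclose the credentials from the mapfile.
    """
    return f"Database connection failed ({redact_connection_string(conn)}): {driver_msg}"


if __name__ == "__main__":
    # Constructed sample: a PostGIS-style connection string with a password.
    sample = "host=db.example.test dbname=gis user=mapuser password=s3cret"
    print(format_connect_error(sample, "FATAL: password authentication failed"))
```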
