On Jan/18, Sebastiaan Couwenberg wrote:
> Today the MapServer team has announced the release of version 7.0.4
> which fixes CVE-2017-5522 (stack buffer overflow). To quote the
> release announcement [0]:
>
> "
> Today the project team released versions 6.0.6, 6.2.4, 6.4.5 and 7.0.4
> of MapServer. This is primarily a security release to address
> CVE-2017-5522. That issue involves a buffer overflow identified by
> MapServer developers associated with specific WFS get feature requests.
> "
>
> I've already updated the package in unstable, and have cherry-picked
> the commit fixing the issue for the package in jessie (6.4.1-5+deb8u3)
> & wheezy (6.0.1-3.2+deb7u3). See the attached debdiffs.
>
> The issue may be remotely exploitable with specifically crafted WFS
> requests.
>
> Are these changes OK for upload to security-master?

Yes, please upload, and I'll take care of the DSA.

Cheers,

--Seb
