FYI, an issue with scale computation has been found in the 5.6.4 release and is being worked on at the moment. We will publish a 5.6.5 release soon with a fix for it, so if you have not upgraded to 5.6.4 yet you should probably wait a few more hours.
Sorry about this

Daniel


Daniel Morissette wrote:
> The MapServer team announces the release of MapServer version 5.6.4 and
> 4.10.6.
>
> No new functionality has been added. 5.6.4 is a maintenance release that
> fixes a few issues (including a potential security vulnerability) that
> were found since the release of 5.6.3. The list of fixes since 5.6.3 is
> included at the end of this message.
>
> With respect to the 4.10.6 release, it only includes the security fixes
> described below.
>
>
> SECURITY FIXES:
> ---------------
>
> As part of a security audit of MapServer 5.6 it was reported that some
> of the mapserv CGI command-line arguments used by developers for
> debugging and testing the software constitute a security risk that could
> potentially be exploited remotely. We are not aware of any exploit for
> this issue at the moment, but it is strongly advised that users of past
> releases upgrade to the latest releases that disable the potentially
> insecure command-line args.
>
> We will not disclose any of the details here, but potential
> vulnerabilities were demonstrated to our team and it was recommended
> that we take actions to avoid command-line arguments in CGI programs. As
> a result and to create the smallest possible amount of disruption in
> point releases, for this release we simply disabled all mapserv
> command-line debug args by default, except for "-v" which is useful to
> get mapserv version on an installed system, as well as "-nh" and
> "QUERY_STRING=..." which add no risk and/or are used by msautotests and
> in some docs.
>
> This change does not affect functionality for regular mapserv CGI users
> working through HTTP, it only impacts developers that use those
> command-line arguments to debug and test the software. It should be
> noted that the use of command-line args for testing and debugging the
> software may be deprecated and replaced by a different mechanism in
> future releases.
>
> This release also fixes at least one important buffer overflow.
>
> Even if we release only 5.6.4 and 4.10.6 today, these security fixes
> have also been backported to all stable branches (going back to 4.10) in
> MapServer's Subversion (SVN) source code repository, so if you work from
> source and would like to patch your local MapServer source tree, the
> changeset (i.e. patch file) for each stable release can be obtained
> through the Trac ticket for each issue:
> - http://trac.osgeo.org/mapserver/ticket/3484
> - http://trac.osgeo.org/mapserver/ticket/3485
>
>
> Source and binary downloads:
> ----------------------------
>
> The source code is available at:
>
> http://mapserver.org/download.html
>
> The binary distributions listed in the download page should be updated
> with binaries for the new 5.6.4 release in the next few hours.
>
> We are also in the process of submitting security patches to the Ubuntu
> and Debian supported distributions.
>
>
> Version 5.6.4 (2010-07-08):
> ---------------------------
>
> IMPORTANT SECURITY FIXES:
>
> - Disabled some insecure (and potentially exploitable) mapserv command-line
>   debug arguments (#3485). The --enable-cgi-cl-debug-args configure switch
>   can be used to re-enable them for devs who really cannot get away without
>   them and who understand the potential security risk (not recommended for
>   production servers or those who don't understand the security
>   implications).
>
> - Fixed possible buffer overflow in msTmpFile() (#3484)
>
> Other fixes:
>
> - Fixed possible race condition with connectiontype WFS layers (#3137)
>
> - Modified mapserver units enum order to fix some problems with external
>   packages (#3173)
>
> - fix blending of transparent layers with AGG on MSB archs (#3471)
>
> - Fixed imageObj->saveImage() sends unnecessary headers (#3418)
>
> - Correct PropertyName parsing for wfs post requests (#3235)
>
> - Ensure mapwmslayer.c does not unlink file before closing connection on
>   it (#3451)
>
> - Fix security exception issue in C# with MSVC2010 (#3438)
>
> - Write out join CONNECTIONTYPE when saving a mapfile. (#3435)
>
> - Fixed attribute queries to use an extent stored (and cached) as part of
>   the queryObj rather than the map->extent. (#3424)
>
> - Reverted msLayerWhichItems() to 5.4-like behavior although still
>   supporting retrieving all items (#3356,#3342)
>
> - Grid layer: remove drawing of unnecessary grid lines (#3433)
>
> - OGC Filters for spatial dbs should be enclosed in parentheses (#3430)
>
> - Improve the handling of simple string comparisons for raster classified
>   values (#3425)
>
> - Add the ogc namespace to filters generated by Mapserver (#3414)
>
> - Fix MS_NONSQUARE to work in mode=map (#3413)
>
> - Improve error message when loadQuery() filename extension check fails
>   (#3302)
>
> - Fix GetLegendGraphic using keyimages (#3398)
>
> - Fix getFeatureInfo queries on WFS layers (#3403)
>
> - Fixed mapstring.c build problem related to errno (#3401).
>
> - Correct ungeoreferenced defaults via GetExtent() on raster layer (#3368)
>
> - More adjustments to how TLOCK_GDAL held around msGetGDALGeoTransform
>   (#3368)
> _______________________________________________
> mapserver-users mailing list
> [email protected]
> http://lists.osgeo.org/mailman/listinfo/mapserver-users

--
Daniel Morissette
http://www.mapgears.com/
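The allow-list policy the quoted announcement describes (a CGI binary that accepts only "-v", "-nh" and "QUERY_STRING=..." on its command line unless the build re-enables the debug arguments), written out as an added C example that is not MapServer's own code. The function names cgi_arg_allowed and cgi_check_argv, and the assumption that --enable-cgi-cl-debug-args defines ENABLE_CGI_CL_DEBUG_ARGS, are inventions for this illustration; like the announcement, it says nothing about how argv might be influenced remotely, only how to refuse anything outside the allow-list.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not MapServer code): the 5.6.4 policy for mapserv's argv.
 * Unless the build re-enables debug arguments (the configure switch
 * --enable-cgi-cl-debug-args is assumed here to define
 * ENABLE_CGI_CL_DEBUG_ARGS), the CGI binary accepts only "-v", "-nh" and
 * "QUERY_STRING=..." and refuses to start on anything else.
 * Function and macro names are assumptions for this example.
 */

/* Returns 1 if a single argument is on the default allow-list, 0 otherwise. */
int cgi_arg_allowed(const char *arg)
{
    static const char qs_prefix[] = "QUERY_STRING=";

    if (strcmp(arg, "-v") == 0 || strcmp(arg, "-nh") == 0)
        return 1;
    /* "QUERY_STRING=" with an empty value is accepted too: any prefix match. */
    if (strncmp(arg, qs_prefix, sizeof(qs_prefix) - 1) == 0)
        return 1;
    return 0;
}

/*
 * Walks argv[1..argc-1] and returns the index of the first argument that is
 * not allowed, or -1 if the whole command line is acceptable. argv[0] is the
 * program name and is never inspected. In a developer build every argument
 * is accepted, which is exactly why that switch must stay off on production
 * servers.
 */
int cgi_check_argv(int argc, char *argv[])
{
#ifdef ENABLE_CGI_CL_DEBUG_ARGS
    (void)argc;
    (void)argv;
    return -1;
#else
    int i;
    for (i = 1; i < argc; i++) {
        if (!cgi_arg_allowed(argv[i]))
            return i;
    }
    return -1;
#endif
}

int main(int argc, char *argv[])
{
    int bad = cgi_check_argv(argc, argv);

    if (bad != -1) {
        /* Refuse outright rather than silently ignoring the argument. */
        fprintf(stderr, "%s: command-line argument \"%s\" is disabled in this build\n",
                argv[0], argv[bad]);
        return 2;
    }
    printf("argv accepted; continuing with normal CGI processing\n");
    return 0;
}
```

Compiling with -DENABLE_CGI_CL_DEBUG_ARGS makes cgi_check_argv accept everything, which is the developer-only mode the announcement warns against for production servers; the default build rejects any argument that is not on the list, including a bare mapfile path.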
