MapServer 4.10.3 has just been released with some security fixes.

This release contains fixes for XSS vulnerabilities that have been found in the mapserv CGI and have been present for several releases. We have verified that the issues were present in versions 4.4 to 5.0-beta4. They may also have been present in older releases, but we did not test that far. Note that these specific issues only affect the mapserv CGI; the various MapScript bindings should not be vulnerable to them.

Users of the mapserv CGI are strongly advised to upgrade to the latest release. If you are running an older release and cannot upgrade, then you can find a patch that can be applied to MapServer 4.8 and older in ticket #2256 at http://trac.osgeo.org/mapserver/ticket/2256

This release contains no new features; the list of changes/fixes since 4.10.2 is included at the end of this message.

Finally, the source package is available in the MapServer downloads page:
http://mapserver.gis.umn.edu/download/current/
Precompiled binaries should be available shortly at the usual locations (also linked from the download page above).

Daniel


Version 4.10.3 (2007-08-22)
---------------------------

- Fixed XSS vulnerabilities (#2256)

- Fixed possible buffer overflow in template processing (#2252)

- Rename libmap.a to libmapserver.a for commonality with
  libmapserver.so (#2150)

- Fixed size of output buffer in msGetEncodedString() (#2132)

- SOS : backport fixes related to large xml outputs (#1938, #2146)

- WCS : Fixed resampling/reprojecting for tileindex datasets (#2180)
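As an added illustration of the class of fixes listed above for #2256 (XSS in the mapserv CGI) and #2132 (output buffer sizing), here is a small C example. It is not MapServer code and says nothing about how MapServer's own fix is implemented; the function names (html_escape, html_escape_alloc, html_escape_equals) are hypothetical. It HTML-escapes a CGI parameter value before that value is echoed into generated HTML, and it sizes the output buffer from the escaped length rather than from the input length, refusing to write at all when the caller's buffer is too small instead of emitting a truncated entity.

```c
/* Added example, not MapServer code: escape untrusted CGI input for HTML
 * output, with the output buffer sized from the escaped length. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entity for a character that must not reach HTML verbatim, else NULL. */
static const char *html_entity(unsigned char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Length of the escaped form of 'in', excluding the terminating NUL. */
static size_t html_escaped_len(const char *in)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *ent = html_entity(*p);
        n += ent ? strlen(ent) : 1;
    }
    return n;
}

/* Escape 'in' into 'out' (capacity outsz). Returns the length the escaped
 * string needs, like snprintf. If that length does not fit together with
 * the NUL, nothing is written except an empty string, so the caller can
 * never echo a half-written entity such as "&l". */
size_t html_escape(const char *in, char *out, size_t outsz)
{
    size_t needed = html_escaped_len(in);
    if (outsz == 0)
        return needed;
    if (needed + 1 > outsz) {
        out[0] = '\0';
        return needed;
    }
    char *o = out;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *ent = html_entity(*p);
        if (ent) {
            size_t len = strlen(ent);
            memcpy(o, ent, len);
            o += len;
        } else {
            *o++ = (char)*p;
        }
    }
    *o = '\0';
    return needed;
}

/* Allocate exactly the buffer the escaped string needs. Caller frees. */
char *html_escape_alloc(const char *in)
{
    size_t needed = html_escaped_len(in);
    char *out = malloc(needed + 1);
    if (!out)
        return NULL;
    html_escape(in, out, needed + 1);
    return out;
}

/* Convenience check: does escaping 'in' yield 'expected'? */
int html_escape_equals(const char *in, const char *expected)
{
    char *esc = html_escape_alloc(in);
    if (!esc)
        return 0;
    int same = strcmp(esc, expected) == 0;
    free(esc);
    return same;
}

int main(void)
{
    /* Constructed sample: a query-string value as a CGI program might see it. */
    const char *param = "<b>Title</b> & \"more\"";
    char *safe = html_escape_alloc(param);
    if (!safe)
        return 1;
    printf("raw:     %s\nescaped: %s\n", param, safe);
    free(safe);
    return 0;
}
```

The point of returning the needed length rather than a success flag is that a caller with a fixed-size buffer can detect the too-small case (return value >= outsz) and fall back to the allocating variant; a template engine that echoes request values should do the escaping at the point of output, not when the parameter is parsed, so that the same value can still be used unescaped elsewhere (for example, in a file lookup that has its own validation).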
