Re: [mapserver-users] 7.6.3 released - includes important security fix

2021-06-03 Thread Jeff McKenna via mapserver-users
The associated CVE security ID for this is: CVE-2021-32062 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32062


-jeff


--
Jeff McKenna
GatewayGeo: Developers of MS4W, MapServer Consulting and Training
co-founder of FOSS4G
http://gatewaygeo.com/



On 2021-04-30 7:55 p.m., Steve Lime wrote:
The MapServer team is pleased (kinda) to announce the 7.6.3 security and 
maintenance release.


Importantly, this release addresses a flaw, discovered by project 
developers, in MapServer CGI mapfile loading that makes it possible to 
bypass security controls (ticket #6313). This flaw makes it difficult to 
easily limit where MapServer can load a mapfile from and affects 
versions 4.10 and later. This is a critical issue and all users are 
encouraged to update as soon as possible.


What does this mean for you?

 1. If you've not used MS_MAP_PATTERN or MS_MAP_NO_PATH as part of
securing your installation then this doesn't have much impact since
you're not using the controls. That said, this is a critical
configuration step and you should upgrade and make use of those
controls to limit where mapfiles can be accessed.
 2. If you've relied on MS_MAP_PATTERN exclusively, you should upgrade
and be in good shape. However, it's a great time to review and test
MS_MAP_PATTERN.
 3. If you've relied on MS_MAP_NO_PATH primarily (like me), you should
upgrade and set a value for MS_MAP_PATTERN.

We are simultaneously releasing versions 7.0.8, 7.2.3 and 7.4.5 as well. 
Updates to binary distributions will follow ASAP.


For the list of additional changes see the Changelog at
https://mapserver.org/development/changelog/changelog-7-6.html

Or head to Download at https://mapserver.org/download.html

For those wanting searchable offline documentation, the updated PDF is
available at https://download.osgeo.org/mapserver/docs/MapServer.pdf



-- The MapServer Team




___
mapserver-users mailing list
mapserver-users@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-users


[mapserver-users] 7.6.3 released - includes important security fix

2021-04-30 Thread Steve Lime
The MapServer team is pleased (kinda) to announce the 7.6.3 security
and maintenance release.

Importantly, this release addresses a flaw, discovered by project
developers, in MapServer CGI mapfile loading that makes it possible to
bypass security controls (ticket #6313). This flaw makes it difficult
to easily limit where MapServer can load a mapfile from and affects
versions 4.10 and later. This is a critical issue and all users are
encouraged to update as soon as possible.

What does this mean for you?


   1. If you've not used MS_MAP_PATTERN or MS_MAP_NO_PATH as part of
securing your installation then this doesn't have much impact since
you're not using the controls. That said, this is a critical
configuration step and you should upgrade and make use of those
controls to limit where mapfiles can be accessed.
   2. If you've relied on MS_MAP_PATTERN exclusively, you should
upgrade and be in good shape. However, it's a great time to review and
test MS_MAP_PATTERN.
   3. If you've relied on MS_MAP_NO_PATH primarily (like me), you
should upgrade and set a value for MS_MAP_PATTERN.

We are simultaneously releasing versions 7.0.8, 7.2.3 and 7.4.5 as
well. Updates to binary distributions will follow ASAP.

For the list of additional changes see the Changelog at
https://mapserver.org/development/changelog/changelog-7-6.html

Or head to Download at https://mapserver.org/download.html

For those wanting searchable offline documentation, the updated PDF is
available at https://download.osgeo.org/mapserver/docs/MapServer.pdf

-- 
The MapServer Team
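The following Apache httpd fragment is an added example, not part of the announcement or of the MapServer project's own files. It shows the two controls named in the list above applied to a MapServer CGI installation, with the weak configuration left as a comment beside the hardened one. MS_MAP_PATTERN holds a regular expression that the mapfile path must match, and MS_MAP_NO_PATH, when set, forbids passing a path in the map= request parameter so that it must instead name an environment variable holding the path. The directory /var/www/mapfiles, the environment variable name SITE_MAP and the use of mod_env's SetEnv are assumptions for the example.

```apache
# Added example (not from the announcement): hardening the MapServer CGI
# mapfile controls discussed in the 7.6.3 release thread.

<Location "/cgi-bin/mapserv">
    # Weak: with neither variable set, any path given in ?map= is loaded.
    # (Nothing to configure here; the absence of both settings is the weak state.)

    # Hardened, step 1: only mapfiles inside one directory, with a plain
    # filename and a .map extension, may be loaded. Directory and pattern
    # are assumptions for this example.
    SetEnv MS_MAP_PATTERN "^/var/www/mapfiles/[A-Za-z0-9_-]+\.map$"

    # Hardened, step 2: refuse any path in the map= parameter; the parameter
    # must name an environment variable that holds the real path. As the
    # announcement advises, keep MS_MAP_PATTERN set alongside this rather
    # than relying on MS_MAP_NO_PATH alone.
    SetEnv MS_MAP_NO_PATH "1"

    # Environment variable that clients refer to as ?map=SITE_MAP
    # (name and path are assumptions for this example).
    SetEnv SITE_MAP "/var/www/mapfiles/site.map"
</Location>
```

After reloading httpd, verify the controls on a 7.6.3 (or later) build: a request with map=SITE_MAP should render, while a request carrying a filesystem path in map=, or naming a variable whose path falls outside the pattern, should be refused by MapServer. Checking both the allowed and the refused case is the review-and-test step the announcement recommends for MS_MAP_PATTERN.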