Bug#734565: mapserver: CVE-2013-7262
Hi Sebastiaan,

On Wed, Jan 08, 2014 at 11:15:56PM +0100, Sebastiaan Couwenberg wrote:
> Hi Salvatore,
>
> On 01/08/2014 10:09 AM, Salvatore Bonaccorso wrote:
>> On Wed, Jan 08, 2014 at 08:40:35AM +0100, Sebastiaan Couwenberg wrote:
>>> On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
>>>> If you fix the vulnerability please also make sure to include the CVE
>>>> (Common Vulnerabilities Exposures) id in your changelog entry.
>>>
>>> The new mapserver packages were prepared before the CVE was available.
>
> I've prepared new mapserver packages for squeeze and wheezy with only the
> fix for this CVE; the new stable upstream release route I initially took is
> not proper to fix this issue.
>
> mapserver (6.0.1-3.2+deb7u2) for wheezy:
> http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_6.0.1-3.2+deb7u2.dsc
>
> mapserver (5.6.5-2+squeeze3) for squeeze:
> http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_5.6.5-2+squeeze3.dsc
>
> The squeeze package contained debhelper.log files in the debian/ directory,
> which caused problems for clean pbuilder builds, so they were removed. And
> dpatch insisted on changing the permissions. I've included these changes in
> the squeeze package too.
>
>>>> Please adjust the affected versions in the BTS as needed; at least
>>>> unstable, from looking at the source, seems affected.
>>>
>>> Unstable is no longer affected with the upload of mapserver 6.4.1; wheezy
>>> and squeeze still are, but the proposed updates for both are waiting for
>>> feedback from the release team:
>>
>> Could you clarify if the second commit referenced in
>> https://github.com/mapserver/mapserver/issues/4834 (WFS-2 specific fixes
>> for postgis time sql injections (#4834,#4815)) is also needed? Is this
>> relevant for Debian?
>
> No, the WFS-2 specific commit shouldn't be relevant for Debian yet. The
> vulnerability was discovered during the implementation of WFS 2.0 support
> in MapServer. That support only lives in the master branch for now and
> will be included in the next major upstream release.

Okay, thanks for this explanation.

Regarding the upload for security: we have tagged this issue 'no-dsa'[1],
meaning that no DSA is planned for this vulnerability only. So if you are
planning to do a (old)stable-proposed-updates upload, the above can be
included there (either by updating to an upstream version as you propose,
or by an isolated patch; it depends on what the release team would like to
have for these two opu and pu requests).

[1] https://security-tracker.debian.org/tracker/CVE-2013-7262

Thanks again for the quick follow-ups,

Regards,
Salvatore

___
Pkg-grass-devel mailing list
Pkg-grass-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-grass-devel
Bug#734565: mapserver: CVE-2013-7262
Hi Salvatore,

On 01/08/2014 10:09 AM, Salvatore Bonaccorso wrote:
> On Wed, Jan 08, 2014 at 08:40:35AM +0100, Sebastiaan Couwenberg wrote:
>> On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
>>> If you fix the vulnerability please also make sure to include the CVE
>>> (Common Vulnerabilities Exposures) id in your changelog entry.
>>
>> The new mapserver packages were prepared before the CVE was available.

I've prepared new mapserver packages for squeeze and wheezy with only the
fix for this CVE; the new stable upstream release route I initially took is
not proper to fix this issue.

mapserver (6.0.1-3.2+deb7u2) for wheezy:
http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_6.0.1-3.2+deb7u2.dsc

mapserver (5.6.5-2+squeeze3) for squeeze:
http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_5.6.5-2+squeeze3.dsc

The squeeze package contained debhelper.log files in the debian/ directory,
which caused problems for clean pbuilder builds, so they were removed. And
dpatch insisted on changing the permissions. I've included these changes in
the squeeze package too.

>>> Please adjust the affected versions in the BTS as needed; at least
>>> unstable, from looking at the source, seems affected.
>>
>> Unstable is no longer affected with the upload of mapserver 6.4.1; wheezy
>> and squeeze still are, but the proposed updates for both are waiting for
>> feedback from the release team:
>
> Could you clarify if the second commit referenced in
> https://github.com/mapserver/mapserver/issues/4834 (WFS-2 specific fixes
> for postgis time sql injections (#4834,#4815)) is also needed? Is this
> relevant for Debian?

No, the WFS-2 specific commit shouldn't be relevant for Debian yet. The
vulnerability was discovered during the implementation of WFS 2.0 support
in MapServer. That support only lives in the master branch for now and
will be included in the next major upstream release.

> Thanks for your work, and regards,
> Salvatore

If the security team approves the package changes, shall I ask my sponsor
to upload the packages?

Kind Regards,

Bas

-- 
GnuPG: 0xE88D4AF1 (new) / 0x77A975AD (old)
Bug#734565: mapserver: CVE-2013-7262
On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the CVE
> (Common Vulnerabilities Exposures) id in your changelog entry.

The new mapserver packages were prepared before the CVE was available.

> Please adjust the affected versions in the BTS as needed; at least
> unstable, from looking at the source, seems affected.

Unstable is no longer affected with the upload of mapserver 6.4.1; wheezy
and squeeze still are, but the proposed updates for both are waiting for
feedback from the release team:

Bug#734099: pu: package mapserver/6.0.4-1
Bug#734118: opu: package mapserver/5.6.9-1

Kind Regards,

Bas

-- 
GnuPG: 0xE88D4AF1 (new) / 0x77A975AD (old)