mapserver -- several vulnerabilities

ID DSA-2285
Type debian
Reporter Debian
Modified 2011-07-26T00:00:00


Several vulnerabilities have been discovered in mapserver, a CGI-based web framework to publish spatial data and interactive mapping applications. The Common Vulnerabilities and Exposures project identifies the following problems:

Several instances of insufficient escaping of user input, leading to SQL injection attacks via OGC filter encoding (in WMS, WFS, and SOS filters).

Missing length checks in the processing of OGC filter encoding that can lead to stack-based buffer overflows and the execution of arbitrary code.

For the oldstable distribution (lenny), these problems have been fixed in version 5.0.3-3+lenny7.

For the stable distribution (squeeze), these problems have been fixed in version 5.6.5-2+squeeze2.

For the testing (squeeze) and unstable (sid) distributions, these problems will be fixed soon.

We recommend that you upgrade your mapserver packages.