Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>: Bug#439346; Package mapserver.
Acknowledgement sent to Francesco Paolo Lovergine <frankie@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>.
From: Francesco Paolo Lovergine <frankie@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: XSS issue
Date: Fri, 24 Aug 2007 12:45:45 +0200
Package: mapserver
Severity: grave
Tags: security
See
http://trac.osgeo.org/mapserver/ticket/2256
It needs updating to 4.10.3. Patch provided for etch to secteam in the meanwhile.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-686 (SMP w/1 CPU core)
Locale: LANG=it_IT@euro, LC_CTYPE=it_IT@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Tags added: pending, etch
Request was from Andreas Putzo <andreas@putzo.net>
to control@bugs.debian.org.
(Tue, 28 Aug 2007 17:48:01 GMT)
Reply sent to Andreas Putzo <andreas@putzo.net>:
You have taken responsibility.
Notification sent to Francesco Paolo Lovergine <frankie@debian.org>:
Bug acknowledged by developer.
Source: mapserver
Source-Version: 4.10.3-1
We believe that the bug you reported is fixed in the latest version of
mapserver, which is due to be installed in the Debian FTP archive:
cgi-mapserver_4.10.3-1_i386.deb
to pool/main/m/mapserver/cgi-mapserver_4.10.3-1_i386.deb
mapserver-bin_4.10.3-1_i386.deb
to pool/main/m/mapserver/mapserver-bin_4.10.3-1_i386.deb
mapserver-doc_4.10.3-1_all.deb
to pool/main/m/mapserver/mapserver-doc_4.10.3-1_all.deb
mapserver_4.10.3-1.dsc
to pool/main/m/mapserver/mapserver_4.10.3-1.dsc
mapserver_4.10.3-1.tar.gz
to pool/main/m/mapserver/mapserver_4.10.3-1.tar.gz
perl-mapscript_4.10.3-1_i386.deb
to pool/main/m/mapserver/perl-mapscript_4.10.3-1_i386.deb
php5-mapscript_4.10.3-1_i386.deb
to pool/main/m/mapserver/php5-mapscript_4.10.3-1_i386.deb
python-mapscript_4.10.3-1_i386.deb
to pool/main/m/mapserver/python-mapscript_4.10.3-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 439346@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Putzo <andreas@putzo.net> (supplier of updated mapserver package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 28 Aug 2007 08:21:59 +0000
Source: mapserver
Binary: mapserver-doc perl-mapscript mapserver-bin cgi-mapserver php5-mapscript python-mapscript
Architecture: source i386 all
Version: 4.10.3-1
Distribution: unstable
Urgency: high
Maintainer: Francesco Paolo Lovergine <frankie@debian.org>
Changed-By: Andreas Putzo <andreas@putzo.net>
Description:
cgi-mapserver - CGI executable for MapServer
mapserver-bin - MapServer utilities
mapserver-doc - documentation for MapServer
perl-mapscript - Perl MapServer library
php5-mapscript - php5-cgi module for MapServer
python-mapscript - Python library for MapServer
Closes: 433710 434326 434401 434406 434438 434653 434758 435933 436280 436853 439346
Changes:
mapserver (4.10.3-1) unstable; urgency=high
.
[ Andreas Putzo ]
* New upstream release.
- Fixed XSS vulnerabilities.
[http://trac.osgeo.org/mapserver/ticket/2256]
- Fixed possible buffer overflow in template processing.
[http://trac.osgeo.org/mapserver/ticket/2252]
(Closes: #439346)
* Added myself to Uploaders.
* Debconf templates and debian/control reviewed by the debian-l10n-
english team as part of the Smith review project. Closes: #433710
* Debconf translation updates:
- Galician. Closes: #434326
- Tamil. Closes: #434401
- Russian. Closes: #434406
- Portuguese. Closes: #434438
- German. Closes: #434653
- Vietnamese. Closes: #434758
- French. Closes: #435933
- Czech. Closes: #436280
- Dutch. Closes: #436853
Files:
9a26e912c1ec126df1b056f881e54052 1239 devel optional mapserver_4.10.3-1.dsc
551ef26040c0cd73855596d7746a0072 1771665 devel optional mapserver_4.10.3-1.tar.gz
0911a996a855b718d283c9eea90cb316 95934 doc optional mapserver-doc_4.10.3-1_all.deb
f9e9a2475d81012ceac14bf52f8320c7 539838 web optional php5-mapscript_4.10.3-1_i386.deb
165cc119963fd4b7baf95bd9f21c0f2f 711828 perl optional perl-mapscript_4.10.3-1_i386.deb
448f86fbbd5773bc4e186c700bb17dc2 434826 web optional cgi-mapserver_4.10.3-1_i386.deb
0b73c40ae5b375ded7753870d537790b 1107722 python optional python-mapscript_4.10.3-1_i386.deb
7e0e88e966a9b13336cbd265b26c5412 3155826 misc optional mapserver-bin_4.10.3-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFG1qcGpFNRmenyx0cRAu1cAKCR9N1D330eIg8xNIOXwtFBRC0mDQCglXt2
DgSOZi29Gzlvp/D7EatRvPk=
=1cRD
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 03 Oct 2007 07:28:21 GMT)