Debian Bug report logs - #439346
XSS issue

Package: mapserver; Maintainer for mapserver is Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>;

Reported by: Francesco Paolo Lovergine <frankie@debian.org>

Date: Fri, 24 Aug 2007 10:48:01 UTC

Severity: grave

Tags: etch, security

Fixed in version mapserver/4.10.3-1

Done: Andreas Putzo <andreas@putzo.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>:
Bug#439346; Package mapserver.


Acknowledgement sent to Francesco Paolo Lovergine <frankie@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Francesco Paolo Lovergine <frankie@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: XSS issue
Date: Fri, 24 Aug 2007 12:45:45 +0200
Package: mapserver
Severity: grave
Tags: security

See 

http://trac.osgeo.org/mapserver/ticket/2256

It needs updating to 4.10.3. Patch provided for etch to secteam in the meanwhile.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686 (SMP w/1 CPU core)
Locale: LANG=it_IT@euro, LC_CTYPE=it_IT@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash



Tags added: pending, etch. Request was from Andreas Putzo <andreas@putzo.net> to control@bugs.debian.org. (Tue, 28 Aug 2007 17:48:01 GMT)


Reply sent to Andreas Putzo <andreas@putzo.net>:
You have taken responsibility.


Notification sent to Francesco Paolo Lovergine <frankie@debian.org>:
Bug acknowledged by developer.


Message #12 received at 439346-close@bugs.debian.org:

From: Andreas Putzo <andreas@putzo.net>
To: 439346-close@bugs.debian.org
Subject: Bug#439346: fixed in mapserver 4.10.3-1
Date: Thu, 30 Aug 2007 11:32:04 +0000
Source: mapserver
Source-Version: 4.10.3-1

We believe that the bug you reported is fixed in the latest version of
mapserver, which is due to be installed in the Debian FTP archive:

cgi-mapserver_4.10.3-1_i386.deb
  to pool/main/m/mapserver/cgi-mapserver_4.10.3-1_i386.deb
mapserver-bin_4.10.3-1_i386.deb
  to pool/main/m/mapserver/mapserver-bin_4.10.3-1_i386.deb
mapserver-doc_4.10.3-1_all.deb
  to pool/main/m/mapserver/mapserver-doc_4.10.3-1_all.deb
mapserver_4.10.3-1.dsc
  to pool/main/m/mapserver/mapserver_4.10.3-1.dsc
mapserver_4.10.3-1.tar.gz
  to pool/main/m/mapserver/mapserver_4.10.3-1.tar.gz
perl-mapscript_4.10.3-1_i386.deb
  to pool/main/m/mapserver/perl-mapscript_4.10.3-1_i386.deb
php5-mapscript_4.10.3-1_i386.deb
  to pool/main/m/mapserver/php5-mapscript_4.10.3-1_i386.deb
python-mapscript_4.10.3-1_i386.deb
  to pool/main/m/mapserver/python-mapscript_4.10.3-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 439346@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Putzo <andreas@putzo.net> (supplier of updated mapserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 28 Aug 2007 08:21:59 +0000
Source: mapserver
Binary: mapserver-doc perl-mapscript mapserver-bin cgi-mapserver php5-mapscript python-mapscript
Architecture: source i386 all
Version: 4.10.3-1
Distribution: unstable
Urgency: high
Maintainer: Francesco Paolo Lovergine <frankie@debian.org>
Changed-By: Andreas Putzo <andreas@putzo.net>
Description: 
 cgi-mapserver - CGI executable for MapServer
 mapserver-bin - MapServer utilities
 mapserver-doc - documentation for MapServer
 perl-mapscript - Perl MapServer library
 php5-mapscript - php5-cgi module for MapServer
 python-mapscript - Python library for MapServer
Closes: 433710 434326 434401 434406 434438 434653 434758 435933 436280 436853 439346
Changes: 
 mapserver (4.10.3-1) unstable; urgency=high
 .
   [ Andreas Putzo ]
   * New upstream release.
     - Fixed XSS vulnerabilities.
       [http://trac.osgeo.org/mapserver/ticket/2256]
     - Fixed possible buffer overflow in template processing.
       [http://trac.osgeo.org/mapserver/ticket/2252]
     (Closes: #439346)
   * Added myself to Uploaders.
   * Debconf templates and debian/control reviewed by the debian-l10n-
     english team as part of the Smith review project. Closes: #433710
   * Debconf translation updates:
     - Galician. Closes: #434326
     - Tamil. Closes: #434401
     - Russian. Closes: #434406
     - Portuguese. Closes: #434438
     - German. Closes: #434653
     - Vietnamese. Closes: #434758
     - French. Closes: #435933
     - Czech. Closes: #436280
     - Dutch. Closes: #436853
Files: 
 9a26e912c1ec126df1b056f881e54052 1239 devel optional mapserver_4.10.3-1.dsc
 551ef26040c0cd73855596d7746a0072 1771665 devel optional mapserver_4.10.3-1.tar.gz
 0911a996a855b718d283c9eea90cb316 95934 doc optional mapserver-doc_4.10.3-1_all.deb
 f9e9a2475d81012ceac14bf52f8320c7 539838 web optional php5-mapscript_4.10.3-1_i386.deb
 165cc119963fd4b7baf95bd9f21c0f2f 711828 perl optional perl-mapscript_4.10.3-1_i386.deb
 448f86fbbd5773bc4e186c700bb17dc2 434826 web optional cgi-mapserver_4.10.3-1_i386.deb
 0b73c40ae5b375ded7753870d537790b 1107722 python optional python-mapscript_4.10.3-1_i386.deb
 7e0e88e966a9b13336cbd265b26c5412 3155826 misc optional mapserver-bin_4.10.3-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG1qcGpFNRmenyx0cRAu1cAKCR9N1D330eIg8xNIOXwtFBRC0mDQCglXt2
DgSOZi29Gzlvp/D7EatRvPk=
=1cRD
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 03 Oct 2007 07:28:21 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:03:58 2025; Machine Name: buxtehude
