MapServer 5.2.2 and 4.10.4 have been released. (Version 5.4 will contain all of these fixes at the start and a beta 4 release will be available in a day or so.)
The releases contain fixes for issues discovered in an audit of the CGI by a 3rd party (tickets #2939, #2941, #2942, #2943 and #2944). The issues are detailed at:

http://trac.osgeo.org/mapserver/ticket/2939
http://trac.osgeo.org/mapserver/ticket/2941
http://trac.osgeo.org/mapserver/ticket/2942
http://trac.osgeo.org/mapserver/ticket/2943
http://trac.osgeo.org/mapserver/ticket/2944

Also provided is support for RFC-56, which addresses tightening up the control of access to mapfiles and templates:

http://mapserver.org/development/rfc/ms-rfc-56.html

Most of these defects have been present for a number of releases and the potential impact depends on your individual setup. Users of the mapserv CGI are strongly advised to upgrade to the latest release.

The changes do not directly affect MapScript; however, as a result of the changes, all users may have to modify their applications to upgrade. To upgrade you must:

1 - Make sure map files are well-formed, that is, the first token is MAP. Comments can come before the MAP token.

2 - Make sure symbol files are well-formed, that is, the first token is SYMBOLSET. Like mapfiles, comments can come before the SYMBOLSET token.

3 - MapServer templates (browse and query) must now include the magic string "MapServer Template". The string is not case sensitive but must be present in the first line of the template or MapServer will reject it. The first line is not output with the template.

Finally, please consider using the new environment variables detailed in the RFC to further secure your installation.

Upgrade tips: In many cases items 1-3 above can be completed prior to updating your software. For templates, you can enclose the magic string in comments appropriate to the template type (see the RFC above for examples). The magic string will be output until you complete the upgrade, but the browser will ignore it as a comment.
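A small pre-upgrade checker for items 1-3, as an added example that is not part of this announcement or of MapServer itself. The sample files are constructed; the `#` comment syntax and the case-insensitive matching of the MAP and SYMBOLSET keywords are assumptions about the mapfile format, and the `add_magic` helper wraps the magic string in an HTML comment as the upgrade tip suggests.

```python
# Added example: pre-upgrade check of mapfiles, symbol sets and templates.
MAGIC = "mapserver template"  # matched case-insensitively, first line only

# Constructed sample inputs (not from the announcement).
MAPFILE_OK = "# demo map\nMAP # inline comment\n  NAME demo\nEND\n"
MAPFILE_BAD = "NAME demo\nMAP\nEND\n"  # first token is NAME, not MAP
SYMBOLSET_OK = "# demo symbols\nSYMBOLSET\n  SYMBOL\n  END\nEND\n"
TEMPLATE_OK = "<!-- MapServer Template -->\n<html><body>[map]</body></html>\n"
TEMPLATE_BAD = "<html>\n<!-- mapserver template -->\n</html>\n"  # not on line 1

def first_token(text):
    """First token outside a '#' comment (assumed mapfile comment syntax),
    or None if the file contains only comments/whitespace."""
    for line in text.splitlines():
        code = line.split("#", 1)[0].strip()  # drop trailing comment
        if code:
            return code.split()[0]
    return None

def check_first_token(text, expected):
    """Items 1 and 2: the first token must be MAP (mapfile) or SYMBOLSET
    (symbol file). Keyword case-insensitivity is an assumption here."""
    tok = first_token(text)
    return tok is not None and tok.upper() == expected.upper()

def check_template(text):
    """Item 3: the magic string must appear on the template's first line."""
    lines = text.splitlines()
    return bool(lines) and MAGIC in lines[0].lower()

def add_magic(text, open_comment="<!--", close_comment="-->"):
    """Upgrade tip: prepend the magic string inside a comment so the template
    is accepted after the upgrade and harmless before it (HTML by default)."""
    return f"{open_comment} MapServer Template {close_comment}\n{text}"

def audit(files):
    """files: {name: (kind, text)}, kind in MAP, SYMBOLSET, TEMPLATE.
    Returns the names that the upgraded mapserv would reject."""
    rejected = []
    for name, (kind, text) in files.items():
        ok = check_template(text) if kind == "TEMPLATE" else check_first_token(text, kind)
        if not ok:
            rejected.append(name)
    return rejected

DEMO = {"ok.map": ("MAP", MAPFILE_OK), "bad.map": ("MAP", MAPFILE_BAD),
        "sym.sym": ("SYMBOLSET", SYMBOLSET_OK), "ok.html": ("TEMPLATE", TEMPLATE_OK),
        "bad.html": ("TEMPLATE", TEMPLATE_BAD)}
print("would be rejected:", audit(DEMO))  # ['bad.map', 'bad.html']
```

Run it over your real mapfiles, symbol sets and templates before installing the new release; anything it lists would be refused by the upgraded CGI.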
The source packages are available in the MapServer downloads page:

http://mapserver.org/download/

and can be downloaded directly at:

http://download.osgeo.org/mapserver/mapserver-5.2.2.tar.gz
http://download.osgeo.org/mapserver/mapserver-4.10.4.tar.gz

Precompiled binaries should be available shortly at the usual locations (also linked from the download page above). Existing MS4W users can go to the MS4W downloads page and use the "MapServer version 5.2.2 Upgrade" package.

If you have questions, comments or concerns please contact me directly or send a message to the -dev list.

Thanks to the folks at Positron Security for their assistance.

Steve

_______________________________________________
mapserver-users mailing list
http://lists.osgeo.org/mailman/listinfo/mapserver-users
