[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
This was fixed in maverick some time ago:

mapserver (5.6.5-1) unstable; urgency=low

  * New upstream release with an important bug fix about scale calculation.
  * Added OGC SOS server support.

mapserver (5.6.4-1) unstable; urgency=high

  [ Alan Boudreault ]
  * New upstream release, with important security bug fixes.
  * Fix Buffer overflow in msTmpFile function.
    [http://trac.osgeo.org/mapserver/ticket/3484]
  * Fix insecure mapserv CGI command-line debug args.
    [http://trac.osgeo.org/mapserver/ticket/3485]

  [ Francesco Paolo Lovergine ]
  * Policy bumped to 3.9.4, no changes required.
  * Note that in practice bashisms are avoided due to current options selection.
    (closes: #582098)
  * Urgency set to high due to security fixes included.

mapserver (5.6.3-2) unstable; urgency=low

  * Added palette support for rgba png.

 -- Michael Bienia  Tue, 20 Jul 2010 16:44:16 +0100

** Changed in: mapserver (Ubuntu Maverick)
       Status: Confirmed => Fix Released

--
buffer overflow + insecure mapserv CGI command-line debug args
https://bugs.launchpad.net/bugs/603593
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
** Changed in: mapserver (Ubuntu Maverick)
   Importance: Undecided => High

** Changed in: mapserver (Ubuntu Maverick)
   Importance: High => Critical
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
Please synchronize mapserver 5.6.5 from Debian unstable to Ubuntu Maverick. This release includes sec patches.

At the same time, please close that bug: https://bugs.launchpad.net/bugs/607281 (which is asking for that sync too)
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
Marking as patch-accepted-upstream as patches are SRU patches originating from upstream and released in 5.6.4

** Tags added: patch-accepted-upstream
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
Right, I took a note about the "LP: #..." hint. Thanks a lot for those quick uploads.
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
** Tags added: patch
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
** Branch linked: lp:ubuntu/lucid-security/mapserver

** Branch linked: lp:ubuntu/hardy-security/mapserver

** Branch linked: lp:ubuntu/karmic-security/mapserver
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
This bug was fixed in the package mapserver - 5.0.0-3ubuntu0.2

---------------
mapserver (5.0.0-3ubuntu0.2) hardy-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in msTmpFile function (LP: #603593)
    - debian/patches/07_mstmpfile.dpatch: Fix the buffer overflow.
      [http://trac.osgeo.org/mapserver/ticket/3484]
  * SECURITY UPDATE: Insecure CGI command-line debug args (LP: #603593)
    - debian/patches/08_cl_debug_args.dpatch: Disable insecure mapserv
      CGI command-line debug args.
      [http://trac.osgeo.org/mapserver/ticket/3485]

 -- Alan Boudreault  Fri, 09 Jul 2010 09:36:30 -0400
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
This bug was fixed in the package mapserver - 5.4.2-1ubuntu0.1

---------------
mapserver (5.4.2-1ubuntu0.1) karmic-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in msTmpFile function (LP: #603593)
    - debian/patches/01_mstmpfile.dpatch: Fix the buffer overflow.
      [http://trac.osgeo.org/mapserver/ticket/3484]
  * SECURITY UPDATE: Insecure CGI command-line debug args (LP: #603593)
    - debian/patches/02_cl_debug_args.dpatch: Disable insecure mapserv
      CGI command-line debug args.
      [http://trac.osgeo.org/mapserver/ticket/3485]

 -- Alan Boudreault  Fri, 09 Jul 2010 09:36:30 -0400

** Changed in: mapserver (Ubuntu Hardy)
       Status: Fix Committed => Fix Released
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
This bug was fixed in the package mapserver - 5.6.1-1ubuntu1.1

---------------
mapserver (5.6.1-1ubuntu1.1) lucid-security; urgency=low

  * SECURITY UPDATE: Buffer overflow in msTmpFile function (LP: #603593)
    - debian/patches/01_mstmpfile.dpatch: Fix the buffer overflow.
      [http://trac.osgeo.org/mapserver/ticket/3484]
  * SECURITY UPDATE: Insecure CGI command-line debug args (LP: #603593)
    - debian/patches/02_cl_debug_args.dpatch: Disable insecure mapserv
      CGI command-line debug args.
      [http://trac.osgeo.org/mapserver/ticket/3485]

 -- Alan Boudreault  Fri, 09 Jul 2010 09:36:30 -0400

** Changed in: mapserver (Ubuntu Lucid)
       Status: Fix Committed => Fix Released

** Bug watch added: trac.osgeo.org/mapserver/ #3484
   http://trac.osgeo.org/mapserver/ticket/3484

** Bug watch added: trac.osgeo.org/mapserver/ #3485
   http://trac.osgeo.org/mapserver/ticket/3485

** Changed in: mapserver (Ubuntu Karmic)
       Status: Fix Committed => Fix Released
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
I've uploaded these to the security queue.

** Changed in: mapserver (Ubuntu Lucid)
       Status: Confirmed => Fix Committed

** Changed in: mapserver (Ubuntu Hardy)
       Status: Confirmed => Fix Committed

** Changed in: mapserver (Ubuntu Karmic)
       Status: Confirmed => Fix Committed
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
ACK for hardy, karmic and lucid, though it's too bad we needed autoconf changes for this (patch is huge).

Alan, in the future, please use 'LP: #...' instead of 'LP #...'. Launchpad won't autoclose bugs without the colon. I've fixed it for the upload.
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
Subscribing ubuntu-security-sponsors as per https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
We are going to upload the MapServer 5.6.4 release to Debian Unstable today. Afterwards, Maverick will have to be synchronized with Debian. I'll add a comment here as soon as the 5.6.4 release is ready to be synched.
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
Here's the sec update for lucid. Build tested on a clean environment.

** Patch added: "debdiff for lucid"
   http://launchpadlibrarian.net/51630365/mapserver_5.6.1-1ubuntu1.1.diff
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
Here's the sec update for karmic. Build tested on a clean environment.

** Patch added: "debdiff for karmic"
   http://launchpadlibrarian.net/51629279/mapserver_5.4.2-1ubuntu0.1.diff
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
Here's the sec update for hardy. Build tested on a clean environment.

** Patch added: "debdiff for hardy"
   http://launchpadlibrarian.net/51627901/mapserver_5.0.0-3ubuntu0.2.diff
[Bug 603593] Re: buffer overflow + insecure mapserv CGI command-line debug args
Alan, thanks for the heads up and your work on this! When submitting debdiffs please follow https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors to make sure your patches are published in a timely manner. Thanks!

** Visibility changed to: Public

** Also affects: mapserver (Ubuntu Hardy)
   Importance: Undecided
       Status: New

** Also affects: mapserver (Ubuntu Karmic)
   Importance: Undecided
       Status: New

** Also affects: mapserver (Ubuntu Maverick)
   Importance: Undecided
       Status: New

** Also affects: mapserver (Ubuntu Lucid)
   Importance: Undecided
       Status: New

** Changed in: mapserver (Ubuntu Lucid)
       Status: New => Confirmed

** Changed in: mapserver (Ubuntu Maverick)
       Status: New => Confirmed

** Changed in: mapserver (Ubuntu Hardy)
       Status: New => Confirmed

** Changed in: mapserver (Ubuntu Karmic)
       Status: New => Confirmed