Debian: New mapserver packages fix multiple vulnerabilities

    Date04 Apr 2008
    CategoryDebian
    2455
    Posted ByLinuxSecurity Advisories
    Lack of input sanitizing and output escaping in the CGI mapserver's template handling and error reporting routines leads to cross-site scripting vulnerabilities.
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1539-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                           Devin Carraway
    April 04, 2008                        http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : mapserver
    Vulnerability  : multiple
    Problem type   : remote
    Debian-specific: no
    CVE Id(s)      : CVE-2007-4542 CVE-2007-4629
    
    Chris Schmidt and Daniel Morissette discovered two vulnerabilities
    in mapserver, a development environment for spatial and mapping
    applications.  The Common Vulnerabilities and Exposures project
    identifies the following two problems:
    
    CVE-2007-4542
    
        Lack of input sanitizing and output escaping in the CGI
        mapserver's template handling and error reporting routines leads
        to cross-site scripting vulnerabilities.
    
    CVE-2007-4629
        
        Missing bounds checking in mapserver's template handling leads to
        a stack-based buffer overrun vulnerability, allowing a remote
        attacker to execute arbitrary code with the privileges of the CGI
        or httpd user.
    
    For the stable distribution (etch), these problems have been fixed in
    version 4.10.0-5.1+etch2.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 4.10.3-1.
    
    We recommend that you upgrade your mapserver (4.10.0-5.1+etch2) package.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver_4.10.0-5.1+etch2.dsc
        Size/MD5 checksum:     1315 19c7e595b5f855246bdda2cb64dfbba6
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver_4.10.0.orig.tar.gz
        Size/MD5 checksum:  1782838 4668bbd017c20c251e962a5cd09c8f31
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver_4.10.0-5.1+etch2.diff.gz
        Size/MD5 checksum:    21156 d424dba068ade923260400584ccc41c9
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc_4.10.0-5.1+etch2_all.deb
        Size/MD5 checksum:    98096 228d80f159c068f2f2dbcaabdc5f0142
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch2_alpha.deb
        Size/MD5 checksum:   499998 8f5698905169ca1628313e963d97c736
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch2_alpha.deb
        Size/MD5 checksum:   606384 19ea43dbd9c415093f7eb4726b729897
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch2_alpha.deb
        Size/MD5 checksum:  3680182 aacfaef3131318654056f40b421939fa
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch2_alpha.deb
        Size/MD5 checksum:   607784 cb386adc2051f239bd0caef91ac92505
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch2_alpha.deb
        Size/MD5 checksum:   635130 06f6d035a7611623be6cb5c3afd0ef9e
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch2_alpha.deb
        Size/MD5 checksum:   770054 ef54472362dbc57e8fc9b1e264215c79
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch2_amd64.deb
        Size/MD5 checksum:   546404 792b68c551f4bb850cc2e3fb6dc6a4fd
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch2_amd64.deb
        Size/MD5 checksum:   577372 664d2194141c0d80ad8ba4c4cde7879c
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch2_amd64.deb
        Size/MD5 checksum:   545634 ca7def85a6cbe91d04b27b111b4c9ab5
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch2_amd64.deb
        Size/MD5 checksum:   698078 32bb9470760e29a552b809073a9acc7d
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch2_amd64.deb
        Size/MD5 checksum:  3269920 43e559a538f7bf03fdbf9997f69ca50c
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch2_amd64.deb
        Size/MD5 checksum:   447180 67f97111943841cfcc3cbed8ce38d637
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch2_hppa.deb
        Size/MD5 checksum:   490234 f8b6750656c332fe23c39a9f78ed221f
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch2_hppa.deb
        Size/MD5 checksum:   604170 e8eee5772e3a22700b86cc5a3a212ab0
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch2_hppa.deb
        Size/MD5 checksum:   605416 7b60c69d78d1b9418c84a1d64a6fa52a
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch2_hppa.deb
        Size/MD5 checksum:   716022 99284438b81148dd876ca643d368bdfb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch2_hppa.deb
        Size/MD5 checksum:  3604018 33c29a3f03084548e2986da9a801eaea
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch2_hppa.deb
        Size/MD5 checksum:   640994 ec6952e07f25d21536f97881940fc332
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch2_i386.deb
        Size/MD5 checksum:   679168 e64403426963a88c377542fea91343c4
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch2_i386.deb
        Size/MD5 checksum:   548294 630201c053e7b91f8e9ce64c823c17dd
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch2_i386.deb
        Size/MD5 checksum:   437666 0a1505703af0c1a48d64f2d038da6aa0
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch2_i386.deb
        Size/MD5 checksum:   532098 572b22648d3c22ce7407eea80a67f82a
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch2_i386.deb
        Size/MD5 checksum:   532862 58a54016f685daab8c567c876ad1c4bd
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch2_i386.deb
        Size/MD5 checksum:  3190140 204555dc33ec7b226ef8f2f8525db170
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch2_ia64.deb
        Size/MD5 checksum:   783708 7b29e6da8bf8250c04a62fe13bdc011b
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch2_ia64.deb
        Size/MD5 checksum:  5063660 b889010ab9c78e7ed07eea208a9334a0
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch2_ia64.deb
        Size/MD5 checksum:   784782 97086a9de4be64b8b8707134f1bcfbd3
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch2_ia64.deb
        Size/MD5 checksum:   679852 68efbd6efae15a522a2f2c63e376487a
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch2_ia64.deb
        Size/MD5 checksum:   981752 069d27887888b57c99a6b4fe3f0722f1
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch2_ia64.deb
        Size/MD5 checksum:   821774 e150ab973b38a7c07e5c847d6b5bd64b
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch2_mips.deb
        Size/MD5 checksum:   548380 4e47dfcf1964e0e492843edf4dccfa3a
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch2_mips.deb
        Size/MD5 checksum:   546882 01c1fe2bb20638adb7b7766d8f206f75
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch2_mips.deb
        Size/MD5 checksum:   562064 ac0f572131814de0d6d42baedb2c79e2
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch2_mips.deb
        Size/MD5 checksum:  3508794 0a9693d49164791b4937ca6a2dc3cc89
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch2_mips.deb
        Size/MD5 checksum:   596240 80e21dbb719f84659ebcf4fe1b33b84f
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch2_mips.deb
        Size/MD5 checksum:   478066 7c1ffda6b2c12357faab71435837cfc0
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch2_mipsel.deb
        Size/MD5 checksum:  3521650 7c63c1ee85a82ea30413a1d63cc3047e
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch2_mipsel.deb
        Size/MD5 checksum:   549762 af6c9505f9c136aa9e6c66cad597e6ca
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch2_mipsel.deb
        Size/MD5 checksum:   548530 d163f209f4d5effb22d574ad8c219508
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch2_mipsel.deb
        Size/MD5 checksum:   480380 911b5d5804322f4a62b095c9c64fc9cc
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch2_mipsel.deb
        Size/MD5 checksum:   559940 688ca8a13b4cf4340cb9a4b4448cd2ba
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch2_mipsel.deb
        Size/MD5 checksum:   596074 3a0489a3d59c8a3b60fe08c5c37eb251
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch2_powerpc.deb
        Size/MD5 checksum:   453732 01000caf42f203b6c2330e579d79b28a
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch2_powerpc.deb
        Size/MD5 checksum:   557654 fd75a89e0ecc889db67fd517c8bf7568
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch2_powerpc.deb
        Size/MD5 checksum:   556412 678fb38b4dd725f1ae2f520e2ff92270
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch2_powerpc.deb
        Size/MD5 checksum:   708664 b8a96b7531808b2965d7dba797821d50
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch2_powerpc.deb
        Size/MD5 checksum:   579560 cd5d303cfa304194217ebbbc58ae2e4b
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch2_powerpc.deb
        Size/MD5 checksum:  3305834 860ad67587a7a080e6aa1fc752e2abd2
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch2_s390.deb
        Size/MD5 checksum:  3302260 995559c077c87884aa90f9361a3d57b2
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch2_s390.deb
        Size/MD5 checksum:   555090 1b6d9bf9660334c0c4df0295fb65559d
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch2_s390.deb
        Size/MD5 checksum:   553850 f0ffecbccb2df4a50a31618a01362bb2
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch2_s390.deb
        Size/MD5 checksum:   452176 6ed738fa8f1f1a0a5fef28ede711d4b9
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch2_s390.deb
        Size/MD5 checksum:   581032 48e1a6e91883bf1d859ebc1e17ca9809
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch2_s390.deb
        Size/MD5 checksum:   606142 9d0d79a7ccaa876218079e180e316ee2
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscript_4.10.0-5.1+etch2_sparc.deb
        Size/MD5 checksum:   568812 9a0a3af49a1bdb305e5146915441dd2f
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscript_4.10.0-5.1+etch2_sparc.deb
        Size/MD5 checksum:   703378 08a50fe3eb7330eac9dc77ae86a93900
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscript_4.10.0-5.1+etch2_sparc.deb
        Size/MD5 checksum:   541560 388c334dcb0fafb48805ce5f7cd40078
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscript_4.10.0-5.1+etch2_sparc.deb
        Size/MD5 checksum:   542890 6c54d5dfbb8ae3ead60bd7aa7135ebd9
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin_4.10.0-5.1+etch2_sparc.deb
        Size/MD5 checksum:  3216194 263c2aa66013c75217751e7faf6c40d4
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver_4.10.0-5.1+etch2_sparc.deb
        Size/MD5 checksum:   442792 fb273e738d0a0f234088b58c53125304
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"65","type":"x","order":"1","pct":57.52,"resources":[]},{"id":"88","title":"Should be more technical","votes":"15","type":"x","order":"2","pct":13.27,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"33","type":"x","order":"3","pct":29.2,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.