See attached message, this is a heads up that a MapServer release with
security fixes will be available very shortly. The announcement will be
made later tonight or first thing tomorrow morning and new source
packages for 5.2.2 and 4.10.4 are already available on the download server:
http://download.osgeo.org/mapserver/mapserver-5.2.2.tar.gz
http://download.osgeo.org/mapserver/mapserver-4.10.4.tar.gz
BTW, is there a formal process for notifications of security fixes to
your projects?
Daniel
-------- Original Message --------
Subject: Motion: Adopt RFC-56 and release MapServer 4.10.4 and 5.2.2
Date: Thu, 26 Mar 2009 14:20:01 -0400
From: Daniel Morissette <dmorissette@mapgears.com>
To: 'MapServer Dev Mailing List' <mapserver-dev@lists.osgeo.org>
Some security vulnerabilities have been found and reported to us
following an audit of MapServer's mapserv CGI. We have worked on this
off-list with other PSC members to come up with a solution before making
anything public.
The outcome of this is five tickets (#2939, #2941, #2942, #2943, #2944)
and corresponding fixes:
http://trac.osgeo.org/mapserver/ticket/2939
http://trac.osgeo.org/mapserver/ticket/2941
http://trac.osgeo.org/mapserver/ticket/2942
http://trac.osgeo.org/mapserver/ticket/2943
http://trac.osgeo.org/mapserver/ticket/2944
as well as a new RFC-56 about tightening up control of access to
mapfiles and templates:
http://mapserver.org/development/rfc/ms-rfc-56.html
Motion:
I hereby motion that we release MapServer 5.2.2 and 4.10.4 ASAP with
fixes for tickets (#2939, #2941, #2942, #2943, #2944) and the
implementation of RFC-56. MapServer 5.4.0 beta4 should also follow
within a few days with the same fixes.
I start with my +1
Daniel