MapServer and TinyOWS updates for CVE-2013-0339
Dear Security Team,

Today the MapServer project published new MapServer & TinyOWS releases
to address CVE-2013-0339 in libxml2.

Since the issue is only with libxml2 < 2.9, it should only affect wheezy
and squeeze. But since CVE-2013-0339 is marked fixed in the wheezy &
squeeze libxml2 packages, I don't think we need these mapserver updates
in Debian for the security fix.

Can you confirm we don't need to patch mapserver in wheezy & squeeze?
-------- Original Message --------
Subject: [mapserver-dev] MapServer 6.4.2, 7.0.0-beta2 and TinyOWS 1.1.1
Date: 2015-07-07 14:06
From: thomas bonfort <firstname.lastname@example.org>
To: MapServer Dev Mailing List <email@example.com>,
MapserverList OSGEO <firstname.lastname@example.org>
This is a security release to mitigate an information disclosure issue
with libxml2 (versions older than 2.9, cf.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0339 ) which
can reveal any file accessible on the host system by passing a
specially crafted XML file. Although this is not an issue with
MapServer itself, the proposed update makes sure this vector of attack
cannot be used when mapserver is using a version of libxml2 older than

You are strongly recommended to update if your mapserver has libxml2
support and is using an unpatched version of libxml2 older than 2.8.

We are concurrently releasing the second beta for MapServer 7.0.0 that
contains this security fix along with a number of issues that were
discovered since the release of beta1. As always, we rely on you the
community to test these beta versions and provide us with feedback as
to the issues you may encounter.

You can find the download links and changelogs at the usual location:

The MapServer Team