[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fixing CVE-2016-9839 for mapserver

Hi Sebastiaan,

On Tue, Dec 06, 2016 at 12:22:13AM +0100, Sebastiaan Couwenberg wrote:
> Dear Security Team,
> Today the MapServer team has released version 7.0.3 which fixes
> CVE-2016-9839. To quote the release announcement [0]:
> "
>  That issue involves OGR error messages being too verbose in some
>  instances and potentially disclosing sensitive information if the
>  underlying connection fails. In addition we have backported a somewhat
>  similar fix to the 6.x series for PostGIS layers.
> "
> I've already updated the package in unstable, and have cherry-picked the
> commit fixing the issue for OGR & PostGIS layers for the package in
> jessie (6.4.1-5+deb8u1) & wheezy (6.0.1-3.2+deb7u3). See the attached
> debdiffs.
> The "sensitive information" are the credentials for the database
> configured in the mapfile which are reported in the error message. If
> the database is accessible over the network unauthorized users may gain
> access using the credentials from the error message. An example is
> provided in the the upstream issue [1] for the PostGIS layer, and
> similarly affects the OGR layer [2][3].
> I don't think the issue is remotely exploitable, unless some way to
> force the database connection failure to occur is found. As long as the
> database is only accessible on the localhost, the impact is the issue is
> limited.
> Affected versions:
>  * jessie: 6.4.1-5
>  * wheezy: 6.0.1-3.2+deb7u2
> Fixed versions:
>  * jessie: 6.4.1-5+deb8u1
>  * wheezy: 6.0.1-3.2+deb7u3
> Are these changes OK for upload to security-master?

Thanks for contacting us. I think the issue could be fixed via an
upcoming point release. Can you please schedule it via the upcoming
one? See
for respective quidelines.

Regards and thanks a lot for your work, I have updated the
security-tracker entry for CVE-2016-9839 just now.


p.s.: For wheezy LTS, note that this is a separate project, it might be
      that they want to release a DLA, but for that please contact the
      Wheezy LTS team. Contact point: https://wiki.debian.org/LTS .

Reply to: