
Re: Fixing CVE-2017-5522 (stack buffer overflow) for mapserver in wheezy



On 01/18/2017 10:17 PM, Ola Lundqvist wrote:
> Yes they are ok for wheezy-security. Thank you for your support.

I've updated the secure-testing repo for this issue and sent the DLA.

> On 18 January 2017 at 22:15, Sebastiaan Couwenberg <sebastic@xs4all.nl> wrote:
>> Dear LTS Team,
>>
>> Today the MapServer team has announced the release of version 7.0.4
>> which fixes CVE-2017-5522 (stack buffer overflow). To quote the release
>> announcement [0]:
>>
>> "
>>  Today the project team released versions 6.0.6, 6.2.4, 6.4.5 and 7.0.4
>>  of MapServer. This is primarily a security release to address
>>  CVE-2017-5522. That issue involves a buffer overflow identified by
>>  MapServer developers associated with specific WFS get feature requests.
>> "
>>
>> I've already updated the package in unstable, and have cherry-picked the
>> commit fixing the issue for the package in jessie (6.4.1-5+deb8u3) &
>> wheezy (6.0.1-3.2+deb7u3). See the attached debdiff.
>>
>> The issue may be remotely exploitable with specifically crafted WFS
>> requests.
>>
>> Affected versions:
>>
>>  * wheezy: 6.0.1-3.2+deb7u3
>>
>> Fixed versions:
>>
>>  * wheezy: 6.0.1-3.2+deb7u4
>>
>> Are these changes OK for wheezy-security?
>>
>> [0] https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

