Francesco P. Lovergine
2009-Mar-27 10:33 UTC
[Secure-testing-team] Mapserver vulnerabilities
Thanks Daniel, I added the Debian stable and testing security teams in the loop. As you may know, by policy patches need to be eventually adapted to 4.10.0 (etch) and 5.0.3 (lenny), while 5.2.2 can be considered for sid.

On Thu, Mar 26, 2009 at 06:18:59PM -0400, Daniel Morissette wrote:
> See attached message, this is a heads up that a MapServer release with
> security fixes will be available very shortly. The announcement will be
> made later tonight or first thing tomorrow morning and new source
> packages for 5.2.2 and 4.10.4 are already available on the download server:
>
> http://download.osgeo.org/mapserver/mapserver-5.2.2.tar.gz
> http://download.osgeo.org/mapserver/mapserver-4.10.4.tar.gz
>
> BTW, is there a formal process for notifications of security fixes to
> your projects?
>

Yes, the above first email address is for off-list notification of undisclosed vulnerabilities. The second address is a public list, so it should not be used for private communications. Our teams are also able to require a CVE number assignment in case it was still not assigned.

> Daniel
>
>
> -------- Original Message --------
> Subject: Motion: Adopt RFC-56 and release MapServer 4.10.4 and 5.2.2
> Date: Thu, 26 Mar 2009 14:20:01 -0400
> From: Daniel Morissette <dmorissette at mapgears.com>
> To: 'MapServer Dev Mailing List' <mapserver-dev at lists.osgeo.org>
>
> Some security vulnerabilities have been found and reported to us
> following an audit of MapServer's mapserv CGI. We have worked on this
> off-list with other PSC members to come up with a solution before making
> anything public.
>
> The outcome of this is five tickets (#2939, #2941, #2942, #2943, #2944)
> and corresponding fixes:
> http://trac.osgeo.org/mapserver/ticket/2939
> http://trac.osgeo.org/mapserver/ticket/2941
> http://trac.osgeo.org/mapserver/ticket/2942
> http://trac.osgeo.org/mapserver/ticket/2943
> http://trac.osgeo.org/mapserver/ticket/2944
>
> as well as a new RFC-56 about tightening up control of access to
> mapfiles and templates:
> http://mapserver.org/development/rfc/ms-rfc-56.html
>
>
> Motion:
>
> I hereby motion that we release MapServer 5.2.2 and 4.10.4 ASAP with
> fixes for tickets (#2939, #2941, #2942, #2943, #2944) and the
> implementation of RFC-56. MapServer 5.4.0 beta4 should also follow
> within a few days with the same fixes.
>
> I start with my +1
>
> Daniel

--
Francesco P. Lovergine
Francesco P. Lovergine
2009-Mar-27 11:37 UTC
[Secure-testing-team] [DebianGIS] Mapserver vulnerabilities
On Fri, Mar 27, 2009 at 11:33:27AM +0100, Francesco P. Lovergine wrote:
> > while 5.2.2 can be considered for sid.
>

I'm finalizing this in the meantime. To be released after the official release.

--
Francesco P. Lovergine