Debian Security Advisory
DSA-2285-1 mapserver -- several vulnerabilities
- Date Reported:
- 26 Jul 2011
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2011-2703, CVE-2011-2704.
- More information:
Several vulnerabilities have been discovered in mapserver, a CGI-based web framework to publish spatial data and interactive mapping applications. The Common Vulnerabilities and Exposures project identifies the following problems:
Several instances of insufficient escaping of user input, leading to SQL injection attacks via OGC filter encoding (in WMS, WFS, and SOS filters).
Missing length checks in the processing of OGC filter encoding that can lead to stack-based buffer overflows and the execution of arbitrary code.
For the oldstable distribution (lenny), these problems have been fixed in version 5.0.3-3+lenny7.
For the stable distribution (squeeze), these problems have been fixed in version 5.6.5-2+squeeze2.
For the testing (squeeze) and unstable (sid) distributions, these problems will be fixed soon.
We recommend that you upgrade your mapserver packages.