New upstream mapserver versions 5.2.2 and 4.10.4 have been released:
http://lists.osgeo.org/pipermail/mapserver-users/2009-March/060600.html
to address multiple security issues found during the security audit of the mapserver's code.

Details about issues fixed:
http://www.securityfocus.com/archive/1/archive/1/502271/100/0/threaded
http://www.positronsecurity.com/advisories/2009-000.html

CVE assigned to the issues:

CVE-2009-0839: Stack-based buffer overflow in mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2, when the server has a map with a long IMAGEPATH or NAME attribute, allows remote attackers to execute arbitrary code via a crafted id parameter in a query action.
http://trac.osgeo.org/mapserver/ticket/2944
(Fedora packages are built with FORTIFY_SOURCE, which should catch this problem and reduce impact to non-exploitable crash.)

CVE-2009-0840: Heap-based buffer underflow in the readPostBody function in cgiutil.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to have an unknown impact via a negative value in the Content-Length HTTP header.
http://trac.osgeo.org/mapserver/ticket/2943
(Original advisory mentions it should not be possible to trigger this when using httpd 2.2.x at least.)

CVE-2009-0841: Directory traversal vulnerability in mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2, when running on Windows with Cygwin, allows remote attackers to create arbitrary files via a .. (dot dot) in the id parameter.
http://trac.osgeo.org/mapserver/ticket/2942
(See advisory for more details about conditions when this might be exploitable on non-Windows systems.)

CVE-2009-0842: mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to read arbitrary invalid .map files via a full pathname in the map parameter, which triggers the display of partial file contents within an error message, as demonstrated by a /tmp/sekrut.map symlink.
http://trac.osgeo.org/mapserver/ticket/2941

CVE-2009-0843: The msLoadQuery function in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 allows remote attackers to determine the existence of arbitrary files via a full pathname in the queryfile parameter, which triggers different error messages depending on whether this pathname exists.
http://trac.osgeo.org/mapserver/ticket/2939

CVE-2009-1176: mapserv.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 does not ensure that the string holding the id parameter ends in a '\0' character, which allows remote attackers to conduct buffer-overflow attacks or have unspecified other impact via a long id parameter in a query action.
(Related to CVE-2009-0839, see advisory for details.)

CVE-2009-1177: Multiple stack-based buffer overflows in maptemplate.c in mapserv in MapServer 4.x before 4.10.4 and 5.x before 5.2.2 have unknown impact and remote attack vectors.
http://trac.osgeo.org/mapserver/ticket/2944
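Several of the issues listed above (the negative Content-Length underflow in readPostBody, the unterminated and overlong id parameter behind the stack overflow, and the ".." traversal through id) come down to CGI input handling in C. The block below is an added example written for this report; it is not MapServer's code and not the upstream fix. It shows one hardened shape for the two inputs: a Content-Length parser that rejects negative, non-numeric and oversize values before any allocation, and an id copy that is always NUL-terminated and allowlisted to a safe character set. MAX_POST_BODY, MAX_ID_LEN and the function names are hypothetical choices for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example constants; neither is a MapServer value. */
#define MAX_POST_BODY (1024 * 1024)   /* largest POST body we will read */
#define MAX_ID_LEN    64              /* largest id parameter we accept */

/* Parse a Content-Length header value into *out.
 * Returns 0 on success, -1 when the value is absent, non-numeric,
 * has trailing junk, is negative, or exceeds MAX_POST_BODY.
 * The naive pattern "len = atoi(s); buf = malloc(len + 1); buf[len] = 0"
 * turns a negative header into malloc(0) followed by a write before the
 * buffer, which is the underflow class described for CVE-2009-0840. */
int parse_content_length(const char *value, size_t *out)
{
    char *end;
    long long n;

    if (value == NULL || *value == '\0')
        return -1;
    errno = 0;
    n = strtoll(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0')
        return -1;                    /* overflow, empty number, or junk */
    if (n < 0 || n > MAX_POST_BODY)
        return -1;                    /* negative or unreasonably large */
    *out = (size_t)n;
    return 0;
}

/* Read exactly the declared number of bytes from stream into a fresh,
 * NUL-terminated heap buffer. Returns NULL if the header is rejected,
 * the stream is shorter than declared, or allocation fails. */
char *read_post_body(FILE *stream, const char *content_length)
{
    size_t len, got;
    char *buf;

    if (parse_content_length(content_length, &len) != 0)
        return NULL;
    buf = malloc(len + 1);            /* len is bounded, so no wraparound */
    if (buf == NULL)
        return NULL;
    got = fread(buf, 1, len, stream);
    if (got != len) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

/* Copy an id query parameter into dst (dstsz bytes), always leaving dst
 * NUL-terminated. Only [A-Za-z0-9_-] is accepted, so '/', '\\' and ".."
 * can never reach a path built from the id. Returns 0 if accepted, -1 if
 * rejected (dst is left as an empty string in that case). */
int copy_safe_id(const char *id, char *dst, size_t dstsz)
{
    size_t n, i;

    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (id == NULL)
        return -1;
    n = strlen(id);
    if (n == 0 || n > MAX_ID_LEN || n >= dstsz)
        return -1;                    /* empty, or would not fit with NUL */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)id[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return -1;
    }
    memcpy(dst, id, n + 1);           /* includes the terminating NUL */
    return 0;
}

int main(void)
{
    size_t n;
    char dst[MAX_ID_LEN + 1];

    printf("Content-Length -1 accepted: %s\n",
           parse_content_length("-1", &n) == 0 ? "yes" : "no");
    printf("id \"../x\" accepted: %s\n",
           copy_safe_id("../x", dst, sizeof dst) == 0 ? "yes" : "no");
    return 0;
}
```

The important ordering is validate first, then allocate: once len is known to be in [0, MAX_POST_BODY], both malloc(len + 1) and buf[len] are safe by construction, and a short or lying client gets an error rather than a partially filled buffer.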
mapserver-5.2.2-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/mapserver-5.2.2-1.fc9
mapserver-5.2.2-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/mapserver-5.2.2-1.fc10
mapserver-5.2.2-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
mapserver-5.2.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.