Re: CVE Request -- MapServer -- SQL injections in OGC filter encoding and in WMS time support.

[Even Rouault <even.rouault () mines-paris org>]

Selon Jan Lieskovsky <jlieskov () redhat com>:

Jan,

I believe Alan Boudreault (MapServer team member that I've added to the CC list)
has already asked the Debian security team to request for a CVE number, but
without any result for now. Maybe he can confirm.

Best regards,

Even

> Hello Josh, Steve, vendors,
>
>    the following has been brought to our attention:
>    [1] https://bugzilla.redhat.com/show_bug.cgi?id=722545
>    [2] http://trac.osgeo.org/mapserver/ticket/3903
>
> More from [2]:
>
> This ticket is to track fixes to prevent SQL injections through OGC
> filter encoding (in WMS, WFS and SOS), as well as a potential SQL
> injection in WMS time support.
>
> Your system may be vulnerable if it has MapServer with OGC protocols
> enabled, with layers connecting to an SQL RDBMS backend, either natively
> or via OGR.
>
> All versions of MapServer 4.x, 5.x and 6.x are potentially vulnerable.
> All users are ** strongly encouraged ** to upgrade to one of the latest
> releases with the fixes.
>
> Could you allocate a CVE id for this?
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team