Bug#734565: mapserver: CVE-2013-7262

Salvatore Bonaccorso carnil at debian.org
Fri Jan 10 02:20:41 UTC 2014 

Hi Sebastiaan,

On Wed, Jan 08, 2014 at 11:15:56PM +0100, Sebastiaan Couwenberg wrote:
> Hi Salvatore,
> 
> On 01/08/2014 10:09 AM, Salvatore Bonaccorso wrote:
> > On Wed, Jan 08, 2014 at 08:40:35AM +0100, Sebastiaan Couwenberg wrote:
> >> On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
> >>> If you fix the vulnerability please also make sure to include the
> >>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >>
> >> The new mapserver packages were prepared before the CVE was available.
> 
> I've prepared new mapserver packages for squeeze and wheezy with only
> the fix for this CVE, the new stable upstream release route I initially
> took is not proper to fix this issue.
> 
> mapserver (6.0.1-3.2+deb7u2) for wheezy:
> 
> http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_6.0.1-3.2+deb7u2.dsc
> 
> mapserver (5.6.5-2+squeeze3) for squeeze:
> 
> http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_5.6.5-2+squeeze3.dsc
> 
> The squeeze package contained debhelper.log files in the debian/
> directory, which caused problems for clean pbuilder builds so they were
> removed. And dpatch insisted in changing the permissions. I've included
> these changes in the squeeze package too.
> 
> >>> Please adjust the affected versions in the BTS as needed, at least
> >>> unstable from looking at source seems affected.
> >>
> >> Unstable is no longer affect with the upload of mapserver 6.4.1, wheezy
> >> and squeeze still are, but the proposed updates for both are waiting for
> >> feedback from the release team:
> > 
> > Could you clarify if second commit referenced in
> > 
> > https://github.com/mapserver/mapserver/issues/4834
> > (WFS-2 specific fixes for postgis time sql injections (#4834,#4815))
> > 
> > is also needed? Is this relevant for Debian?
> 
> No, the WFS-2 specific commit shouldn't be relevant for Debian yet.
> 
> The vulnerability was discovered during the implementation of WFS 2.0
> support in MapServer. That support only lives in the master branch for
> now and will be included in the next major upstream release.

Okay thanks for this explanation. Regarding the upload for security:
We have tagged this issue 'no-dsa'[1] meaning that no DSA is planned
for this vulnerability only. So if you are planning to do a
(old)stable-proposed-updates upload, the above can be included there
(either by updating to a update to a upstream version as you propose
or by an isolated patch; depends on what release teams would like to
have for these two opu and pu requests).

 [1] https://security-tracker.debian.org/tracker/CVE-2013-7262

Thanks again for the quick followups,

Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-grass-devel/attachments/20140110/8c518bf5/attachment-0001.sig>

More information about the Pkg-grass-devel mailing list