Some vulnerabilities have been reported in MapServer, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to unspecified parameters is not properly sanitised before being returned to the user via the "processLine()" function in maptemplate.c and the "writeError()" function in mapserv.c. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerabilities are reported in versions prior to 4.10.3.
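As an added illustration of the bug class the advisory describes (this is not MapServer's code; the function names and the page template are hypothetical), the following C CGI-style error writer reflects a request parameter into the HTML response verbatim, beside a hardened version that HTML-escapes the value before interpolating it:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape HTML metacharacters so untrusted request text is emitted as literal
 * text, not markup. Returns a malloc'd string the caller frees, or NULL. */
char *html_escape(const char *in) {
    size_t out_len = 0;
    for (const char *p = in; *p; p++) {
        switch (*p) {
        case '&':            out_len += 5; break;  /* &amp;  */
        case '<': case '>':  out_len += 4; break;  /* &lt; &gt; */
        case '"':            out_len += 6; break;  /* &quot; */
        case '\'':           out_len += 5; break;  /* &#39;  */
        default:             out_len += 1;
        }
    }
    char *out = malloc(out_len + 1), *q = out;
    if (!out) return NULL;
    for (const char *p = in; *p; p++) {
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   *q++ = *p;      continue;
        }
        size_t n = strlen(rep); memcpy(q, rep, n); q += n;
    }
    *q = '\0';
    return out;
}

/* Hypothetical error writer (not MapServer's writeError()): the unsafe variant
 * reflects the request value into the page verbatim, the bug class reported. */
int write_error_unsafe(char *buf, size_t len, const char *param) {
    return snprintf(buf, len, "<html><body>Error: unknown value %s</body></html>", param);
}

/* Hardened variant: escape the untrusted value before interpolating it. */
int write_error_safe(char *buf, size_t len, const char *param) {
    char *esc = html_escape(param);
    if (!esc) return -1;
    int n = snprintf(buf, len, "<html><body>Error: unknown value %s</body></html>", esc);
    free(esc);
    return n;
}
```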
CC'ing maintainer and setting whiteboard status.
Created attachment 129745: updated mapserver ebuild

Updated mapserver ebuild with amd64, java 1.5 fix, and thread support. Seems to work here but needs some arch testing, etc. I'm not the maintainer, so maybe they've already got one...
Oh, it should take care of bug #170556 as well.
What's the priority on this? I can add it to the tree, but I'm still not sure who maintains it...
Okay, 4.10.3 is in the tree - should we think about stabilizing this version and removing the older ones?
Steve: no need to stabilize since the affected version wasn't stable itself. If you want to have it stable, you should open a separate stabilization request. You may remove the affected versions however. Closing this one without GLSA, thanks everyone.