Bug 190108 - sci-geosciences/mapserver < 4.10.3 Multiple XSS Vulnerabilities
Summary: sci-geosciences/mapserver < 4.10.3 Multiple XSS Vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/26561/
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-08-24 22:50 UTC by Matt Fleming (RETIRED)
Modified: 2007-09-03 08:35 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
updated mapserver ebuild (mapserver-4.10.3.ebuild, 8.04 KB, text/plain)
2007-09-01 06:26 UTC, Steve Arnold

Description Matt Fleming (RETIRED) gentoo-dev 2007-08-24 22:50:17 UTC
Some vulnerabilities have been reported in MapServer, which can be
exploited by malicious people to conduct cross-site scripting
attacks.

Input passed to unspecified parameters is not properly sanitised
before being returned to the user via the "processLine()" function in
maptemplate.c and the "writeError()" function in mapserv.c. This can
be exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

The vulnerabilities are reported in versions prior to 4.10.3.
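As an added illustration of the class of fix the advisory implies (this is hypothetical code written for this bug page, not MapServer's writeError() or processLine()), the routine below HTML-escapes the user-controlled part of an error message before it is echoed back into the page:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape the characters that let user input break out of HTML text or
 * attribute context. Returns the number of bytes written (excluding the
 * terminating NUL), or -1 if the output buffer is too small. */
long html_escape(const char *in, char *out, size_t outsz) {
    size_t n = 0;
    for (; *in; in++) {
        const char *rep;
        char tmp[2] = { *in, 0 };
        switch (*in) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   rep = tmp;      break;
        }
        size_t len = strlen(rep);
        if (n + len + 1 > outsz) return -1;   /* leave room for the NUL */
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return (long)n;
}

/* Hypothetical writeError()-style page builder: the untrusted detail string
 * is escaped before being placed into the HTML body. Returns 0 on success. */
int render_error_page(const char *untrusted_detail, char *out, size_t outsz) {
    char esc[512];
    if (html_escape(untrusted_detail, esc, sizeof esc) < 0) return -1;
    int r = snprintf(out, outsz,
                     "<html><body><h1>MapServer error</h1><pre>%s</pre></body></html>",
                     esc);
    return (r < 0 || (size_t)r >= outsz) ? -1 : 0;
}

int main(void) {
    /* Constructed sample: the kind of value a query-string parameter could carry. */
    const char *detail = "unknown layer <script>alert(1)</script>";
    char page[1024];
    if (render_error_page(detail, page, sizeof page) == 0) puts(page);
    return 0;
}
```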
Comment 1 Matt Fleming (RETIRED) gentoo-dev 2007-08-24 22:51:37 UTC
CC'ing maintainer and setting whiteboard status.
Comment 2 Steve Arnold archtester gentoo-dev 2007-09-01 06:26:04 UTC
Created attachment 129745 [details]
updated mapserver ebuild

updated mapserver ebuild with amd64, java 1.5 fix, and thread support.  Seems to work here but needs some arch testing, etc.  I'm not the maintainer, so maybe they've already got one...
Comment 3 Steve Arnold archtester gentoo-dev 2007-09-01 06:35:10 UTC
Oh, it should take care of bug #170556 as well.
Comment 4 Steve Arnold archtester gentoo-dev 2007-09-01 16:47:23 UTC
What's the priority on this?  I can add it to the tree, but I'm still not sure who maintains it...
Comment 5 Steve Arnold archtester gentoo-dev 2007-09-02 20:45:12 UTC
Okay, 4.10.3 is in the tree - should we think about stabilizing this version and removing the older ones?
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-03 08:35:34 UTC
Steve: no need to stabilize since the affected version wasn't stable itself. If you want to have it stable, you should open a separate stabilization request. You may remove the affected versions however.
Closing this one without GLSA, thanks everyone.