From ${URL} :

Description:
A vulnerability has been reported in MapServer, which can be exploited by malicious people to conduct SQL injection attacks.

Certain unspecified input passed via PostGIS TIME filters is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires PostGIS to be used and WMS-Time to be configured.

The vulnerability is reported in versions prior to 6.4.1.

Solution:
Update to version 6.4.1.

Provided and/or discovered by:
The vendor credits Even Rouault.

Original Advisory:
http://www.mapserver.org/development/changelog/changelog-6-4.html#changes-from-6-4-0-to-6-4-1

@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
CVE-2013-7262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7262): SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter.
(In reply to GLSAMaker/CVETool Bot from comment #1)
> CVE-2013-7262 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7262):
> SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in
> mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used,
> allows remote attackers to execute arbitrary SQL commands via a crafted
> string in a PostGIS TIME filter.

This CVE is also fixed in mapserver-6.2.2 (according to http://mapserver.org/development/changelog/changelog-6-2-2.html) and mapserver-6.0.4 (according to http://mapserver.org/development/changelog/changelog-6-0-4.html). So there is no need to do the "big step" to the 6.4.x or 6.2.x line (but check bug 471250 for 6.2.x).

If I could compile either 6.0.1 or 6.2.1 I would check if a rename of the ebuild is sufficient, but unfortunately I run into lapack/blas issues...
@security: I would treat this as maintainer-needed. fordfrog, the only member of sci-geosciences herd, told me "I have nothing to do with it" when I inquired about fixing PHP support.
author Amy Winston <amynka@gentoo.org> 2016-02-27 12:20:01 (GMT)
committer Amy Winston <amynka@gentoo.org> 2016-02-27 12:20:01 (GMT)
commit 64b32d1e88e7adfb309a96cc940300fb08ecd66c

sci-geosciences/mapserver: drop old security bug #497302

It should be now fixed. Amy
Committed per previous comment and all vulnerable versions removed.