Re: CVE Request -- MapServer -- SQL injections in OGC filter encoding and in WMS time support.

[Alan Boudreault <aboudreault () mapgears com>]

I got new from the debian security guy yesterday. I should get the CVE id 
soon.

Thanks,
Alan

On July 19, 2011 11:28:29 am Even Rouault wrote:
> Selon Jan Lieskovsky <jlieskov () redhat com>:
>
> Jan,
>
> I believe Alan Boudreault (MapServer team member that I've added to the CC
> list) has already asked the Debian security team to request for a CVE
> number, but without any result for now. Maybe he can confirm.
>
> Best regards,
>
> Even
>
> > Hello Josh, Steve, vendors,
> >
> >    the following has been brought to our attention:
> >    [1] https://bugzilla.redhat.com/show_bug.cgi?id=722545
> >    [2] http://trac.osgeo.org/mapserver/ticket/3903
> >
> > More from [2]:
> >
> > This ticket is to track fixes to prevent SQL injections through OGC
> > filter encoding (in WMS, WFS and SOS), as well as a potential SQL
> > injection in WMS time support.
> >
> > Your system may be vulnerable if it has MapServer with OGC protocols
> > enabled, with layers connecting to an SQL RDBMS backend, either natively
> > or via OGR.
> >
> > All versions of MapServer 4.x, 5.x and 6.x are potentially vulnerable.
> > All users are ** strongly encouraged ** to upgrade to one of the latest
> > releases with the fixes.
> >
> > Could you allocate a CVE id for this?
> >
> > Thank you && Regards, Jan.
> > --
> > Jan iankko Lieskovsky / Red Hat Security Response Team

-- 
Alan Boudreault
Mapgears
http://www.mapgears.com