Debian Bug report logs - #734565
mapserver: CVE-2013-7262
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 8 Jan 2014 07:33:07 UTC
Severity: important
Tags: patch, security, upstream
Fixed in versions mapserver/6.4.1-1, mapserver/6.0.1-3.2+deb7u2, mapserver/5.6.5-2+squeeze3
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>: Bug#734565; Package mapserver. (Wed, 08 Jan 2014 07:33:12 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Wed, 08 Jan 2014 07:33:12 GMT)
Message #5 received at submit@bugs.debian.org:
Package: mapserver
Severity: important
Tags: security upstream patch
Hi,
the following vulnerability was published for mapserver.
CVE-2013-7262[0]:
| SQL injection vulnerability in the msPostGISLayerSetTimeFilter
| function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time
| service is used, allows remote attackers to execute arbitrary SQL
| commands via a crafted string in a PostGIS TIME filter.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7262
http://security-tracker.debian.org/tracker/CVE-2013-7262
[1] https://github.com/mapserver/mapserver/issues/4834
Please adjust the affected versions in the BTS as needed, at least
unstable from looking at source seems affected.
Regards,
Salvatore
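As an added illustration (not code from this bug log and not the MapServer patch), one defensive pattern for the class of flaw in the CVE text above: accept a WMS TIME value only if it matches a strict timestamp grammar before any of it is placed in a PostGIS query string. The function names, the column name `obs_time` and the accepted grammar (single instants, `start/end` ranges, comma-separated lists) are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Length of a leading YYYY[-MM[-DD[THH[:MM[:SS]]]]][Z] timestamp in s,
 * or 0 if s does not start with one. Only digits and the fixed
 * separators can match, so an accepted value cannot contain a quote. */
static size_t iso_time_len(const char *s)
{
    static const char shape[] = "dddd-dd-ddTdd:dd:dd";
    size_t i = 0;

    while (shape[i] != '\0') {
        int ok = (shape[i] == 'd') ? isdigit((unsigned char)s[i])
                                   : (s[i] == shape[i]);
        if (!ok)
            break;              /* also stops at the terminating NUL */
        i++;
    }
    /* Must stop right after a complete year, month, day, hour, ... */
    if (i != 4 && i != 7 && i != 10 && i != 13 && i != 16 && i != 19)
        return 0;
    if (i >= 13 && s[i] == 'Z')
        i++;
    return i;
}

/* Build a predicate for `column` from a TIME value. `column` is assumed
 * to come from trusted layer configuration, never from the request.
 * Returns 0 on success; -1 (and an empty `out`) if the value is
 * rejected or the result does not fit in `out`. */
int build_time_predicate(const char *column, const char *time_param,
                         char *out, size_t outsz)
{
    const char *p = time_param;
    size_t used = 0;
    int w;

    if (outsz == 0)
        return -1;
    for (;;) {
        const char *start = p;
        size_t n = iso_time_len(p), m;

        if (n == 0)
            goto reject;
        p += n;
        if (*p == '/') {                        /* start/end range */
            m = iso_time_len(++p);
            if (m == 0)
                goto reject;
            w = snprintf(out + used, outsz - used,
                         "(\"%s\" >= '%.*s' AND \"%s\" <= '%.*s')",
                         column, (int)n, start, column, (int)m, p);
            p += m;
        } else {                                /* single instant */
            w = snprintf(out + used, outsz - used, "(\"%s\" = '%.*s')",
                         column, (int)n, start);
        }
        if (w < 0 || (size_t)w >= outsz - used)
            goto reject;
        used += (size_t)w;
        if (*p == '\0')
            return 0;
        if (*p++ != ',')                        /* anything else: refuse */
            goto reject;
        w = snprintf(out + used, outsz - used, " OR ");
        if (w < 0 || (size_t)w >= outsz - used)
            goto reject;
        used += (size_t)w;
    }
reject:
    out[0] = '\0';
    return -1;
}

int main(void)
{
    /* Constructed sample values, not taken from the bug report. */
    const char *samples[] = { "2014-01-08",
                              "2014-01-08T07:33:07Z/2014-01-10,2013",
                              "2014-01-08' OR '1'='1" };
    char sql[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = build_time_predicate("obs_time", samples[i], sql, sizeof sql);
        printf("%-40s -> %s\n", samples[i], rc == 0 ? sql : "REJECTED");
    }
    return 0;
}
```

Where the database driver supports bound parameters, passing the validated value as a parameter instead of formatting it into the statement removes the remaining dependence on the validator being exhaustive.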
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>: Bug#734565; Package mapserver. (Wed, 08 Jan 2014 07:42:19 GMT)
Acknowledgement sent to Sebastiaan Couwenberg <sebastic@xs4all.nl>: Extra info received and forwarded to list. Copy sent to Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Wed, 08 Jan 2014 07:42:19 GMT)
Message #10 received at 734565@bugs.debian.org:
On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
The new mapserver packages were prepared before the CVE was available.
> Please adjust the affected versions in the BTS as needed, at least
> unstable from looking at source seems affected.
Unstable is no longer affected with the upload of mapserver 6.4.1, wheezy
and squeeze still are, but the proposed updates for both are waiting for
feedback from the release team:
Bug#734099: pu: package mapserver/6.0.4-1
Bug#734118: opu: package mapserver/5.6.9-1
Kind Regards,
Bas
--
GnuPG: 0xE88D4AF1 (new) / 0x77A975AD (old)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>: Bug#734565; Package mapserver. (Wed, 08 Jan 2014 07:45:05 GMT)
Acknowledgement sent to Sebastiaan Couwenberg <sebastic@xs4all.nl>: Extra info received and forwarded to list. Copy sent to Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Wed, 08 Jan 2014 07:45:05 GMT)
Message #15 received at 734565@bugs.debian.org:
Control: fixed -1 mapserver/6.4.1-1
Control: fixed -1 mapserver/6.0.4-1
Control: fixed -1 mapserver/5.6.9-1
Control: tags -1 pending
Marked as fixed in versions mapserver/6.4.1-1. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to 734565-submit@bugs.debian.org. (Wed, 08 Jan 2014 07:45:05 GMT)
Marked as fixed in versions mapserver/6.0.4-1. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to 734565-submit@bugs.debian.org. (Wed, 08 Jan 2014 07:45:06 GMT)
Marked as fixed in versions mapserver/5.6.9-1. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to 734565-submit@bugs.debian.org. (Wed, 08 Jan 2014 07:45:07 GMT)
Added tag(s) pending. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to 734565-submit@bugs.debian.org. (Wed, 08 Jan 2014 07:45:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>: Bug#734565; Package mapserver. (Wed, 08 Jan 2014 09:12:13 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Wed, 08 Jan 2014 09:12:13 GMT)
Message #28 received at 734565@bugs.debian.org:
Hi Bas,
On Wed, Jan 08, 2014 at 08:40:35AM +0100, Sebastiaan Couwenberg wrote:
> On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> The new mapserver packages were prepared before the CVE was available.
>
> > Please adjust the affected versions in the BTS as needed, at least
> > unstable from looking at source seems affected.
>
> Unstable is no longer affected with the upload of mapserver 6.4.1, wheezy
> and squeeze still are, but the proposed updates for both are waiting for
> feedback from the release team:
>
> Bug#734099: pu: package mapserver/6.0.4-1
> Bug#734118: opu: package mapserver/5.6.9-1
Could you clarify if the second commit referenced in
https://github.com/mapserver/mapserver/issues/4834
(WFS-2 specific fixes for postgis time sql injections (#4834,#4815))
is also needed? Is this relevant for Debian?
Thanks for your work, and regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>: Bug#734565; Package mapserver. (Wed, 08 Jan 2014 09:48:29 GMT)
Acknowledgement sent to "Sebastiaan Couwenberg" <sebastic@xs4all.nl>: Extra info received and forwarded to list. Copy sent to Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Wed, 08 Jan 2014 09:48:29 GMT)
Message #33 received at 734565@bugs.debian.org:
> On 2014-01-08 7:51, Sebastiaan Couwenberg wrote:
>> Control: tags -1 security
>>
>> As reported by Salvatore Bonaccorso in #734565, there is now a CVE for
>> the security issue in question.
>>
>> Can I get a Go/No Go for uploading the proposed changes in the debdiff?
>
> You proposed the changes four days ago, including relatively large
> diffs; please give people time to review / process them rather than
> chasing so quickly.
Sorry if my question was seen as chasing the Release Team. I'm not trying
to pressure the RT.
My question was triggered by the bug filed today now that the CVE is
available.
> As a side note, the diffs were sufficiently large that neither of your
> bug reports reached the debian-release list, so several people may not
> have seen them yet.
I was afraid the debdiffs might be a bit too large. So I think the wise
thing to do is to prepare security uploads which only fix the CVE issue if
possible, and leave the other security and stability fixes for a later
(old)stable-update if the complete upstream stable release is considered
acceptable.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>: Bug#734565; Package mapserver. (Wed, 08 Jan 2014 22:21:05 GMT)
Acknowledgement sent to Sebastiaan Couwenberg <sebastic@xs4all.nl>: Extra info received and forwarded to list. Copy sent to Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Wed, 08 Jan 2014 22:21:05 GMT)
Message #38 received at 734565@bugs.debian.org:
Hi Salvatore,
On 01/08/2014 10:09 AM, Salvatore Bonaccorso wrote:
> On Wed, Jan 08, 2014 at 08:40:35AM +0100, Sebastiaan Couwenberg wrote:
>> On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
>>> If you fix the vulnerability please also make sure to include the
>>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> The new mapserver packages were prepared before the CVE was available.
I've prepared new mapserver packages for squeeze and wheezy with only
the fix for this CVE, the new stable upstream release route I initially
took is not proper to fix this issue.
mapserver (6.0.1-3.2+deb7u2) for wheezy:
http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_6.0.1-3.2+deb7u2.dsc
mapserver (5.6.5-2+squeeze3) for squeeze:
http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_5.6.5-2+squeeze3.dsc
The squeeze package contained debhelper.log files in the debian/
directory, which caused problems for clean pbuilder builds so they were
removed. And dpatch insisted on changing the permissions. I've included
these changes in the squeeze package too.
>>> Please adjust the affected versions in the BTS as needed, at least
>>> unstable from looking at source seems affected.
>>
>> Unstable is no longer affected with the upload of mapserver 6.4.1, wheezy
>> and squeeze still are, but the proposed updates for both are waiting for
>> feedback from the release team:
>
> Could you clarify if the second commit referenced in
>
> https://github.com/mapserver/mapserver/issues/4834
> (WFS-2 specific fixes for postgis time sql injections (#4834,#4815))
>
> is also needed? Is this relevant for Debian?
No, the WFS-2 specific commit shouldn't be relevant for Debian yet.
The vulnerability was discovered during the implementation of WFS 2.0
support in MapServer. That support only lives in the master branch for
now and will be included in the next major upstream release.
> Thanks for your work, and regards,
> Salvatore
If the security-team approves the package changes, shall I ask my
sponsor to upload the packages?
Kind Regards,
Bas
--
GnuPG: 0xE88D4AF1 (new) / 0x77A975AD (old)
No longer marked as fixed in versions mapserver/6.0.4-1. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to control@bugs.debian.org. (Thu, 09 Jan 2014 07:42:17 GMT)
No longer marked as fixed in versions mapserver/5.6.9-1. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to control@bugs.debian.org. (Thu, 09 Jan 2014 07:42:18 GMT)
Marked as fixed in versions mapserver/6.0.1-3.2+deb7u2. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to control@bugs.debian.org. (Thu, 09 Jan 2014 07:42:18 GMT)
Marked as fixed in versions mapserver/5.6.5-2+squeeze3. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to control@bugs.debian.org. (Thu, 09 Jan 2014 07:42:19 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>: Bug#734565; Package mapserver. (Fri, 10 Jan 2014 02:24:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>. (Fri, 10 Jan 2014 02:24:04 GMT)
Message #51 received at 734565@bugs.debian.org:
Hi Sebastiaan,
On Wed, Jan 08, 2014 at 11:15:56PM +0100, Sebastiaan Couwenberg wrote:
> Hi Salvatore,
>
> On 01/08/2014 10:09 AM, Salvatore Bonaccorso wrote:
> > On Wed, Jan 08, 2014 at 08:40:35AM +0100, Sebastiaan Couwenberg wrote:
> >> On 01/08/2014 08:25 AM, Salvatore Bonaccorso wrote:
> >>> If you fix the vulnerability please also make sure to include the
> >>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >>
> >> The new mapserver packages were prepared before the CVE was available.
>
> I've prepared new mapserver packages for squeeze and wheezy with only
> the fix for this CVE, the new stable upstream release route I initially
> took is not proper to fix this issue.
>
> mapserver (6.0.1-3.2+deb7u2) for wheezy:
>
> http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_6.0.1-3.2+deb7u2.dsc
>
> mapserver (5.6.5-2+squeeze3) for squeeze:
>
> http://mentors.debian.net/debian/pool/main/m/mapserver/mapserver_5.6.5-2+squeeze3.dsc
>
> The squeeze package contained debhelper.log files in the debian/
> directory, which caused problems for clean pbuilder builds so they were
> removed. And dpatch insisted on changing the permissions. I've included
> these changes in the squeeze package too.
>
> >>> Please adjust the affected versions in the BTS as needed, at least
> >>> unstable from looking at source seems affected.
> >>
> >> Unstable is no longer affected with the upload of mapserver 6.4.1, wheezy
> >> and squeeze still are, but the proposed updates for both are waiting for
> >> feedback from the release team:
> >
> > Could you clarify if the second commit referenced in
> >
> > https://github.com/mapserver/mapserver/issues/4834
> > (WFS-2 specific fixes for postgis time sql injections (#4834,#4815))
> >
> > is also needed? Is this relevant for Debian?
>
> No, the WFS-2 specific commit shouldn't be relevant for Debian yet.
>
> The vulnerability was discovered during the implementation of WFS 2.0
> support in MapServer. That support only lives in the master branch for
> now and will be included in the next major upstream release.
Okay thanks for this explanation. Regarding the upload for security:
We have tagged this issue 'no-dsa'[1] meaning that no DSA is planned
for this vulnerability only. So if you are planning to do a
(old)stable-proposed-updates upload, the above can be included there
(either by updating to an upstream version as you propose
or by an isolated patch; depends on what release teams would like to
have for these two opu and pu requests).
[1] https://security-tracker.debian.org/tracker/CVE-2013-7262
Thanks again for the quick followups,
Regards,
Salvatore
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Sun, 12 Jan 2014 23:33:11 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 12 Jan 2014 23:33:11 GMT)
Message #56 received at 734565-close@bugs.debian.org:
Source: mapserver
Source-Version: 6.0.1-3.2+deb7u2
We believe that the bug you reported is fixed in the latest version of
mapserver, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 734565@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mapserver package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 10 Jan 2014 03:45:58 +0100
Source: mapserver
Binary: php5-mapscript libmapscript-perl cgi-mapserver python-mapscript mapserver-bin mapserver-doc libmapscript-ruby libmapscript-ruby1.8 libmapscript-ruby1.9.1
Architecture: source all amd64
Version: 6.0.1-3.2+deb7u2
Distribution: stable-proposed-updates
Urgency: low
Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
cgi-mapserver - CGI executable for MapServer
libmapscript-perl - Perl MapServer module
libmapscript-ruby - Ruby MapServer library
libmapscript-ruby1.8 - Ruby MapServer library
libmapscript-ruby1.9.1 - Ruby MapServer library
mapserver-bin - MapServer utilities
mapserver-doc - documentation for MapServer
php5-mapscript - php5-cgi module for MapServer
python-mapscript - Python library for MapServer
Closes: 734565
Changes:
mapserver (6.0.1-3.2+deb7u2) stable-proposed-updates; urgency=low
.
* Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
msPostGISLayerSetTimeFilter function in mappostgis.c.
(closes: #734565)
Reply sent to Salvatore Bonaccorso <carnil@debian.org>: You have taken responsibility. (Sun, 12 Jan 2014 23:33:15 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sun, 12 Jan 2014 23:33:15 GMT)
Message #61 received at 734565-close@bugs.debian.org:
Source: mapserver
Source-Version: 5.6.5-2+squeeze3
We believe that the bug you reported is fixed in the latest version of
mapserver, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 734565@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated mapserver package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 10 Jan 2014 04:21:27 +0100
Source: mapserver
Binary: php5-mapscript perl-mapscript cgi-mapserver python-mapscript mapserver-bin mapserver-doc libmapscript-ruby libmapscript-ruby1.8 libmapscript-ruby1.9.1
Architecture: source all amd64
Version: 5.6.5-2+squeeze3
Distribution: oldstable-proposed-updates
Urgency: low
Maintainer: Debian GIS Project <pkg-grass-devel@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
cgi-mapserver - CGI executable for MapServer
libmapscript-ruby - Ruby MapServer library
libmapscript-ruby1.8 - Ruby MapServer library
libmapscript-ruby1.9.1 - Ruby MapServer library
mapserver-bin - MapServer utilities
mapserver-doc - documentation for MapServer
perl-mapscript - Perl MapServer library
php5-mapscript - php5-cgi module for MapServer
python-mapscript - Python library for MapServer
Closes: 734565
Changes:
mapserver (5.6.5-2+squeeze3) oldstable-proposed-updates; urgency=low
.
* Add patch to fix CVE-2013-7262, an SQL injection vulnerability in the
msPostGISLayerSetTimeFilter function in mappostgis.c.
(closes: #734565)
* Remove debhelper log files to allow clean builds.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 11 Feb 2014 07:30:33 GMT)
Last modified:
Wed Jun 19 18:00:30 2019;