Advisories » MGASA-2015-0097

Updated mapserver packages fix CVE-2013-7262 and packaging issues

Publication date: 06 Mar 2015
Modification date: 06 Mar 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2013-7262

Description

Updated mapserver packages fix security vulnerability:

SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in
mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used,
allows remote attackers to execute arbitrary SQL commands via a crafted
string in a PostGIS TIME filter (CVE-2013-7262).

The mapserver package has been updated to version 6.2.2, which fixes this
issue and several other bugs, including some packaging issues which
prevented it from working anyway.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=15363
• http://www.mapserver.org/development/changelog/changelog-6-2-2.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1048688
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7262

SRPMS

4/core

• mapserver-6.2.2-1.2.mga4