[Bug 1648998] Re: Fix CVE-2016-9839 & CVE-2017-5522

Marc Deslauriers marc.deslauriers at canonical.com
Tue Jan 24 14:23:03 UTC 2017


ACK on the trees in comment #2. I've uploaded packages for building with
a couple of small changes:

- LP tag in changelog needs a "#" for it to be automatically picked up, as in LP: #1234
- CVE-2016-9839 patch was a bit broken on xenial and yakkety, which I've fixed, it was adding the following to the build log:

/<<PKGBUILDDIR>>/mapogr.cpp: In function ‘int msOGRFileWhichShapes(layerObj*, rectObj, msOGRFileInfo*)’:
/<<PKGBUILDDIR>>/mapogr.cpp:1671:74: warning: too many arguments for format [-Wformat-extra-args]
                  layer->filter.string+6, layer->name?layer->name:"(null)");
                                                                          ^

Once packages are built, I will release them as security updates.
Thanks! :)

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1648998

Title:
  Fix CVE-2016-9839 & CVE-2017-5522

Status in mapserver package in Ubuntu:
  Triaged

Bug description:
  In MapServer before 7.0.3, OGR driver error messages are too verbose
  and may leak sensitive information if data connection fails.

  https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9839.html

  Packages for Debian have been updated - we should apply the same in
  Ubuntu.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/1648998/+subscriptions
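The class of leak the bug description refers to (an OGR connection-failure message that echoes the full connection string, which for a database source may carry credentials), shown as an added C example that is not MapServer's code: the function names, message text and the connection string with its fake password are all constructed for illustration. The verbose variant builds the message the way the CVE describes; the hardened variant reports only the layer name and leaves connection details to the server-side log.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not MapServer code. Function names, message text and the
 * connection string are constructed for illustration only. */

/* Connection-failure message in the verbose style the CVE describes: the whole
 * OGR connection string is echoed to the client. Two conversions, two
 * arguments, so -Wformat has nothing to flag; the problem is what is printed. */
int ogr_open_error_verbose(char *out, size_t outlen,
                           const char *layer_name, const char *connection)
{
    return snprintf(out, outlen,
                    "Open failed for OGR connection `%s' (layer `%s').",
                    connection, layer_name ? layer_name : "(null)");
}

/* Hardened form: the client sees only the layer name. The connection string
 * belongs in the server log, never in a response body. */
int ogr_open_error_safe(char *out, size_t outlen, const char *layer_name)
{
    return snprintf(out, outlen,
                    "Open failed for OGR connection of layer `%s'.",
                    layer_name ? layer_name : "(null)");
}

/* Returns 1 if the message text contains the given secret, 0 otherwise. */
int message_leaks(const char *msg, const char *secret)
{
    return strstr(msg, secret) != NULL;
}

int main(void)
{
    /* Constructed connection string with a fake credential. */
    const char *conn = "PG:host=db user=gis password=s3cret dbname=gis";
    char msg[256];

    ogr_open_error_verbose(msg, sizeof msg, "roads", conn);
    printf("verbose: %s\n  leaks password: %d\n",
           msg, message_leaks(msg, "password=s3cret"));

    ogr_open_error_safe(msg, sizeof msg, "roads");
    printf("safe:    %s\n  leaks password: %d\n",
           msg, message_leaks(msg, "password=s3cret"));
    return 0;
}
```

Build it with `cc -Wall -Wformat example.c`. If a conversion is removed from a format string while the argument list is left as it was, gcc reports `-Wformat-extra-args` exactly as in the build log quoted above; that warning is the signal that a backported message patch and its argument list no longer agree and is worth treating as a build failure in security updates.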
