CVE-2013-7262

Published: 5 January 2014

SQL injection vulnerability in the msPostGISLayerSetTimeFilter function in mappostgis.c in MapServer before 6.4.1, when a WMS-Time service is used, allows remote attackers to execute arbitrary SQL commands via a crafted string in a PostGIS TIME filter.

Priority

Status

Package	Release	Status
mapserver Launchpad, Ubuntu, Debian	lucid	Ignored (end of life)
	precise	Released (6.0.1-2ubuntu1.1)
	quantal	Released (6.0.1-3.2ubuntu0.12.10.1)
	raring	Released (6.0.1-3.2ubuntu0.13.04.1)
	saucy	Released (6.2.1-3ubuntu0.1)
	upstream	Released (6.4.1)
	Patches: upstream: https://github.com/mapserver/mapserver/commit/3a10f6b829297dae63492a8c63385044bc6953ed

References

https://github.com/mapserver/mapserver/issues/4834
https://github.com/mapserver/mapserver/commit/3a10f6b829297dae63492a8c63385044bc6953ed
http://www.mapserver.org/development/changelog/changelog-6-4.html#changelog-6-4-1
https://www.cve.org/CVERecord?id=CVE-2013-7262
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/1267616
https://github.com/mapserver/mapserver/issues/4834

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›