The MapServer team announces the release of MapServer versions 6.0.1, 5.6.7 and 4.10.7. No new functionality has been added.

6.0.1 is a maintenance release that fixes a few issues including recently discovered security vulnerabilities. The list of fixes since 6.0.0 is included at the end of this message.

Versions 5.6.7 and 4.10.7 include fixes for the security vulnerabilities described below plus a few bug fixes that may have occurred since the last official release. See the respective HISTORY.TXT files for additional information.

SECURITY FIXES:
---------------

MapServer developers have discovered flaws in the OGC filter support in MapServer. That code is used in support of WFS, WMS-SLD and SOS specifications. All versions may be susceptible to SQL injection under certain circumstances. The extent of the vulnerability depends on the MapServer version, relational database and mapfile configuration being used. All users are ** strongly encouraged ** to upgrade to these latest releases.

The 5.6.7 and 4.10.7 releases also address one significant buffer overflow (the 6.0 branch is not vulnerable).

These fixes do not affect the functionality of MapServer and no changes will be necessary for configurations/applications using the same base branch (e.g. 5.6).

Even though we release 6.0.1, 5.6.7 and 4.10.7 today, these security fixes have also been backported to all stable branches (going back to 4.10) in MapServer's Subversion (SVN) source code repository, so if you work from source and would like to patch your local MapServer source tree, the changeset (i.e. patch file) for each stable release can be obtained through the following Trac ticket:

- http://trac.osgeo.org/mapserver/ticket/3903

Special thanks to Even Rouault for his work identifying the issues and the subsequent patching and testing he did.

Source and binary downloads:
----------------------------

The source code is available at:

http://mapserver.org/download.html

The binary distributions listed in the download page should be updated with binaries for the new 6.0.1 release in the next few hours. We are also in the process of submitting security patches to the Ubuntu and Debian supported distributions.

Version 6.0.1 (2011-07-11):
---------------------------

*** TODO: Add HISTORY.TXT content... ***