Privacy and Legal Notice

DOE-CIRC TECHNICAL BULLETIN

T-257: MapServer Multiple Security Vulnerabilities

[CVE-2009-0839 thru CVE-2009-0843 & CVE-2009-1176 thru CVE-2009-1177]

October 23, 2009 15:00 GMT
PROBLEM: MapServer is prone to multiple remote vulnerabilities, including buffer-overflow issues, a directory-traversal issue, and information-disclosure issues.
PLATFORM: Versions prior to MapServer 4.10.4 and 5.2.2 are vulnerable.
ABSTRACT: Several vulnerabilities were identified ranging from low to medium/high severity. They include stack and heap overflows, a relative path writing weakness, a file content leakage, as well as a file existence leakage.
LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-257.shtml
  OTHER LINKS: Security Focus
http://www.securityfocus.com/bid/34306/info
  CVE: CVE-2009-0839
CVE-2009-0840
CVE-2009-0841
CVE-2009-0842
CVE-2009-0843
CVE-2009-1176
CVE-2009-1177
IMPACT ASSESSMENT: This risk is high. An attacker can exploit these issues to obtain sensitive information, create files in arbitrary locations, run arbitrary code within the context of the affected application, or crash the application, denying service to legitimate users. 
[***** Start CVE-2009-0839 thru CVE-2009-0843 & CVE-2009-1176 thru CVE-2009-1177 *****]
Discussion:
MapServer is a popular open-source, multi-platform program for creating interactive map applications.  It was originally developed by the University of Minnesota with support from the U.S. National Aeronautics and Space Administration (NASA).  It is currently supported by the Open Source Geospatial Foundation.

During an audit of the MapServer v5.2.1 source code, five (5) vulnerabilities were identified ranging from low to medium/high severity. They include stack and heap overflows, a relative path writing weakness, a file content leakage, as well as a file existence leakage.  Furthermore, after reporting these issues to the vendor, a second audit by the project maintainer not only determined that v4.10.3 was also affected, but that four (4) additional stack overflows existed in the code as well.

Solution:
Debian Linux 4.0 arm

    * Debian cgi-mapserver_4.10.0-5.1+etch4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _4.10.0-5.1+etch4_arm.deb

    * Debian mapserver-bin_4.10.0-5.1+etch4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _4.10.0-5.1+etch4_arm.deb

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb

    * Debian perl-mapscript_4.10.0-5.1+etch4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_4.10.0-5.1+etch4_arm.deb

    * Debian php4-mapscript_4.10.0-5.1+etch4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscrip t_4.10.0-5.1+etch4_arm.deb

    * Debian php5-mapscript_4.10.0-5.1+etch4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_4.10.0-5.1+etch4_arm.deb

    * Debian python-mapscript_4.10.0-5.1+etch4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_4.10.0-5.1+etch4_arm.deb


Debian Linux 5.0 ia-64

    * Debian cgi-mapserver_5.0.3-3+lenny4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _5.0.3-3+lenny4_ia64.deb

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian libmapscript-ruby1.8_5.0.3-3+lenny4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.8_5.0.3-3+lenny4_ia64.deb

    * Debian libmapscript-ruby1.9_5.0.3-3+lenny4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.9_5.0.3-3+lenny4_ia64.deb

    * Debian mapserver-bin_5.0.3-3+lenny4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _5.0.3-3+lenny4_ia64.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb

    * Debian perl-mapscript_5.0.3-3+lenny4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_5.0.3-3+lenny4_ia64.deb

    * Debian php5-mapscript_5.0.3-3+lenny4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_5.0.3-3+lenny4_ia64.deb

    * Debian python-mapscript_5.0.3-3+lenny4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_5.0.3-3+lenny4_ia64.deb


Debian Linux 4.0 powerpc

    * Debian cgi-mapserver_4.10.0-5.1+etch4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _4.10.0-5.1+etch4_powerpc.deb

    * Debian mapserver-bin_4.10.0-5.1+etch4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _4.10.0-5.1+etch4_powerpc.deb

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb

    * Debian perl-mapscript_4.10.0-5.1+etch4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_4.10.0-5.1+etch4_powerpc.deb

    * Debian php4-mapscript_4.10.0-5.1+etch4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscrip t_4.10.0-5.1+etch4_powerpc.deb

    * Debian php5-mapscript_4.10.0-5.1+etch4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_4.10.0-5.1+etch4_powerpc.deb

    * Debian python-mapscript_4.10.0-5.1+etch4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_4.10.0-5.1+etch4_powerpc.deb


Debian Linux 4.0 m68k

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb


Debian Linux 5.0 alpha

    * Debian cgi-mapserver_5.0.3-3+lenny4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _5.0.3-3+lenny4_alpha.deb

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian libmapscript-ruby1.8_5.0.3-3+lenny4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.8_5.0.3-3+lenny4_alpha.deb

    * Debian libmapscript-ruby1.9_5.0.3-3+lenny4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.9_5.0.3-3+lenny4_alpha.deb

    * Debian mapserver-bin_5.0.3-3+lenny4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _5.0.3-3+lenny4_alpha.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb

    * Debian perl-mapscript_5.0.3-3+lenny4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_5.0.3-3+lenny4_alpha.deb

    * Debian php5-mapscript_5.0.3-3+lenny4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_5.0.3-3+lenny4_alpha.deb

    * Debian python-mapscript_5.0.3-3+lenny4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_5.0.3-3+lenny4_alpha.deb


Debian Linux 5.0 ia-32

    * Debian cgi-mapserver_5.0.3-3+lenny4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _5.0.3-3+lenny4_i386.deb

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian libmapscript-ruby1.8_5.0.3-3+lenny4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.8_5.0.3-3+lenny4_i386.deb

    * Debian libmapscript-ruby1.9_5.0.3-3+lenny4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.9_5.0.3-3+lenny4_i386.deb

    * Debian mapserver-bin_5.0.3-3+lenny4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _5.0.3-3+lenny4_i386.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb

    * Debian perl-mapscript_5.0.3-3+lenny4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_5.0.3-3+lenny4_i386.deb

    * Debian php5-mapscript_5.0.3-3+lenny4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_5.0.3-3+lenny4_i386.deb

    * Debian python-mapscript_5.0.3-3+lenny4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_5.0.3-3+lenny4_i386.deb


Debian Linux 5.0 s/390

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb


Debian Linux 5.0 mipsel

    * Debian cgi-mapserver_5.0.3-3+lenny4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _5.0.3-3+lenny4_mipsel.deb

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian libmapscript-ruby1.8_5.0.3-3+lenny4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.8_5.0.3-3+lenny4_mipsel.deb

    * Debian libmapscript-ruby1.9_5.0.3-3+lenny4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.9_5.0.3-3+lenny4_mipsel.deb

    * Debian mapserver-bin_5.0.3-3+lenny4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _5.0.3-3+lenny4_mipsel.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb

    * Debian perl-mapscript_5.0.3-3+lenny4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_5.0.3-3+lenny4_mipsel.deb

    * Debian php5-mapscript_5.0.3-3+lenny4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_5.0.3-3+lenny4_mipsel.deb

    * Debian python-mapscript_5.0.3-3+lenny4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_5.0.3-3+lenny4_mipsel.deb


Debian Linux 4.0 amd64

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb


Debian Linux 4.0 ia-32

    * Debian cgi-mapserver_4.10.0-5.1+etch4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _4.10.0-5.1+etch4_i386.deb

    * Debian mapserver-bin_4.10.0-5.1+etch4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _4.10.0-5.1+etch4_i386.deb

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb

    * Debian perl-mapscript_4.10.0-5.1+etch4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_4.10.0-5.1+etch4_i386.deb

    * Debian php4-mapscript_4.10.0-5.1+etch4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscrip t_4.10.0-5.1+etch4_i386.deb

    * Debian php5-mapscript_4.10.0-5.1+etch4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_4.10.0-5.1+etch4_i386.deb

    * Debian python-mapscript_4.10.0-5.1+etch4_i386.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_4.10.0-5.1+etch4_i386.deb


Debian Linux 5.0 hppa

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb


Debian Linux 4.0 hppa

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb


Debian Linux 4.0 sparc

    * Debian cgi-mapserver_4.10.0-5.1+etch4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _4.10.0-5.1+etch4_sparc.deb

    * Debian mapserver-bin_4.10.0-5.1+etch4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _4.10.0-5.1+etch4_sparc.deb

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb

    * Debian perl-mapscript_4.10.0-5.1+etch4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_4.10.0-5.1+etch4_sparc.deb

    * Debian php4-mapscript_4.10.0-5.1+etch4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscrip t_4.10.0-5.1+etch4_sparc.deb

    * Debian php5-mapscript_4.10.0-5.1+etch4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_4.10.0-5.1+etch4_sparc.deb

    * Debian python-mapscript_4.10.0-5.1+etch4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_4.10.0-5.1+etch4_sparc.deb


Debian Linux 4.0 s/390

    * Debian cgi-mapserver_4.10.0-5.1+etch4_s390.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _4.10.0-5.1+etch4_s390.deb

    * Debian mapserver-bin_4.10.0-5.1+etch4_s390.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _4.10.0-5.1+etch4_s390.deb

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb

    * Debian perl-mapscript_4.10.0-5.1+etch4_s390.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_4.10.0-5.1+etch4_s390.deb

    * Debian php4-mapscript_4.10.0-5.1+etch4_s390.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscrip t_4.10.0-5.1+etch4_s390.deb

    * Debian php5-mapscript_4.10.0-5.1+etch4_s390.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_4.10.0-5.1+etch4_s390.deb

    * Debian python-mapscript_4.10.0-5.1+etch4_s390.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_4.10.0-5.1+etch4_s390.deb


Debian Linux 5.0 m68k

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb


Debian Linux 5.0 arm

    * Debian cgi-mapserver_5.0.3-3+lenny4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _5.0.3-3+lenny4_arm.deb

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian libmapscript-ruby1.8_5.0.3-3+lenny4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.8_5.0.3-3+lenny4_arm.deb

    * Debian libmapscript-ruby1.9_5.0.3-3+lenny4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.9_5.0.3-3+lenny4_arm.deb

    * Debian mapserver-bin_5.0.3-3+lenny4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _5.0.3-3+lenny4_arm.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb

    * Debian perl-mapscript_5.0.3-3+lenny4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_5.0.3-3+lenny4_arm.deb

    * Debian php5-mapscript_5.0.3-3+lenny4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_5.0.3-3+lenny4_arm.deb

    * Debian python-mapscript_5.0.3-3+lenny4_arm.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_5.0.3-3+lenny4_arm.deb


Debian Linux 4.0 armel

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb


Debian Linux 4.0 alpha

    * Debian cgi-mapserver_4.10.0-5.1+etch4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _4.10.0-5.1+etch4_alpha.deb

    * Debian mapserver-bin_4.10.0-5.1+etch4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _4.10.0-5.1+etch4_alpha.deb

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb

    * Debian perl-mapscript_4.10.0-5.1+etch4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_4.10.0-5.1+etch4_alpha.deb

    * Debian php4-mapscript_4.10.0-5.1+etch4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscrip t_4.10.0-5.1+etch4_alpha.deb

    * Debian php5-mapscript_4.10.0-5.1+etch4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_4.10.0-5.1+etch4_alpha.deb

    * Debian python-mapscript_4.10.0-5.1+etch4_alpha.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_4.10.0-5.1+etch4_alpha.deb


Debian Linux 5.0 armel

    * Debian cgi-mapserver_5.0.3-3+lenny4_armel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _5.0.3-3+lenny4_armel.deb

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian libmapscript-ruby1.8_5.0.3-3+lenny4_armel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.8_5.0.3-3+lenny4_armel.deb

    * Debian libmapscript-ruby1.9_5.0.3-3+lenny4_armel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.9_5.0.3-3+lenny4_armel.deb

    * Debian mapserver-bin_5.0.3-3+lenny4_armel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _5.0.3-3+lenny4_armel.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb

    * Debian perl-mapscript_5.0.3-3+lenny4_armel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_5.0.3-3+lenny4_armel.deb

    * Debian php5-mapscript_5.0.3-3+lenny4_armel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_5.0.3-3+lenny4_armel.deb

    * Debian python-mapscript_5.0.3-3+lenny4_armel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_5.0.3-3+lenny4_armel.deb


Debian Linux 5.0

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb


Debian Linux 4.0

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb


Debian Linux 5.0 amd64

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb


Debian Linux 4.0 mipsel

    * Debian cgi-mapserver_4.10.0-5.1+etch4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _4.10.0-5.1+etch4_mipsel.deb

    * Debian mapserver-bin_4.10.0-5.1+etch4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _4.10.0-5.1+etch4_mipsel.deb

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb

    * Debian perl-mapscript_4.10.0-5.1+etch4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_4.10.0-5.1+etch4_mipsel.deb

    * Debian php4-mapscript_4.10.0-5.1+etch4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscrip t_4.10.0-5.1+etch4_mipsel.deb

    * Debian php5-mapscript_4.10.0-5.1+etch4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_4.10.0-5.1+etch4_mipsel.deb

    * Debian python-mapscript_4.10.0-5.1+etch4_mipsel.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_4.10.0-5.1+etch4_mipsel.deb


Debian Linux 5.0 mips

    * Debian cgi-mapserver_5.0.3-3+lenny4_mips.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _5.0.3-3+lenny4_mips.deb

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian libmapscript-ruby1.8_5.0.3-3+lenny4_mips.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.8_5.0.3-3+lenny4_mips.deb

    * Debian libmapscript-ruby1.9_5.0.3-3+lenny4_mips.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.9_5.0.3-3+lenny4_mips.deb

    * Debian mapserver-bin_5.0.3-3+lenny4_mips.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _5.0.3-3+lenny4_mips.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb

    * Debian perl-mapscript_5.0.3-3+lenny4_mips.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_5.0.3-3+lenny4_mips.deb

    * Debian php5-mapscript_5.0.3-3+lenny4_mips.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_5.0.3-3+lenny4_mips.deb

    * Debian python-mapscript_5.0.3-3+lenny4_mips.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_5.0.3-3+lenny4_mips.deb


Debian Linux 5.0 powerpc

    * Debian cgi-mapserver_5.0.3-3+lenny4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _5.0.3-3+lenny4_powerpc.deb

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian libmapscript-ruby1.8_5.0.3-3+lenny4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.8_5.0.3-3+lenny4_powerpc.deb

    * Debian libmapscript-ruby1.9_5.0.3-3+lenny4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.9_5.0.3-3+lenny4_powerpc.deb

    * Debian mapserver-bin_5.0.3-3+lenny4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _5.0.3-3+lenny4_powerpc.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb

    * Debian perl-mapscript_5.0.3-3+lenny4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_5.0.3-3+lenny4_powerpc.deb

    * Debian php5-mapscript_5.0.3-3+lenny4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_5.0.3-3+lenny4_powerpc.deb

    * Debian python-mapscript_5.0.3-3+lenny4_powerpc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_5.0.3-3+lenny4_powerpc.deb


Debian Linux 4.0 ia-64

    * Debian cgi-mapserver_4.10.0-5.1+etch4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _4.10.0-5.1+etch4_ia64.deb

    * Debian mapserver-bin_4.10.0-5.1+etch4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _4.10.0-5.1+etch4_ia64.deb

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb

    * Debian perl-mapscript_4.10.0-5.1+etch4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_4.10.0-5.1+etch4_ia64.deb

    * Debian php4-mapscript_4.10.0-5.1+etch4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php4-mapscrip t_4.10.0-5.1+etch4_ia64.deb

    * Debian php5-mapscript_4.10.0-5.1+etch4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_4.10.0-5.1+etch4_ia64.deb

    * Debian python-mapscript_4.10.0-5.1+etch4_ia64.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_4.10.0-5.1+etch4_ia64.deb


Debian Linux 4.0 mips

    * Debian mapserver-doc_4.10.0-5.1+etch4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _4.10.0-5.1+etch4_all.deb


Debian Linux 5.0 sparc

    * Debian cgi-mapserver_5.0.3-3+lenny4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/cgi-mapserver _5.0.3-3+lenny4_sparc.deb

    * Debian libmapscript-ruby_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby_5.0.3-3+lenny4_all.deb

    * Debian libmapscript-ruby1.8_5.0.3-3+lenny4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.8_5.0.3-3+lenny4_sparc.deb

    * Debian libmapscript-ruby1.9_5.0.3-3+lenny4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/libmapscript- ruby1.9_5.0.3-3+lenny4_sparc.deb

    * Debian mapserver-bin_5.0.3-3+lenny4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-bin _5.0.3-3+lenny4_sparc.deb

    * Debian mapserver-doc_5.0.3-3+lenny4_all.deb
      http://security.debian.org/pool/updates/main/m/mapserver/mapserver-doc _5.0.3-3+lenny4_all.deb

    * Debian perl-mapscript_5.0.3-3+lenny4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/perl-mapscrip t_5.0.3-3+lenny4_sparc.deb

    * Debian php5-mapscript_5.0.3-3+lenny4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/php5-mapscrip t_5.0.3-3+lenny4_sparc.deb

    * Debian python-mapscript_5.0.3-3+lenny4_sparc.deb
      http://security.debian.org/pool/updates/main/m/mapserver/python-mapscr ipt_5.0.3-3+lenny4_sparc.deb


Regents of the University of Minnesota MapServer 4.10.3

    * Regents of the University of Minnesota mapserver-4.10.4.tar.gz
      http://download.osgeo.org/mapserver/mapserver-4.10.4.tar.gz


Regents of the University of Minnesota MapServer 5.2.1

    * Regents of the University of Minnesota mapserver-5.2.2.tar.gz
      http://download.osgeo.org/mapserver/mapserver-5.2.2.tar.gz


[***** End CVE-2009-0839 thru CVE-2009-0843 & CVE-2009-1176 thru CVE-2009-1177 *****]
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at: 
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
UCRL-MI-119788