
List:       mapserver-users
Subject:    Re: [mapserver-users] Security Advisory – Limiting
From:       Jeff McKenna <jmckenna () gatewaygeomatics ! com>
Date:       2021-03-31 12:30:01
Message-ID: 82fe51a8-6222-9ebe-6984-ea45ddd1be32 () gatewaygeomatics ! com

All: please share the advisory in your networks: 
https://mapserver.org/announcements/2021-03-30-limit-mapfile-access.html

-the MapServer PSC



On 2021-03-30 3:24 p.m., Steve Lime wrote:
> Hi all: This is an important reminder that, as part of a secure 
> deployment, it is important to limit MapServer CGI access to mapfiles. 
> The MapServer CGI has long supported the use of environment variables as 
> a primary mechanism to do this. If you haven't implemented these 
> controls then that constitutes undue risk that is easily mitigated and 
> we strongly encourage you to do so as soon as possible. It's also a 
> great time to review those settings if you already have them in place as 
> we've recently updated regex examples related to MS_MAP_PATTERN to limit 
> path traversal.
> 
> Relevant documentation can be found at:
> 
> * https://mapserver.org/optimization/limit_mapfile_access.html
>                 
> * https://mapserver.org/environment_variables.html
>  
> Please don't hesitate to reach out with questions.
> 
> --Steve
> 
_______________________________________________
mapserver-users mailing list
mapserver-users@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapserver-users
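
As an added illustration (not part of either message above, and not taken from MapServer's documentation): a small Python check that runs candidate map= values against an MS_MAP_PATTERN regex before it is deployed, showing a loose pattern beside a stricter one. The /opt/mapserver root, both patterns and every sample value are constructed, and Python's re module stands in for MapServer's own regex engine, so confirm the final pattern against the real CGI.

```python
import re

# Constructed patterns for a hypothetical mapfile root of /opt/mapserver.
# Neither is MapServer's documented example.
WEAK_PATTERN = r"^/opt/mapserver/.*\.map$"
STRICT_PATTERN = r"^/opt/mapserver/([A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.map$"

# Constructed map= values paired with whether the deployment should allow them.
CANDIDATES = [
    ("/opt/mapserver/world.map", True),
    ("/opt/mapserver/demo/world.map", True),
    ("/opt/mapserver/../../tmp/other.map", False),
    ("/opt/mapserver/demo/./../../../tmp/other.map", False),
    ("/tmp/upload/other.map", False),
    ("/opt/mapserver/demo/world.map.bak", False),
]

def accepts(pattern, value):
    """True if the pattern matches; search() leaves anchoring to the pattern."""
    return re.search(pattern, value) is not None

def audit(pattern, candidates=CANDIDATES):
    """Return the (value, expected, actual) triples where the pattern disagrees."""
    failures = []
    for value, expected in candidates:
        actual = accepts(pattern, value)
        if actual != expected:
            failures.append((value, expected, actual))
    return failures

if __name__ == "__main__":
    for name, pattern in (("weak", WEAK_PATTERN), ("strict", STRICT_PATTERN)):
        failures = audit(pattern)
        print(f"{name}: {len(failures)} mismatch(es)")
        for value, expected, actual in failures:
            print(f"  {value!r}: expected allow={expected}, pattern gave {actual}")
```

The loose pattern anchors the prefix and the extension but lets ".." segments through in between; the stricter one admits only named path segments, so both traversal samples are rejected.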

