| Package | mapserver |
|---|---|
| Version | 7.0.4-2+deb9u1 (stretch), 7.2.2-1+deb10u1 (buster) |
| Related CVEs | CVE-2021-32062 CVE-2025-59431 |
Vulnerabilities were found in mapserver, a CGI-based framework for Internet map services, which could lead to security controls bypass or SQL injection.
- CVE-2021-32062

  Due to a logic flaw associated with processing the map parameter, it is possible to specify an arbitrary mapfile that bypasses the MS_MAP_NO_PATH and MS_MAP_PATTERN security control checks.

- CVE-2025-59431

  Alwin Warringa discovered that the XML Filter Query directive PropertyName is vulnerable to Boolean-based SQL injection, allowing manipulation of backend database queries via crafted XML Filter Query directives.
In addition, this update fixes memory and heap-buffer-overflow issues in the lexer.
For Debian 10 buster, these problems have been fixed in version 7.2.2-1+deb10u1.
For Debian 9 stretch, these problems have been fixed in version 7.0.4-2+deb9u1.
We recommend that you upgrade your mapserver packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.