ELA-1686-1 mapserver security update

Package	mapserver
Version	7.0.4-2+deb9u2 (stretch), 7.2.2-1+deb10u2 (buster)
Related CVEs	CVE-2026-33721

A heap-buffer-overflow was found in mapserver, a CGI-based framework for Internet map services, which could lead to Denial of Service via crafted SLD (Styled Layer Descriptor) sent by a remote unauthenticated attacker.

For Debian 10 buster, these problems have been fixed in version 7.2.2-1+deb10u2.

For Debian 9 stretch, these problems have been fixed in version 7.0.4-2+deb9u2.

We recommend that you upgrade your mapserver packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.