CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
96.0%
The releases contain fixes for issues discovered in an audit of the CGI by a 3rd party (tickets #2939, #2941, #2942, #2943 and #2944). The issues are detailed at: http://trac.osgeo.org/mapserver/ticket/2939 http://trac.osgeo.org/mapserver/ticket/2941 http://trac.osgeo.org/mapserver/ticket/2942 http://trac.osgeo.org/mapserver/ticket/2943 http://trac.osgeo.org/mapserver/ticket/2944 Also provided is support for RFC-56 that addresses tightening up the control of access to mapfiles and templates:
http://mapserver.org/development/rfc/ms-rfc-56.html
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2009-3357.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(37298);
script_version("1.15");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");
script_cve_id("CVE-2009-0839", "CVE-2009-0840", "CVE-2009-0841", "CVE-2009-0842", "CVE-2009-0843", "CVE-2009-1176", "CVE-2009-1177");
script_xref(name:"FEDORA", value:"2009-3357");
script_name(english:"Fedora 10 : mapserver-5.2.2-1.fc10 (2009-3357)");
script_summary(english:"Checks rpm output for the updated package.");
script_set_attribute(
attribute:"synopsis",
value:"The remote Fedora host is missing a security update."
);
script_set_attribute(
attribute:"description",
value:
"The releases contain fixes for issues discovered in an audit of the
CGI by a 3rd party (tickets #2939, #2941, #2942, #2943 and #2944). The
issues are detailed at: http://trac.osgeo.org/mapserver/ticket/2939
http://trac.osgeo.org/mapserver/ticket/2941
http://trac.osgeo.org/mapserver/ticket/2942
http://trac.osgeo.org/mapserver/ticket/2943
http://trac.osgeo.org/mapserver/ticket/2944 Also provided is support
for RFC-56 that addresses tightening up the control of access to
mapfiles and templates:
http://mapserver.org/development/rfc/ms-rfc-56.html
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
);
# http://mapserver.org/development/rfc/ms-rfc-56.html
script_set_attribute(
attribute:"see_also",
value:"https://mapserver.org/development/rfc/ms-rfc-56.html"
);
script_set_attribute(
attribute:"see_also",
value:"http://trac.osgeo.org/mapserver/ticket/2939"
);
script_set_attribute(
attribute:"see_also",
value:"http://trac.osgeo.org/mapserver/ticket/2941"
);
script_set_attribute(
attribute:"see_also",
value:"http://trac.osgeo.org/mapserver/ticket/2942"
);
script_set_attribute(
attribute:"see_also",
value:"http://trac.osgeo.org/mapserver/ticket/2943"
);
script_set_attribute(
attribute:"see_also",
value:"http://trac.osgeo.org/mapserver/ticket/2944"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.redhat.com/show_bug.cgi?id=493364"
);
# https://lists.fedoraproject.org/pipermail/package-announce/2009-April/022093.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?7a686300"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected mapserver package."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_cwe_id(20, 22, 119, 200);
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mapserver");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10");
script_set_attribute(attribute:"patch_publication_date", value:"2009/04/06");
script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Fedora Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
flag = 0;
if (rpm_check(release:"FC10", reference:"mapserver-5.2.2-1.fc10")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mapserver");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0839
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0840
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0841
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0842
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0843
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1176
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1177
trac.osgeo.org/mapserver/ticket/2939
trac.osgeo.org/mapserver/ticket/2941
trac.osgeo.org/mapserver/ticket/2942
trac.osgeo.org/mapserver/ticket/2943
trac.osgeo.org/mapserver/ticket/2944
www.nessus.org/u?7a686300
bugzilla.redhat.com/show_bug.cgi?id=493364
mapserver.org/development/rfc/ms-rfc-56.html