This morning, MapServer 5.6.4 and 4.10.6 have been released with some important security fixes. Even if we are not aware of any exploit for the issues, all users are strongly advised to upgrade. All the details are available in the release announcement.
In the last couple of years, MapServer has started to attract the attention of security-aware organizations who have performed audits of the source code. These audits sometimes lead to potential vulnerability reports and security releases like what happened this morning, but there is more to this...
I like to think of the increasing number of MapServer source code audits as a good thing for a few reasons:
- First this confirms that MapServer has hit the critical mass required to attract the attention of groups large enough to afford security audits. It's always good to hear that your software is widely used and getting attention from the Big Guys.
- Thanks to MapServer's open source nature, security experts can perform quality assurance on its source code and share their findings and recommendations with us, this of course leads to better software for the users, but also means that we as developers can learn a lot from their reports and get better at writing secure code over time.
- All this comes at no direct cost for us. That's open source at its best: those audits are contributions to the project by the users themselves.
P.S. In addition to the potential vulnerability fixes that were released this morning, the last security audit report that we received also contained some more general recommendations that we will be working on in the next few weeks. So you can expect that MapServer 6.0 will be an even more secure release!