Register | Log in

mapserver

Choose email to subscribe with

general

source: mapserver (main)
version: 8.6.4-1
maintainer: Debian GIS Project (archive) (DMD)
uploaders: Francesco Paolo Lovergine [DMD] – Alan Boudreault [DMD] – Bas Couwenberg [DMD]
arch: all any
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 7.6.2-1
o-o-sec: 7.6.2-1+deb11u2
oldstable: 8.0.0-3+deb12u1
old-bpo: 8.4.0-1~bpo12+1
stable: 8.4.0-4+deb13u2
stable-bpo: 8.6.4-1~bpo13+1
testing: 8.6.4-1
unstable: 8.6.4-1

versioned links

7.6.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
7.6.2-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.0.0-3+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.4.0-1~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.4.0-4+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.6.4-1~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.6.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

cgi-mapserver
libmapscript-java
libmapscript-perl
libmapserver-dev
libmapserver2t64
mapserver-bin
mapserver-doc
php-mapscript-ng
python3-mapscript

action needed

2 security issues in bullseye high

There are 2 open security issues in bullseye.

1 important issue:

CVE-2026-45104: MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> — it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.

1 issue postponed or untriaged:

CVE-2026-42030: (postponed; to be fixed through a stable update) MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2.

Created: 2026-06-01 Last update: 2026-06-13 22:30

2 security issues in bookworm high

There are 2 open security issues in bookworm.

2 important issues:

CVE-2026-42030: MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2.
CVE-2026-45104: MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> — it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.

Created: 2026-05-09 Last update: 2026-06-13 22:30

Depends on packages which need a new maintainer normal

The packages that mapserver depends on which need a new maintainer are:

docbook-xsl (#802370)
- Build-Depends: docbook-xsl

Created: 2023-09-01 Last update: 2026-06-27 10:00

2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:

CVE-2026-42030: (needs triaging) MapServer is a system for developing web-based GIS applications. From version 6.0 to before version 8.6.2, a reflected XSS vulnerability in MapServer's WMS server allows an unauthenticated attacker to inject arbitrary HTML/JavaScript into the browser of any user who opens a crafted WMS URL. The vulnerability is triggered via FORMAT=application/openlayers combined with an unsanitized SRS parameter in WMS 1.3.0 requests. This issue has been patched in version 8.6.2.
CVE-2026-45104: (needs triaging) MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> — it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-03-28 Last update: 2026-06-13 22:30

testing migrations

This package will soon be part of the auto-perl transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
This package will soon be part of the perl-5.42 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[2026-06-06] mapserver 8.6.4-1 MIGRATED to testing (Debian testing watch)
[2026-06-06] Accepted mapserver 8.6.4-1~bpo13+1 (source) into stable-backports (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2026-06-01] Accepted mapserver 8.6.4-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2026-05-09] mapserver 8.6.3-1 MIGRATED to testing (Debian testing watch)
[2026-05-09] Accepted mapserver 8.6.3-1~bpo13+1 (source) into stable-backports (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2026-05-07] Accepted mapserver 8.6.3-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2026-05-04] Accepted mapserver 8.4.0-4+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Guilhem Moulin)
[2026-05-03] Accepted mapserver 8.0.0-3+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Guilhem Moulin)
[2026-04-22] mapserver 8.6.2-1 MIGRATED to testing (Debian testing watch)
[2026-04-22] Accepted mapserver 8.6.2-1~bpo13+1 (source) into stable-backports (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2026-04-19] Accepted mapserver 8.6.2-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2026-04-17] Accepted mapserver 7.6.2-1+deb11u2 (source) into oldoldstable-security (Guilhem Moulin)
[2026-03-26] Accepted mapserver 8.6.1-1~bpo13+1 (source) into stable-backports (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2026-03-26] mapserver 8.6.1-1 MIGRATED to testing (Debian testing watch)
[2026-03-23] Accepted mapserver 8.6.1-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2026-03-23] Accepted mapserver 7.6.2-1+deb11u1 (source) into oldoldstable-security (Guilhem Moulin)
[2025-12-09] Accepted mapserver 8.6.0-1~bpo13+1 (source) into stable-backports (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-12-09] mapserver 8.6.0-1 MIGRATED to testing (Debian testing watch)
[2025-12-03] Accepted mapserver 8.6.0-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-11-27] Accepted mapserver 8.6.0~rc1-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-11-18] Accepted mapserver 8.6.0~beta2-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-11-13] Accepted mapserver 8.6.0~beta1-1~exp1 (source) into experimental (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-11-08] mapserver 8.4.1-2 MIGRATED to testing (Debian testing watch)
[2025-11-03] Accepted mapserver 8.4.1-2 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-11-01] Accepted mapserver 8.4.0-4+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
[2025-09-26] Accepted mapserver 8.4.1-1~bpo13+1 (source amd64 all) into stable-backports (Debian FTP Masters) (signed by: Sebastiaan Couwenberg)
[2025-09-25] mapserver 8.4.1-1 MIGRATED to testing (Debian testing watch)
[2025-09-21] Accepted mapserver 8.4.1-1 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)
[2025-04-08] mapserver 8.4.0-4 MIGRATED to testing (Debian testing watch)
[2025-04-02] Accepted mapserver 8.4.0-4 (source) into unstable (Bas Couwenberg) (signed by: Sebastiaan Couwenberg)

1
2

bugs [bug history graph]

all: 0

links

homepage
lintian
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 8.6.4-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing