From 1f8f741b66c7aa45809d59d34e0ed9418a42cbd2 Mon Sep 17 00:00:00 2001 From: Jeff McKenna Date: Thu, 7 May 2026 10:46:34 -0300 Subject: [PATCH 1/3] update for 8.6.3 release [build_translations] --- conf.py | 2 +- en/MIGRATION_GUIDE.txt | 27 ++++++++++++++++--- en/announcements/announcements_archive.txt | 31 +++++++++++++++++----- en/development/changelog/changelog-8-6.txt | 10 +++++++ en/download.txt | 2 +- en/download_archives.txt | 2 ++ en/include/announcements.inc | 28 ++++++++++++++----- en/mapscript/index.txt | 2 +- en/mapscript/mapscript-api/index.rst | 2 +- 9 files changed, 86 insertions(+), 20 deletions(-) diff --git a/conf.py b/conf.py index 685e39ae8af..838b90ee425 100644 --- a/conf.py +++ b/conf.py @@ -94,7 +94,7 @@ def __getattr__(cls, name): # The short X.Y version. version = '8.6' # The full version, including alpha/beta/rc tags. -release = '8.6.2' +release = '8.6.3' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. #language = None diff --git a/en/MIGRATION_GUIDE.txt b/en/MIGRATION_GUIDE.txt index 1235989f67c..5b129593047 100644 --- a/en/MIGRATION_GUIDE.txt +++ b/en/MIGRATION_GUIDE.txt @@ -6,7 +6,7 @@ MapServer Migration Guide ***************************************************************************** -:Last Updated: 2026-05-01 +:Last Updated: 2026-05-07 .. contents:: Table of Contents :depth: 2 @@ -22,10 +22,29 @@ MapServer Migration Guide MapServer 8.4 to 8.6 Migration ============================== -- The 8.6.2 release includes a fix for a security flaw in the OpenLayers viewer +- The 8.6.3 release includes a fix for a vulnerability in the SLD parser + (see MapServer's `Security Advisory `__) + + Reminder: you can also disable external SLD access for your WMS services + by setting the following in your mapfile: + + .. code-block:: mapfile + + MAP + ... + WEB + METADATA + "wms_sld_enabled" "false" + ... + END #metadata + END #web + ... + + +- The 8.6.2 release includes a fix for a vulnerability in the OpenLayers viewer (see MapServer's `Security Advisory `__) -- The 8.6.1 release includes a fix for a security flaw in the SLD parser +- The 8.6.1 release includes a fix for a vulnerability in the SLD parser (see CVE record: `CVE-2026-33721 `__, or see MapServer's `Security Advisory `__) @@ -151,7 +170,7 @@ MapServer 8.4 to 8.6 Migration MapServer 8.2 to 8.4 Migration ============================== -- The 8.4.1 release includes a fix for a security flaw for WFS filter requests to +- The 8.4.1 release includes a fix for a vulnerability for WFS filter requests to an OGR backend connection (see CVE record: `CVE-2025-59431 `__, or MapServer's `Security Advisory `__) diff --git a/en/announcements/announcements_archive.txt b/en/announcements/announcements_archive.txt index b7f78c077ae..91d1b9ea6a9 100644 --- a/en/announcements/announcements_archive.txt +++ b/en/announcements/announcements_archive.txt @@ -4,6 +4,22 @@ MapServer Announcement Archives ***************************************************************************** +**2026-05-07 - MapServer 8.6.3 is released** + +.. important:: + Security release available + +The security release of MapServer 8.6.3 has been issued in order to fix +a vulnerability in the SLD parser. See the :ref:`changelog ` +for the list of changes. +You may also review this `Security Advisory `__, +as well as MapServer's `Security Policy `__. +As security for the 7.6 branch has ended, and branches 8.4, 8.2 & 8.0 are not supported, +all users are strongly encouraged to upgrade to the MapServer 8.6.3 release (see the +:ref:`Migration Guide `). + +Head to :ref:`download` to obtain a copy. + **2026-04-20 - MapCache 1.16.0 is released** The major version MapCache 1.16.0 has been released. @@ -17,8 +33,8 @@ Head to :ref:`download` to obtain a copy. .. important:: Security release available -The maintenance release of MapServer 8.6.2 has been issued in order to fix -a security flaw in the OpenLayers viewer (with WMS 1.3.0 requests). +The security release of MapServer 8.6.2 has been issued in order to fix +a vulnerability in the OpenLayers viewer (with WMS 1.3.0 requests). See the :ref:`changelog ` for the list of changes. You may also review this `Security Advisory `__, as well as MapServer's `Security Policy `__. @@ -33,8 +49,8 @@ Head to :ref:`download` to obtain a copy. .. important:: Security release available -The maintenance release of MapServer 8.6.1 has been issued in order to fix -a security flaw in the SLD parser. +The security release of MapServer 8.6.1 has been issued in order to fix +a vulnerability in the SLD parser. See the :ref:`changelog ` for the list of changes. You may also review this `Security Advisory `__, the CVE record: `CVE-2026-33721 `__, @@ -73,8 +89,11 @@ for the full list of changes and head to :ref:`download` to obtain a copy. **2025-09-19 - MapServer 8.4.1 is released** -The maintenance release of MapServer 8.4.1 has been issued in order to fix -a security flaw for WFS filters through OGR. +.. important:: + Security release available + +The security release of MapServer 8.4.1 has been issued in order to fix +a vulnerability for WFS filters through OGR. See the :ref:`changelog ` for the list of changes. You may also review MapServer's `Security Policy `__, the CVE record: `CVE-2025-59431 `__, diff --git a/en/development/changelog/changelog-8-6.txt b/en/development/changelog/changelog-8-6.txt index 1bfb917d42c..2ed2af9df84 100644 --- a/en/development/changelog/changelog-8-6.txt +++ b/en/development/changelog/changelog-8-6.txt @@ -7,6 +7,16 @@ The summary of major changes for this release can be found in the `HISTORY.md `__ file from the source directory. +.. _changelog-8-6-3: + +Changes from 8.6.2 to 8.6.3 +=========================== + +* SLD parser: fix out of bounds access on SLD with only a Rule with a ElseFilter but without a symbolizer ( `#7497 `__ ) (Even Rouault) : `0f05c57 `__ +* Oracle: revert change regarding case insensitive ogc filters ( `#7493 `__ ) (Pierre-Étienne Lord) : `ce02b66 `__ +* update CMake install README ( `#7488 `__ ) (Jeff McKenna) : `dcdfcda `__ +* Oracle: revert change regarding adding subquery to apply sortBy before rownum paging ( `#7491 `__ ) (Jeff McKenna) : `448c69f `__ + .. _changelog-8-6-2: Changes from 8.6.1 to 8.6.2 diff --git a/en/download.txt b/en/download.txt index 2d8ca01608c..3c3cf8185ad 100644 --- a/en/download.txt +++ b/en/download.txt @@ -18,7 +18,7 @@ Current Release(s) * MapServer - * **2026-04-19** MapServer-8.6.2 `tar.gz `__ | `.zip `__ | :ref:`Changelog ` + * **2026-05-07** MapServer-8.6.3 `tar.gz `__ | `.zip `__ | :ref:`Changelog ` * **2025-09-19** MapServer-8.4.1 `tar.gz `__ | `.zip `__ | :ref:`Changelog ` * **2024-09-02** MapServer-8.2.2 `tar.gz `__ | `.zip `__ | :ref:`Changelog ` * **2024-06-11** MapServer-8.0.2 `tar.gz `__ | :ref:`Changelog ` diff --git a/en/download_archives.txt b/en/download_archives.txt index dac607ef3cf..edd1ac14280 100644 --- a/en/download_archives.txt +++ b/en/download_archives.txt @@ -15,6 +15,8 @@ Past Releases .............................................................................. +* **2026-05-07** MapServer-8.6.3 `tar.gz `__ | `.zip `__ | :ref:`Changelog ` + * **2026-04-20** MapCache-1.16.0 `tar.gz `__ | `.zip `__ | :ref:`Changelog ` * **2026-04-19** MapServer-8.6.2 `tar.gz `__ | `.zip `__ | :ref:`Changelog ` diff --git a/en/include/announcements.inc b/en/include/announcements.inc index 05927fedd88..d6741220ab7 100644 --- a/en/include/announcements.inc +++ b/en/include/announcements.inc @@ -1,3 +1,19 @@ +**2026-05-07 - MapServer 8.6.3 is released** + +.. important:: + Security release available + +The security release of MapServer 8.6.3 has been issued in order to fix +a vulnerability in the SLD parser. See the :ref:`changelog ` +for the list of changes. +You may also review this `Security Advisory `__, +as well as MapServer's `Security Policy `__. +As security for the 7.6 branch has ended, and branches 8.4, 8.2 & 8.0 are not supported, +all users are strongly encouraged to upgrade to the MapServer 8.6.3 release (see the +:ref:`Migration Guide `). + +Head to :ref:`download` to obtain a copy. + **2026-04-20 - MapCache 1.16.0 is released** The major version MapCache 1.16.0 has been released. @@ -11,8 +27,8 @@ Head to :ref:`download` to obtain a copy. .. important:: Security release available -The maintenance release of MapServer 8.6.2 has been issued in order to fix -a security flaw in the OpenLayers viewer (with WMS 1.3.0 requests). +The security release of MapServer 8.6.2 has been issued in order to fix +a vulnerability in the OpenLayers viewer (with WMS 1.3.0 requests). See the :ref:`changelog ` for the list of changes. You may also review this `Security Advisory `__, as well as MapServer's `Security Policy `__. @@ -27,8 +43,8 @@ Head to :ref:`download` to obtain a copy. .. important:: Security release available -The maintenance release of MapServer 8.6.1 has been issued in order to fix -a security flaw in the SLD parser. +The security release of MapServer 8.6.1 has been issued in order to fix +a vulnerability in the SLD parser. See the :ref:`changelog ` for the list of changes. You may also review this `Security Advisory `__, the CVE record: `CVE-2026-33721 `__, @@ -51,8 +67,8 @@ for the full list of changes and head to :ref:`download` to obtain a copy. .. important:: Security release available -The maintenance release of MapServer 8.4.1 has been issued in order to fix -a security flaw for WFS filters through OGR. +The security release of MapServer 8.4.1 has been issued in order to fix +a vulnerability for WFS filters through OGR. See the :ref:`changelog ` for the list of changes. You may also review MapServer's `Security Policy `__, the CVE record: `CVE-2025-59431 `__, diff --git a/en/mapscript/index.txt b/en/mapscript/index.txt index 69ddd4a58d9..bbd0da14d48 100644 --- a/en/mapscript/index.txt +++ b/en/mapscript/index.txt @@ -10,7 +10,7 @@ Since the MapServer 8.0.0 release PHP support is only available through MapServer's :ref:`SWIG API `. Supported versions are PHP 8.5 and - PHP 8.4 with MapServer 8.6.1 + PHP 8.4 with MapServer 8.6.3 .. toctree:: :maxdepth: 2 diff --git a/en/mapscript/mapscript-api/index.rst b/en/mapscript/mapscript-api/index.rst index 2f8db486b07..4916dd607e9 100644 --- a/en/mapscript/mapscript-api/index.rst +++ b/en/mapscript/mapscript-api/index.rst @@ -47,7 +47,7 @@ meaningless, and even dangerous attributes might be exposed by objects. Since the MapServer 8.0.0 release PHP support is only available through MapServer's :ref:`SWIG API `. Supported versions are PHP 8.5 and - PHP 8.4 with MapServer 8.6.1 + PHP 8.4 with MapServer 8.6.3 ============================================================================= Appendices From ed1b0b07210bf572c1124757d276d4a2ce342d76 Mon Sep 17 00:00:00 2001 From: Jeff McKenna Date: Thu, 7 May 2026 10:49:09 -0300 Subject: [PATCH 2/3] update for 8.6.3 release [build_translations] --- en/development/changelog/changelog-8-6.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/en/development/changelog/changelog-8-6.txt b/en/development/changelog/changelog-8-6.txt index 2ed2af9df84..74db82380a5 100644 --- a/en/development/changelog/changelog-8-6.txt +++ b/en/development/changelog/changelog-8-6.txt @@ -12,10 +12,10 @@ file from the source directory. Changes from 8.6.2 to 8.6.3 =========================== -* SLD parser: fix out of bounds access on SLD with only a Rule with a ElseFilter but without a symbolizer ( `#7497 `__ ) (Even Rouault) : `0f05c57 `__ -* Oracle: revert change regarding case insensitive ogc filters ( `#7493 `__ ) (Pierre-Étienne Lord) : `ce02b66 `__ -* update CMake install README ( `#7488 `__ ) (Jeff McKenna) : `dcdfcda `__ -* Oracle: revert change regarding adding subquery to apply sortBy before rownum paging ( `#7491 `__ ) (Jeff McKenna) : `448c69f `__ +* SLD parser: fix out of bounds access on SLD with only a Rule with a ElseFilter but without a symbolizer ( `#7497 `__ ) (Even Rouault) : `0f05c57 `__ +* Oracle: revert change regarding case insensitive ogc filters ( `#7493 `__ ) (Pierre-Étienne Lord) : `ce02b66 `__ +* update CMake install README ( `#7488 `__ ) (Jeff McKenna) : `dcdfcda `__ +* Oracle: revert change regarding adding subquery to apply sortBy before rownum paging ( `#7491 `__ ) (Jeff McKenna) : `448c69f `__ .. _changelog-8-6-2: From 45899da13e390896a2831267abd37bd375e9e03a Mon Sep 17 00:00:00 2001 From: Jeff McKenna Date: Mon, 1 Jun 2026 15:34:04 -0300 Subject: [PATCH 3/3] update for 8.6.4 release [build_translations] --- conf.py | 2 +- en/MIGRATION_GUIDE.txt | 5 +++++ en/announcements/announcements_archive.txt | 20 ++++++++++++++++++++ en/development/changelog/changelog-8-6.txt | 11 +++++++++++ en/include/announcements.inc | 20 ++++++++++++++++++++ 5 files changed, 57 insertions(+), 1 deletion(-) diff --git a/conf.py b/conf.py index 838b90ee425..8ea91b66971 100644 --- a/conf.py +++ b/conf.py @@ -94,7 +94,7 @@ def __getattr__(cls, name): # The short X.Y version. version = '8.6' # The full version, including alpha/beta/rc tags. -release = '8.6.3' +release = '8.6.4' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. #language = None diff --git a/en/MIGRATION_GUIDE.txt b/en/MIGRATION_GUIDE.txt index 5b129593047..0b844b3b64e 100644 --- a/en/MIGRATION_GUIDE.txt +++ b/en/MIGRATION_GUIDE.txt @@ -22,6 +22,11 @@ MapServer Migration Guide MapServer 8.4 to 8.6 Migration ============================== +- The 8.6.4 release includes fixes for two vulnerabilities, see the advisories: + + - `OpenLayers viewer with WMS `__ advisory + - `PostGIS support `__ advisory + - The 8.6.3 release includes a fix for a vulnerability in the SLD parser (see MapServer's `Security Advisory `__) diff --git a/en/announcements/announcements_archive.txt b/en/announcements/announcements_archive.txt index 91d1b9ea6a9..e15290096d9 100644 --- a/en/announcements/announcements_archive.txt +++ b/en/announcements/announcements_archive.txt @@ -4,6 +4,26 @@ MapServer Announcement Archives ***************************************************************************** +**2026-06-01 - MapServer 8.6.4 is released** + +.. important:: + Security release available + +The security release of MapServer 8.6.4 has been issued in order to fix +two vulnerabilities. See the :ref:`changelog ` +for the list of changes. +You may also review the security advisories for this release: + +1. `OpenLayers viewer with WMS `__ advisory +2. `PostGIS support `__ advisory + +You may also review MapServer's `Security Policy `__. +As security for the 7.6 branch has ended, and branches 8.4, 8.2 & 8.0 are not supported, +all users are strongly encouraged to upgrade to the MapServer 8.6.4 release (see the +:ref:`Migration Guide `). + +Head to :ref:`download` to obtain a copy. + **2026-05-07 - MapServer 8.6.3 is released** .. important:: diff --git a/en/development/changelog/changelog-8-6.txt b/en/development/changelog/changelog-8-6.txt index 74db82380a5..6b9e32cdc31 100644 --- a/en/development/changelog/changelog-8-6.txt +++ b/en/development/changelog/changelog-8-6.txt @@ -7,6 +7,17 @@ The summary of major changes for this release can be found in the `HISTORY.md `__ file from the source directory. +.. _changelog-8-6-4: + +Changes from 8.6.3 to 8.6.4 +=========================== + +* PostGIS: make sure identifier value is numeric when the declared type is numeric too ( `#7519 `__ ) (Even Rouault) : `65f1b53 `__ +* WMS OpenLayers output: properly escape mapserv_onlineresource ( `#7518 `__ ) (Even Rouault) : `ff17ef1 `__ +* cgiutil: fix handling of malformed percent-encoding ( `#7515 `__ ) (Stefan Gloor) : `6364c71 `__ +* PostGIS: fix wfs_use_default_extent_for_getfeature=false and PROCESSING=NATIVE_FILTER ( `#7514 `__ ) (Even Rouault) : `6bb14b2 `__ +* Fix incorrect JSON error message output on Index Pages ( `#7513 `__ ) (Seth Girvin) : `7f18840 `__ + .. _changelog-8-6-3: Changes from 8.6.2 to 8.6.3 diff --git a/en/include/announcements.inc b/en/include/announcements.inc index d6741220ab7..5a788c9c114 100644 --- a/en/include/announcements.inc +++ b/en/include/announcements.inc @@ -1,3 +1,23 @@ +**2026-06-01 - MapServer 8.6.4 is released** + +.. important:: + Security release available + +The security release of MapServer 8.6.4 has been issued in order to fix +two vulnerabilities. See the :ref:`changelog ` +for the list of changes. +You may also review the security advisories for this release: + +1. `OpenLayers viewer with WMS `__ advisory +2. `PostGIS support `__ advisory + +You may also review MapServer's `Security Policy `__. +As security for the 7.6 branch has ended, and branches 8.4, 8.2 & 8.0 are not supported, +all users are strongly encouraged to upgrade to the MapServer 8.6.4 release (see the +:ref:`Migration Guide `). + +Head to :ref:`download` to obtain a copy. + **2026-05-07 - MapServer 8.6.3 is released** .. important::