In the mean time MapServer 7.0.4 has been released fixing CVE-2017-5522. The packages in Debian have been updated to include the fix, as have the packages in the UbuntuGIS PPA.
I've also prepared updates for Ubuntu fixing both CVE-2016-9839 & CVE-2017-5522: https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/log/?h=ubuntu-precise https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/log/?h=ubuntu-trusty https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/log/?h=ubuntu-vivid https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/log/?h=ubuntu-xenial https://anonscm.debian.org/cgit/pkg-grass/mapserver.git/log/?h=ubuntu-yakkety ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2017-5522 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1648998 Title: WMS exception may expose PostGIS connection details for users To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/1648998/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
