This is very much NOT an appropriate place to discuss. As per our Responsible
Disclosure Policy
<http://docs.geoserver.org/latest/en/user/introduction/gettinginvolved.html#bug-tracking>,
all discussion of any security vulnerability should be by private email to
the PSC or individual developers.

Torben

On Thu, Mar 8, 2018 at 12:36 PM, Erik Merkle <[email protected]>
wrote:

> Hi all, apologies if this isn't the most appropriate place to discuss.
>
> A customer ran a security scan against the GeoFence community module in
> GeoServer and found 4 Medium priority vulnerabilities in the module,
> related to potentially storing passwords in heap/memory. After looking at
> the scan results, the findings were isolated to just
>
> /src/community/geofence/src/main/java/org/geoserver/geoserver/authentication/filter/GeoFenceAuthFilter.java
>
> Upon further investigation, I found that all of the findings were
> contained inside 2 methods, both of which are private. The doAuth() method
> does not appear to be called anywhere in the class, and the getBasicAuth()
> method is only called from within the doAuth() method. I don't really know
> the GeoFence module well, but it would seem that these 2 methods could
> simply be removed from the code.
>
> I have a PR here:
>
> https://github.com/geoserver/geoserver/pull/2791
>
> If I have overlooked something, I would appreciate any comments or
> feedback.
>
>
> Many thanks,
>
> Erik Merkle
> Software Engineer | Boundless
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Geoserver-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
>