Mark you can email that list, we can also discuss this issue in today's meeting.
For me I just want a consistent policy; but I agree with you that updating a library which contains security fixes is of interest. What is not established is if GeoServer is vulnerable to the CVEs mentioned. In this case it is easier to just update the library; but the missing and important step is the analysis, which is what would be discussed on the geoserver-security mailing list, and shared with our community when all active branches are patched. Presently it is just unknown; we could phrase the release notes as "out of an abundance of caution" but it still would not address that the vulnerability analysis has not been checked.

--
Jody

On Tue, Mar 28, 2023 at 3:04 AM Mark Prins <mc.pr...@gmail.com> wrote:

> On 26-03-2023 16:06, Jody Garnett wrote:
> > Right, keep in mind we do not advertise security details such as CVEs
> > until an update is available for stable and maintenance active branches.
>
> that is a moot point; when the CVE of a library that is used in GeoServer
> is published it should be considered common knowledge and obscurity is
> no longer an option.
>
> Anyone looking at the pom file can see which versions are used, anyone
> running a tool such as dependency-track can trivially create a detailed
> report.
>
> In this specific case I did not evaluate the vulnerability effects in
> GeoServer; I doubt the attack vector exists and that the CVE applies,
> but the library vendor has provided patch versions along with publishing
> the CVE that are trivial to apply.
>
> > Please discuss on geoserver-security email list if you wish to assess
> > and coordinate a maintenance release for example.
>
> since this is a closed list that I'm not part of, discussing there is not
> available to me.
>
> Mark
>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Jody Garnett