Hello community,

1) Reviewing the GeoServer security policy, I found the approach of a "Coordinated vulnerability disclosure" very reasonable. Thanks for taking security seriously. Regarding:

    4. A fix is included for the "stable" and "maintenance" downloads [...]

Does that mean that GeoServer 2.23.2 from 2023-07-21 already contains the security patches relevant for this release? Or will there be a 2.23.3? A backport would be useful in this situation because of the GeoTools API-package introduction, making it harder to upgrade.

2) I regularly check for new GeoServer releases and especially the "security considerations" in the release announcements. I am also keeping book of my activities. Result: I checked the GeoServer announcement for 2.23.2 from 2023-07-21 on 2023-08-21 (after my summer vacation :-) ) and I found NO security considerations for this release. Checking the same release *NOW* there *ARE* security considerations for this release.

Current announcement for 2.23.2:
https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html

Original announcement for 2.23.2:
http://web.archive.org/web/20230731072113/https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html

I suppose this happened by mistake or is this expected behavior?

Best regards and have a nice weekend,
Andreas Watermeyer