Hello,

We have been updating our security policy, as we figure out how to inform folks of security vulnerabilities.
It is hard to encourage people to update, without being in a position to tell why (yet).

Please see GSIP-220 for the proposal: https://github.com/geoserver/geoserver/wiki/GSIP-220

In the coming weeks (maybe at foss4gna) when I have time I will publish some CVE numbers that are presently in draft, and update the release announcement “security vulnerability” sections. But this really is when I have time, and I am quite exhausted :)

Jody

On Fri, Oct 20, 2023 at 2:28 AM Watermeyer, Andreas <andreas.waterme...@its-digital.de> wrote:

> Hello community,
>
> 1)
> reviewing the GeoServer security policy I found the approach of a
> "Coordinated vulnerability disclosure" very reasonable. Thanks for taking
> security seriously. Regarding:
>
> 4. A fix is included for the "stable" and "maintenance" downloads
> [...]
>
> Does that mean, that GeoServer 2.23.2 from 2023-07-21 already contains the
> security patches relevant for this release?
> Or will there be a 2.23.3? A backport would be useful in this situation
> because of the GeoTools API-package introduction, making it harder to
> upgrade.
>
> 2)
> I regularly check for new GeoServer releases and especially the "security
> considerations" in the release announcements. I am also keeping book of my
> activities. Result: I checked the GeoServer announcement for 2.23.2 from
> 2023-07-21 on 2023-08-21 (after my summer vacation :-) ) and I found NO
> security considerations for this release. Checking the same release *NOW*
> there *ARE* security considerations for this release.
>
> Current announcement for 2.23.2:
>
> https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html
>
> Original announcement for 2.23.2:
>
> http://web.archive.org/web/20230731072113/https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html
>
> I suppose this happened by mistake or is this expected behavior?
>
> Best regards and have a nice weekend,
> Andreas Watermeyer
>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel