Hi Jody,

I think it is OK when a release announcement initially contains an unspecific "security considerations" section if that is justified and necessary: to me it means I have to keep an eye on that.

But if a release announcement contains no security considerations at all, I would assume that there is no security-related reason to upgrade to this release, and I would not check this announcement again. So: do I have to expect that "security considerations" are added newly to a release announcement after it has been published, as was done for 2.23.2?

Thank you very much for taking care!

Best regards,
Andreas Watermeyer

From: Jody Garnett <jody.garn...@gmail.com>
Sent: Saturday, 21 October 2023 08:48
To: Watermeyer, Andreas <andreas.waterme...@its-digital.de>
Cc: geoserver-devel@lists.sourceforge.net
Subject: Re: [Geoserver-devel] Security considerations for 2.24.0 and 2.23.2

Hello,

We have been updating our security policy, as we figure out how to inform folks of security vulnerabilities. It is hard to encourage people to update without being in a position to tell why (yet).

Please see GSIP-220 for the proposal: https://github.com/geoserver/geoserver/wiki/GSIP-220

In the coming weeks (maybe at foss4gna) when I have time I will publish some CVE numbers that are presently in draft, and update the release announcement "security vulnerability" sections. But this really is when I have time, and I am quite exhausted :)

Jody

On Fri, Oct 20, 2023 at 2:28 AM Watermeyer, Andreas <andreas.waterme...@its-digital.de> wrote:

Hello community,

1) Reviewing the GeoServer security policy, I found the approach of a "Coordinated vulnerability disclosure" very reasonable. Thanks for taking security seriously.

Regarding: 4. A fix is included for the "stable" and "maintenance" downloads [...]

Does that mean that GeoServer 2.23.2 from 2023-07-21 already contains the security patches relevant for this release? Or will there be a 2.23.3?

A backport would be useful in this situation because of the GeoTools API-package introduction, making it harder to upgrade.

2) I regularly check for new GeoServer releases and especially the "security considerations" in the release announcements. I am also keeping a record of my activities. Result: I checked the GeoServer announcement for 2.23.2 from 2023-07-21 on 2023-08-21 (after my summer vacation :-) ) and I found NO security considerations for this release. Checking the same release *NOW* there *ARE* security considerations for this release.

Current announcement for 2.23.2: https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html

Original announcement for 2.23.2: http://web.archive.org/web/20230731072113/https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html

I suppose this happened by mistake, or is this expected behavior?

Best regards and have a nice weekend,
Andreas Watermeyer

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel