Andreas:

Your questions now are the same ones we were thinking about this summer
when revising our security policy.

Please read the result of our thinking and see if it makes sense.

My goal is:


   1. Every release that will eventually have a CVE will have a security
   considerations heading
   2. When the CVE is announced the heading will contain more details
   3. This is really a bother ...


For any true emergency I would hope that the volunteers on the
geoserver-security list are in position to do an emergency release on
affected branches and make a prompt disclosure.

But the only true way to be informed is to volunteer on the geoserver-security
email list and help verify incoming reports as they come in. Indeed we have
a backlog of such reports since this is not a paid activity, and nobody has
staff dedicated to the activity.
--
Jody Garnett


On Oct 23, 2023 at 2:04:08 AM, "Watermeyer, Andreas" <
andreas.waterme...@its-digital.de> wrote:

> Hi Jody,
>
>
>
> I think it is OK when a release announcement initially contains an
> unspecific “security considerations” section if that is justified and
> necessary: To me it means I have to keep an eye on that.
>
>
>
> But if a release announcement contains no security considerations at all
> I would assume that there is no security related reason to upgrade to this
> release and I would not check this announcement again.
>
>
>
> So: Do I have to expect the “security considerations” are added newly to a
> release announcement after it has been published, as it was done for 2.23.2?
>
>
>
> Thank you very much for taking care!
>
>
>
> Best regards,
>
> Andreas Watermeyer
>
>
>
>
>
> *From:* Jody Garnett <jody.garn...@gmail.com>
> *Sent:* Saturday, 21 October 2023 08:48
> *To:* Watermeyer, Andreas <andreas.waterme...@its-digital.de>
> *Cc:* geoserver-devel@lists.sourceforge.net
> *Subject:* Re: [Geoserver-devel] Security considerations for 2.24.0 and
> 2.23.2
>
>
>
> [External e-mail] Be careful when opening links and attachments.
>
> Hello,
>
>
>
> We have been updating our security policy, as we figure out how to inform
> folks of security vulnerabilities.
>
>
>
> It is hard to encourage people to update, without being in a position to
> tell why (yet).
>
>
>
> Please see GSIP-220 for the proposal:
>
> https://github.com/geoserver/geoserver/wiki/GSIP-220
>
>
>
> In the coming weeks (maybe at foss4gna) when I have time I will publish
> some CVE numbers that are presently in draft, and update the release
> announcement “security vulnerability” sections.
>
>
>
> But this really is when I have time, and I am quite exhausted :)
>
>
>
> Jody
>
>
>
> On Fri, Oct 20, 2023 at 2:28 AM Watermeyer, Andreas <
> andreas.waterme...@its-digital.de> wrote:
>
> Hello community,
>
> 1)
> reviewing the GeoServer security policy I found the approach of a
> "Coordinated vulnerability disclosure" very reasonable. Thanks for taking
> security seriously. Regarding:
>
>         4. A fix is included for the "stable" and "maintenance" downloads
> [...]
>
> Does that mean that GeoServer 2.23.2 from 2023-07-21 already contains the
> security patches relevant for this release?
> Or will there be a 2.23.3? A backport would be useful in this situation
> because of the GeoTools API-package introduction, making it harder to
> upgrade.
>
> 2)
> I regularly check for new GeoServer releases and especially the "security
> considerations" in the release announcements. I am also keeping book of my
> activities. Result: I checked the GeoServer announcement for 2.23.2 from
> 2023-07-21 on 2023-08-21 (after my summer vacation :-) ) and I found NO
> security considerations for this release. Checking the same release *NOW*
> there *ARE* security considerations for this release.
>
> Current announcement for 2.23.2:
>
> https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html
>
> Original announcement for 2.23.2:
>
> http://web.archive.org/web/20230731072113/https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html
>
> I suppose this happened by mistake or is this expected behavior?
>
> Best regards and have a nice weekend,
> Andreas Watermeyer
>
>
>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
>