Hey everyone, I trust if you are responsible for a GeoServer instance you managed to update in the last two weeks.
The details of the vulnerabilities mentioned are now available:

- CVE-2024-36401 <https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv>: Remote Code Execution (RCE) vulnerability in evaluating property name expressions
- CVE-2024-34696 <https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf>: GeoServer's Server Status shows sensitive environmental variables and Java properties
- CVE-2024-24749 <https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3>: Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat

I am not going to go over the details in email; one of the goals of using the CVE system is to avoid duplicated or outdated information. So you always have a single point of truth where you can check on the status.

As we are relatively new to using the CVE system to broadcast vulnerabilities, I am curious how it is working for you? It is quite complicated to indicate the version range / version patch information to correctly show up for automated scans. If your infrastructure does use automated scans, please let me know if the scan was able to detect a vulnerable version.

A lot of folks put work into GeoServer each month, and this kind of troubleshooting takes some effort to resolve and communicate. If you are a public institution or service provider using a GeoServer instance, please consider volunteering on the geoserver-security list. We would also really appreciate more participation around testing the release candidates each March / September. These activities are where we as a community share effort, and manage risk, as a team - so it is not so expensive to put out updates each month.

Thanks to Steve Ikeoka, David Blasby and Andrea for working on fixes/mitigations. I can also acknowledge Peter and myself for getting the release out promptly. This has been a good team effort. And thank you for patching yourself over the last week (and if you have not done so already you best hustle...).
--
Jody Garnett

On Jun 15, 2024 at 11:46:57 AM, Jody Garnett <jody.garn...@gmail.com> wrote:

> Hey folks,
>
> There will be an important GeoServer drop this upcoming Tuesday where we
> do a simultaneous releases of GeoServer 2.25.2 and 2.24.4 - and ask folks
> to update promptly.
>
> Please plan your time this week accordingly.
>
> https://github.com/geoserver/geoserver/wiki/Release-Schedule
>
> Thanks to my employer GeoCat (and customers) we will be doing a GeoServer
> 2.23.6 release for those not in a position to upgrade quite yet.
>
> Jody
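Since the mail asks whether automated scans are picking up vulnerable versions, here is an added example (not code from the GeoServer project or from this thread) that classifies reported GeoServer version strings against the patched releases named in the thread: 2.25.2, 2.24.4 and 2.23.6. The rule that a lower patch level on one of those branches, or any older branch, counts as unpatched is an assumption of this example; confirm affected ranges against the linked advisories.

```python
"""Classify GeoServer version strings against the patched releases
named in the thread. Added example; the "older is unpatched" rule is an
assumption to be confirmed against the advisories."""
import re
from typing import Optional, Tuple

# Patched release per 2.x minor branch, as named in the thread.
PATCHED_BY_BRANCH = {
    (2, 25): (2, 25, 2),
    (2, 24): (2, 24, 4),
    (2, 23): (2, 23, 6),
}

# Accepts forms like 2.25.1, 2.25, 2.26-SNAPSHOT, 2.25.0-RC1.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(SNAPSHOT|RC\d*|M\d*))?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, Optional[str]]:
    """Return (major, minor, patch, qualifier); raise ValueError if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qual = m.groups()
    return int(major), int(minor), int(patch or 0), (qual.upper() if qual else None)


def classify(text: str) -> str:
    """Return 'patched', 'unpatched' or 'unknown' for one reported version."""
    major, minor, patch, qual = parse_version(text)
    branch = (major, minor)
    if branch in PATCHED_BY_BRANCH:
        if qual is not None:
            return "unknown"  # pre-release build; the number alone does not tell
        return "patched" if (major, minor, patch) >= PATCHED_BY_BRANCH[branch] else "unpatched"
    if branch > max(PATCHED_BY_BRANCH):
        return "unknown"  # newer branch than any named in the thread (e.g. 2.26-SNAPSHOT)
    return "unpatched"  # assumption: branches older than 2.23 have no fix listed here


def scan(versions):
    """Classify an inventory of reported versions, e.g. from an asset export."""
    return {v: classify(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["2.25.2", "2.25.1", "2.24.4", "2.24.3", "2.23.6", "2.22.5", "2.26-SNAPSHOT"]
    for version, status in scan(sample).items():
        print(f"{version:15} {status}")
```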
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users