So Ian, what is the right thing to do here? Should I not have replied to this message - to limit discussion of security vulnerabilities (reproducing and verification and so on) to the geoserver-security list?
It is a little confusing with your message about not contacting geoserver-security volunteers for announced vulnerabilities. In this case the vulnerability is announced - just not by us! And I agree that the report does not make much sense / is poorly written / was not shared with the team until now.... In any case the geoserver-security list is looking at this CVE now and will either:

a) dispute it - if it cannot be reproduced (we have done this in the past and it did not work)
b) confirm it - by issuing a change / clarification to https://github.com/advisories/GHSA-382v-j99g-hw2p (only thing we can do as we did not publish the original)

Reference: https://github.com/geoserver/geoserver/wiki/GSIP-220#publicly-reported-issue

--
Jody Garnett

On Jul 1, 2024 at 9:55:48 AM, Mark Prins <mc.pr...@gmail.com> wrote:
> On 01-07-2024 16:43, Jody Garnett wrote:
> > I am not sure we have been notified about that vulnerability, searching
> > my email you are the first.
> >
> > Just because someone has opened a CVE does not indicate they have
> > contacted the open source project at all. Please forward to the
> > geoserver-security email list (see security policy). It would be helpful
> > if you describe what steps you have already taken to verify so the
> > volunteers do not duplicate your effort.
> >
>
> In fact, just because someone managed to open a CVE record it does not
> mean there is an actual vulnerability.
>
> The records at NIST
>
> https://nvd.nist.gov/vuln/detail/CVE-2023-5786
>
> provide a link to
>
> https://github.com/Qxyday/GeoServe---unauthorized
>
> That seems to be the original input and exploit. (Based on the
> descriptions and that page I fail to see any vulnerability at all!)
>
> Note that the CVE is logged against GWC 1.15.0 and 1.15.1, both are >5
> years old and no longer used in project-supported versions of GeoServer
> afaik.
>
> Mark
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users