Hey Peter, I will answer you on the other discussion thread so we do not get too confusing. -- Jody Garnett
On Jul 3, 2024 at 9:41:49 AM, Pieter van der Gijp <pieter.vanderg...@bij12.nl> wrote:

> Jody,
>
> Sorry, to avoid further confusion a short update. I see some reference to
> other CVEs than I was referring to. Maybe caused by me.
>
> But my prime question was that I found a reference stating that for
> NCSC-2024-0274 there were fixes released for 2.25, 2.24, 2.23, 2.21.
> Version 2.22 was missing in this list and if there was a reason for that or
> that we could use the fixes of version 2.21 also on 2.22.
>
> Kind regards,
>
> Pieter van der Gijp
> *Solution Architect*
>
> Leidseveer 2, 3511 SB Utrecht | www.bij12.nl
>
> M +31(0)6-14138580
> E pieter.vanderg...@bij12.nl
>
> *From:* Jody Garnett <jody.garn...@gmail.com>
> *Sent:* Wednesday 3 July 2024 18:21
> *To:* Mark Prins <mc.pr...@gmail.com>; Ian Turton <ijtur...@gmail.com>
> *CC:* geoserver-users@lists.sourceforge.net
> *Subject:* Re: [Geoserver-users] Query regarding the reproduction steps
> of vulnerability CVE-2023-5786
>
> So Ian what is the right thing to do here?
>
> Should I not have replied to this message - to limit discussion of security
> vulnerabilities (reproducing and verification and so on) to the
> geoserver-security list?
>
> It is a little confusing with your message about not contacting
> geoserver-security volunteers for announced vulnerabilities. In this case
> the vulnerability is announced - just not by us! And I agree that the
> report does not make much sense / poorly written / was not shared with team
> until now....
>
> In any case the geoserver-security list is looking at this CVE now and
> will either:
>
> a) dispute it - if it cannot be reproduced (we have done this in the past
> and it did not work)
> b) confirm it - by issuing a change / clarification to
> https://github.com/advisories/GHSA-382v-j99g-hw2p (only thing we can do
> as we did not publish the original)
>
> Reference:
> https://github.com/geoserver/geoserver/wiki/GSIP-220#publicly-reported-issue
>
> --
> Jody Garnett
>
> On Jul 1, 2024 at 9:55:48 AM, Mark Prins <mc.pr...@gmail.com> wrote:
>
> On 01-07-2024 16:43, Jody Garnett wrote:
> > I am not sure we have been notified about that vulnerability, searching
> > my email this you are the first.
> >
> > Just because someone has opened a CVE does not indicate they have
> > contacted the open source project at all. Please forward to
> > geoserver-security email list (see security policy). It would be helpful
> > if you describe what steps you have already taken to verify so the
> > volunteers do not duplicate your effort.
>
> in fact, just because someone managed to open a CVE record it does not
> mean there is an actual vulnerability.
>
> The records at NIST
> https://eu01.z.antigena.com/l/adj3oXEQ88o95NyjPoYNbs9rZHodQq5eCk34xVXwkcYP1qMIJdYTWPZEBZKckClcMCYr~cFyL7DeDUsgsV-4BA_B9q1lzjbnggrx2E5iE22do9b-Kz7MJ9~5_G21xZaX8ny4NGnKZmCP1gUM_6sR1eQTq98uCKcWyHX3yBWjfOjpmnnLLDGZJKcFMCl4fMXNQDbT1z7
> provide a link to
> https://github.com/Qxyday/GeoServe---unauthorized
>
> That seems to be the original input and exploit. (based on the
> descriptions and that page I fail to see any vulnerability at all!)
>
> Note that the CVE is logged against GWC 1.15.0 and 1.15.1, both are >5
> years old and no longer used in project-supported versions of GeoServer
> afaik.
>
> Mark
>
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users