Pieter asks:

> Sorry, to avoid further confusion a short update. I see some reference to other CVEs than I was referring to. Maybe caused by me.
>
> But my prime question was that I found a reference stating that for NCSC-2024-0274 there were fixes released for 2.25, 2.24, 2.23, 2.21. Version 2.22 was missing in this list and if there was a reason for that or that we could use the fixes of version 2.21 also on 2.22.
You asked on a number of channels, here is my response from OSGeo general chat:

> I assume the volunteer who made a patch jar (which is just a mitigation not a full release) only had need to patch select versions.
>
> 2.22.x is well out of community support. It is kind of GeoSolutions to share "hot fix" jars as part of the response.
>
> My own question, we communicated the need to update and urgency two weeks ago, before public disclosure. How did you learn about the above now? (We recently adjusted our security policies ahead of European regulation and I seek to learn about our communication channels)

So there is no technical limitation; folks just do what they can.

Aside: What is the NCSC-2024-0274 number? Looks to be a country specific number for CVE-2024-36401 ...

--
Jody Garnett

On Jun 30, 2024 at 10:42:11 PM, Jody Garnett <jody.garn...@gmail.com> wrote:

> Hey everyone,
>
> I trust if you are responsible for a GeoServer instance you managed to update in the last two weeks.
>
> The details of the vulnerabilities mentioned are now available:
>
> - CVE-2024-36401 <https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv>: Remote Code Execution (RCE) vulnerability in evaluating property name expressions
> - CVE-2024-34696 <https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf>: GeoServer's Server Status shows sensitive environmental variables and Java properties
> - CVE-2024-24749 <https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3>: Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat
>
> I am not going to go over the details in email; one of the goals of using the CVE system is to avoid duplicated or outdated information. So you always have a single point of truth where you can check on the status.
>
> As we are relatively new to using the CVE system to broadcast vulnerabilities I am curious how it is working for you? It is quite complicated to indicate the version range / version patch information to correctly show up for automated scans. If your infrastructure does use automated scans please let me know if the scan was able to detect a vulnerable version.
>
> A lot of folks put work into GeoServer each month, and this kind of troubleshooting takes some effort to resolve and communicate. If you are a public institution or service provider using a GeoServer instance please consider volunteering on the geoserver-security list.
>
> We would also really appreciate more participation around testing the release candidates each March / September. These activities are where we as a community share effort, and manage risk, as a team - so it is not so expensive to put out updates each month.
>
> Thanks to Steve Ikeoka, David Blasby and Andrea for working on fixes/mitigations. I can also acknowledge Peter and myself for getting the release out promptly. This has been a good team effort.
>
> And thank you for patching yourself over the last week (and if you have not done so already you best hustle...).
>
> --
> Jody Garnett
>
> On Jun 15, 2024 at 11:46:57 AM, Jody Garnett <jody.garn...@gmail.com> wrote:
>
>> Hey folks,
>>
>> There will be an important GeoServer drop this upcoming Tuesday where we do simultaneous releases of GeoServer 2.25.2 and 2.24.4 - and ask folks to update promptly.
>>
>> Please plan your time this week accordingly.
>>
>> https://github.com/geoserver/geoserver/wiki/Release-Schedule
>>
>> Thanks to my employer GeoCat (and customers) we will be doing a GeoServer 2.23.6 release for those not in a position to upgrade quite yet.
>>
>> Jody
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users