Jody,

Sorry, to avoid further confusion a short update. I see some references to other CVEs than the one I was referring to. Maybe caused by me.

But my prime question was that I found a reference stating that for NCSC-2024-0274 there were fixes released for 2.25, 2.24, 2.23, 2.21. Version 2.22 was missing in this list, and I wondered if there was a reason for that or whether we could use the fixes for version 2.21 on 2.22 as well.

Kind regards,

Pieter van der Gijp
Solution Architect
Leidseveer 2, 3511 SB Utrecht | www.bij12.nl
M +31(0)6-14138580
E pieter.vanderg...@bij12.nl

From: Jody Garnett <jody.garn...@gmail.com>
Sent: Wednesday 3 July 2024 18:21
To: Mark Prins <mc.pr...@gmail.com>; Ian Turton <ijtur...@gmail.com>
CC: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Query regarding the reproduction steps of vulnerability CVE-2023-5786

So Ian, what is the right thing to do here? Should I not have replied to this message, to limit discussion of security vulnerabilities (reproducing and verification and so on) to the geoserver-security list? It is a little confusing with your message about not contacting geoserver-security volunteers for announced vulnerabilities. In this case the vulnerability is announced, just not by us! And I agree that the report does not make much sense / is poorly written / was not shared with the team until now...

In any case the geoserver-security list is looking at this CVE now and will either:

a) dispute it - if it cannot be reproduced (we have done this in the past and it did not work)
b) confirm it - by issuing a change / clarification to https://github.com/advisories/GHSA-382v-j99g-hw2p (the only thing we can do as we did not publish the original)

Reference: https://github.com/geoserver/geoserver/wiki/GSIP-220#publicly-reported-issue

--
Jody Garnett

On Jul 1, 2024 at 9:55:48 AM, Mark Prins <mc.pr...@gmail.com> wrote:

> On 01-07-2024 16:43, Jody Garnett wrote:
>> I am not sure we have been notified about that vulnerability; searching my email, you are the first. Just because someone has opened a CVE does not indicate they have contacted the open source project at all. Please forward to the geoserver-security email list (see security policy). It would be helpful if you describe what steps you have already taken to verify so the volunteers do not duplicate your effort.
>
> In fact, just because someone managed to open a CVE record it does not mean there is an actual vulnerability. The records at NIST https://eu01.z.antigena.com/l/adj3oXEQ88o95NyjPoYNbs9rZHodQq5eCk34xVXwkcYP1qMIJdYTWPZEBZKckClcMCYr~cFyL7DeDUsgsV-4BA_B9q1lzjbnggrx2E5iE22do9b-Kz7MJ9~5_G21xZaX8ny4NGnKZmCP1gUM_6sR1eQTq98uCKcWyHX3yBWjfOjpmnnLLDGZJKcFMCl4fMXNQDbT1z7 provide a link to https://github.com/Qxyday/GeoServe---unauthorized. That seems to be the original input and exploit (based on the descriptions and that page I fail to see any vulnerability at all!). Note that the CVE is logged against GWC 1.15.0 and 1.15.1; both are >5 years old and no longer used in project-supported versions of GeoServer afaik.
>
> Mark

_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users