I think if we have disclosed the CVE then all further discussion should be in public, rather than on the security list.
Ian

On Wed, 3 Jul 2024 at 19:20, Jody Garnett <jody.garn...@gmail.com> wrote:

> So Ian what is the right thing to do here?
>
> Should I not have replied to this message - to limit discussion of security vulnerabilities (reproducing and verification and so on) to the geoserver-security list?
>
> It is a little confusing with your message about not contacting geoserver-security volunteers for announced vulnerabilities. In this case the vulnerability is announced - just not by us! And I agree that the report does not make much sense / poorly written / was not shared with team until now....
>
> In any case the geoserver-security list is looking at this CVE now and will either:
>
> a) dispute it - if it cannot be reproduced (we have done this in the past and it did not work)
> b) confirm it - by issuing a change / clarification to https://github.com/advisories/GHSA-382v-j99g-hw2p (only thing we can do as we did not publish the original)
>
> Reference: https://github.com/geoserver/geoserver/wiki/GSIP-220#publicly-reported-issue
> --
> Jody Garnett
>
>
> On Jul 1, 2024 at 9:55:48 AM, Mark Prins <mc.pr...@gmail.com> wrote:
>
>> On 01-07-2024 16:43, Jody Garnett wrote:
>>
>>> I am not sure we have been notified about that vulnerability, searching my email this you are the first.
>>>
>>> Just because someone has opened a CVE does not indicate they have contacted the open source project at all. Please forward to geoserver-security email list (see security policy). It would be helpful if you describe what steps you have already taken to verify so the volunteers do not duplicate your effort.
>>
>> in fact, just because someone managed to open a CVE record it does not mean there is an actual vulnerability.
>>
>> The records at NIST
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2023-5786
>>
>> provide a link to
>>
>> https://github.com/Qxyday/GeoServe---unauthorized
>>
>> That seems to be the original input and exploit. (based on the descriptions and that page I fail to see any vulnerability at all!)
>>
>> Note that the CVE is logged against GWC 1.15.0 and 1.15.1, both are >5 years old and no longer used in project-supported versions of GeoServer afaik.
>>
>> Mark
>>
>>
>> _______________________________________________
>> Geoserver-users mailing list
>>
>> Please make sure you read the following two resources before posting to this list:
>> - Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
>> - The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html
>>
>> If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>
>>
>> Geoserver-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
--
Ian Turton