The difficulty is if someone else has disclosed publicly eh? I wrote down some stuff here from GSIP-220 which we can revise over time: https://docs.geoserver.org/latest/en/developer/policies/security.html
--
Jody Garnett

On Wed, Jul 3, 2024 at 11:16 PM Ian Turton <ijtur...@gmail.com> wrote:

> I think if we have disclosed the CVE then all further discussion should be
> in public, rather than on the security list.
>
> Ian
>
> On Wed, 3 Jul 2024 at 19:20, Jody Garnett <jody.garn...@gmail.com> wrote:
>
>> So Ian what is the right thing to do here?
>>
>> Should I not have replied to this message - to limit discussion of security
>> vulnerabilities (reproducing and verification and so on) to the
>> geoserver-security list?
>>
>> It is a little confusing with your message about not contacting
>> geoserver-security volunteers for announced vulnerabilities. In this case
>> the vulnerability is announced - just not by us! And I agree that the
>> report does not make much sense / poorly written / was not shared with team
>> until now....
>>
>> In any case the geoserver-security list is looking at this CVE now and
>> will either:
>>
>> a) dispute it - if it cannot be reproduced (we have done this in the past
>> and it did not work)
>> b) confirm it - by issuing a change / clarification to
>> https://github.com/advisories/GHSA-382v-j99g-hw2p (only thing we can do
>> as we did not publish the original)
>>
>> Reference:
>> https://github.com/geoserver/geoserver/wiki/GSIP-220#publicly-reported-issue
>> --
>> Jody Garnett
>>
>>
>> On Jul 1, 2024 at 9:55:48 AM, Mark Prins <mc.pr...@gmail.com> wrote:
>>
>>> On 01-07-2024 16:43, Jody Garnett wrote:
>>>
>>>> I am not sure we have been notified about that vulnerability; searching
>>>> my email, you are the first.
>>>>
>>>> Just because someone has opened a CVE does not indicate they have
>>>> contacted the open source project at all. Please forward to
>>>> geoserver-security email list (see security policy). It would be helpful
>>>> if you describe what steps you have already taken to verify so the
>>>> volunteers do not duplicate your effort.
>>>
>>> in fact, just because someone managed to open a CVE record it does not
>>> mean there is an actual vulnerability.
>>>
>>> The records at NIST
>>>
>>> https://nvd.nist.gov/vuln/detail/CVE-2023-5786
>>>
>>> provide a link to
>>>
>>> https://github.com/Qxyday/GeoServe---unauthorized
>>>
>>> That seems to be the original input and exploit. (based on the
>>> descriptions and that page I fail to see any vulnerability at all!)
>>>
>>> Note that the CVE is logged against GWC 1.15.0 and 1.15.1, both are >5
>>> years old and no longer used in project-supported versions of GeoServer
>>> afaik.
>>>
>>> Mark
>>>
>>>
>>> _______________________________________________
>>> Geoserver-users mailing list
>>>
>>> Please make sure you read the following two resources before posting to
>>> this list:
>>> - Earning your support instead of buying it, by Ian Turton:
>>> http://www.ianturton.com/talks/foss4g.html#/
>>> - The GeoServer user list posting guidelines:
>>> http://geoserver.org/comm/userlist-guidelines.html
>>>
>>> If you want to request a feature or an improvement, also see this:
>>> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>>
>>>
>>> Geoserver-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>
>
> --
> Ian Turton