Hi Max,

First up, I am glad you are updating: several proofs of concept hit the internet a couple of days after disclosure, and warnings have escalated a bit in the national security registries as a result.

Running snapshots is great for nightly builds and helping out with development, but not recommended for production. For the level of visibility you seek, you should consider volunteering for the geoserver-security list. If you are in a position to run snapshots, you have the technical skills to assist in verifying and managing incoming and outstanding reports. I updated the guidance last week and would appreciate your questions and feedback: https://docs.geoserver.org/latest/en/developer/policies/security.html

I am trying to be far more forthright about this project needing capacity (financial and manpower). Thanks for your understanding. At current engagement the community here is managing to make a release each month. For greater service there is the option of commercial support or participation.

--
Jody Garnett

On Mon, Jul 8, 2024 at 6:53 AM Maximilian Friedersdorff <m...@friedersdorff.com> wrote:
> Hi All,
>
> In light of the recent-ish CVE: https://www.opencve.io/cve/CVE-2024-36401 I am going around and checking our geoserver versions to check if they are vulnerable. I am a little stumped.
>
> We use the official geoserver images tagged 'docker.osgeo.org/geoserver:2.24.x'. In the web interface of a geoserver so running, the version is reported as 2.24-SNAPSHOT. According to the CVE, versions prior to 2.24.4 are vulnerable. Now I think we're fine in practice, because the build date is reported as 2024-07-05 and 24.4.4 was released 3 weeks ago, but still.
>
> I can't find anything in the geoserver documentation that details what exactly the SNAPSHOT version is. Is there a good way to confirm whether or not the geoserver is vulnerable to CVE-2024-36401 with some amount of certainty?
>
> Many Thanks
> Max
>
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to this list:
> - Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
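Max's question comes down to classifying a version string against the fix version an advisory names, with the complication that a SNAPSHOT build has no patch number to compare. The script below is an added example for this thread, not code from the GeoServer project or from either poster. It assumes version strings of the form "2.24.3" or "2.24-SNAPSHOT" as shown in the web interface; the only fix version it knows, 2.24.4 for the 2.24 branch, is the one quoted from the CVE in the thread, and the fix release date used in the usage lines is a labelled placeholder to be replaced with the date from the release notes. Fix versions for other branches are left to the caller to supply from the advisory.

```python
"""
Classify a GeoServer version string against a CVE's fix version.

Added example for this thread; not GeoServer project code.
Assumptions not from the thread: version-string shapes handled by
_VERSION_RE, and that the only branch/fix pair we know is 2.24 -> 2.24.4.
"""
import re
from datetime import date

# Only the 2.24 entry comes from the CVE text quoted in the thread; any other
# branch is a placeholder the caller must fill in from the advisory.
FIXED_VERSIONS = {"2.24": "2.24.4"}

# Placeholder: replace with the real 2.24.4 release date from the release notes.
FIX_RELEASE_DATE_PLACEHOLDER = "2024-06-17"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-SNAPSHOT)?$")


def parse_version(text):
    """Split 'major.minor[.patch][-SNAPSHOT]' into (major, minor, patch, is_snapshot).

    patch is None for snapshot-style strings such as '2.24-SNAPSHOT'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version string: {text!r}")
    major, minor, patch, snapshot = m.groups()
    return int(major), int(minor), (int(patch) if patch is not None else None), snapshot is not None


def assess(version_text, build_date=None, fix_release_date=None, fixed_versions=FIXED_VERSIONS):
    """Return 'fixed', 'vulnerable' or 'indeterminate'.

    Release versions are compared numerically with the branch's fix version.
    A SNAPSHOT carries no patch number, so the only evidence is its build date
    (ISO strings, e.g. '2024-07-05'): a snapshot built before the fix release
    cannot contain the fix; one built after it probably does, but that is not
    proof, so it stays 'indeterminate' until the git revision or release notes
    settle it.
    """
    major, minor, patch, snapshot = parse_version(version_text)
    fixed = fixed_versions.get(f"{major}.{minor}")
    if fixed is None:
        return "indeterminate"          # branch not covered by the data we have
    fix_major, fix_minor, fix_patch, _ = parse_version(fixed)

    if snapshot or patch is None:
        if build_date is not None and fix_release_date is not None:
            built = date.fromisoformat(build_date)
            released = date.fromisoformat(fix_release_date)
            if built < released:
                return "vulnerable"     # snapshot predates the fix release
        return "indeterminate"

    return "fixed" if (major, minor, patch) >= (fix_major, fix_minor, fix_patch) else "vulnerable"


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: a release version, and the
    # snapshot string plus build date shown by the web interface.
    print(assess("2.24.3"))
    print(assess("2.24.4"))
    print(assess("2.24-SNAPSHOT", "2024-07-05", FIX_RELEASE_DATE_PLACEHOLDER))
```

The snapshot case deliberately never returns "fixed": a build date after the fix release is the "we're fine in practice" reasoning from the thread, and the script keeps it at "indeterminate" so that the git revision or release notes remain the deciding evidence rather than a date comparison.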