Thanks Ben and Andrea for handling this in a clear manner.

We now have three releases available with the fix:

* http://sourceforge.net/projects/geoserver/files/GeoServer/2.7.1.1/
* http://sourceforge.net/projects/geoserver/files/GeoServer/2.6.4/
* http://sourceforge.net/projects/geoserver/files/GeoServer/2.5.5.1/

The website will be updated shortly, for now please consider the above
links.

--
Jody Garnett

On 23 June 2015 at 13:14, Ben Caradoc-Davies <[email protected]> wrote:

> All GeoServer releases except 2.6.4 have a remote file disclosure
> vulnerability that permits an unauthenticated remote attacker to use a
> malicious request to view any file on the server visible to GeoServer,
> including files outside the data directory.
>
> This vulnerability is fixed in 2.6.4 and in all nightlies including
> those for stable (2.7.x) and master.
>
> All future GeoServer releases will contain a fix for this vulnerability.
>
> See:
>
> https://osgeo-org.atlassian.net/browse/GEOS-7032
>
> http://osgeo-org.1560.x6.nabble.com/Handling-of-GEOS-7032-Remote-File-Disclosure-td5212383.html
>
> Kind regards,
> Ben.
>
>
> -------- Forwarded Message --------
> Subject: [Geoserver-users] GeoServer 2.6.4 Released
> Date: Fri, 19 Jun 2015 08:40:59 +1200
> From: Ben Caradoc-Davies <[email protected]>
> To: [email protected]
>
> http://blog.geoserver.org/2015/06/18/geoserver-2-6-4-released/
> [...]
> The GeoServer team is pleased to announce the release of GeoServer 2.6.4
> [...]
> GeoServer 2.6.4 is a maintenance release of GeoServer recommended for
> production deployment. This release contains *IMPORTANT SECURITY FIXES*
> so please upgrade.
> [...]
>    * *SECURITY*: Fixed a serious vulnerability that allowed arbitrary
>      files on the server to be read by crafting a malicious WFS request
>      <https://osgeo-org.atlassian.net/browse/GEOS-7032>
>
>
> --
> Ben Caradoc-Davies <[email protected]>
> Director
> Transient Software Limited <http://transient.nz/>
> New Zealand
>
>
> ------------------------------------------------------------------------------
> Monitor 25 network devices or servers for free with OpManager!
> OpManager is web-based network management software that monitors
> network devices and physical & virtual servers, alerts via email & sms
> for fault. Monitor 25 devices for free with no restriction. Download now
> http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
> _______________________________________________
> Geoserver-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>