In file: https://github.com/geoserver/geoserver/blob/master/src/pom.xml is:


  <dependency>
    <groupId>commons-fileupload</groupId>
    <artifactId>commons-fileupload</artifactId>
    <version>1.2.1</version>
  </dependency>


This version of this library has a serious vuln described at: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031


Even if the geoserver app isn't vulnerable to the specific issue in this old 
version of commons-fileupload, it's better to upgrade anyway so others don't 
have to wonder/worry if it introduces a vulnerability.


I would also recommend the geoserver project run OWASP's dependency-check maven 
plugin and upgrade any other libraries it flags that have known vulnerabilities.


-Dave
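One way to act on both recommendations in a Maven build, as an added example that is not from the mail above and not the GeoServer project's own pom.xml: the commons-fileupload dependency bumped to the release that addresses CVE-2016-1000031, next to an OWASP dependency-check-maven configuration that fails the build when a dependency carries a known high-severity CVE. The plugin groupId, artifactId, `check` goal and the `failBuildOnCVSS` option are the plugin's real settings; the plugin version property and the `org.example` project coordinates are placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder project coordinates; not the GeoServer pom -->
  <groupId>org.example</groupId>
  <artifactId>fileupload-check-example</artifactId>
  <version>0.1.0</version>

  <properties>
    <!-- placeholder: set this to a current dependency-check-maven release -->
    <dependency-check.version>REPLACE_WITH_CURRENT_RELEASE</dependency-check.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <!-- 1.3.3 is the commons-fileupload release that fixed CVE-2016-1000031;
           this version is not stated in the mail, check it against the advisory -->
      <version>1.3.3</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- fail the build if any dependency has a published CVE with CVSS >= 7 -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <!-- the check goal binds to the verify phase by default -->
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place `mvn verify` runs the scan as part of the normal build and writes an HTML report under `target/` even when nothing fails; the first run needs network access to download the NVD data the plugin matches against. Setting a CVSS threshold rather than failing on any finding keeps the build gate meaningful while low-severity items are triaged separately.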



Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users