Hi all,
working hours done, I've managed to read a bit about the CVE. I don't think
GeoServer is vulnerable; it looks like in order to
leverage it the code has to serialize and deserialize a certain FileUpload
class, and the attacker needs to manipulate
the serialized version on disk before it gets deserialized.

As far as I can tell, we are not doing anything like that, but just in
case, I've tried a build with the latest version of
commons-fileupload, which is used in the main OGC dispatcher, as well as in
the importer and the backup-restore module.
Both have tests, and the importer definitely does file uploads (think
backup/restore too, but unsure),
so if the build works, there is a good chance we are in a good position (we
got lucky).

Made a pull request here:
https://github.com/geoserver/geoserver/pull/2906

Would be nice if someone could do some manual testing though.

Cheers
Andrea


On Fri, Jun 8, 2018 at 7:25 PM, Andrea Aime <andrea.a...@geo-solutions.it>
wrote:

> On Fri, Jun 8, 2018 at 7:02 PM, Dave Wichers <dave.wich...@ey.com> wrote:
>
>> All,
>>
>>
>> Thanks for jumping on this so quickly. First off, I have no idea if
>> geoserver is vulnerable to the issue in this specific component as I have
>> no idea how it uses this component or if it even actually uses it at all.
>> Lots of projects have dependencies they don't, or barely use. If I knew
>> geoserver was actually vulnerable, I wouldn't have posted it here. I did
>> see the warning about not posting vulns. All I know is that a vulnerable
>> component is included in geoserver. That's all.
>>
>
> Even the suspicion of a vulnerability should not be posted anywhere
> public. We should reword that warning accordingly.
>
>
>> I wanted to simply open a JIRA ticket requesting this upgrade, but that
>> option isn't on/available in GitHub for this project so this mailing list
>> seemed like the only easy way to get in touch with the community on this
>> topic.
>>
>
> GitHub does not track issues indeed, Jira does; we are asking people not to
> report it there either (it's another public place):
> http://geoserver.org/issues/
> https://osgeo-org.atlassian.net/projects/GEOS/summary
>
>
>> I'm glad to see you guys are not only willing to quickly upgrade, but are
>> willing to adopt open source security plugins to help detect such issues in
>> the future, so you can simply fix them in a timely manner as part of your
>> natural maintenance of this project.
>>
>
> I'm afraid there is no such thing as "natural maintenance"; funds flow
> in based on support contracts and implementation
> of new features. Companies allow their devs to do free bug fixing one day
> a month (known as bug fix code sprint), the rest is spare time,
> or it happens that some paying customer wants a particular bug fix and
> this allows it to be done in working hours.
> Library upgrades typically happen during co-located code sprints, that
> happen once a year, for a week (not every year),
> because binary compatibility is not exactly a hallmark of java libraries,
> and we often have to deal with (sometimes significant)
> API and behavioral breaks while doing the upgrade.
>
> Anyone reading this message with java coding skills... please jump in and
> help :-)
>
> Cheers
> Andrea
>



-- 

Regards,
Andrea Aime

==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.
==
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
*With reference to the regulations on the processing of personal data (EU
Reg. 2016/679 - General Data Protection Regulation “GDPR”), please note that
every circumstance relating to this email (its content, any attachments,
etc.) is data whose knowledge is reserved to the sole recipient(s) indicated
by the sender. If this message has reached you by mistake, you are required
to delete it; any other operation is unlawful. I would in any case be
grateful if you could let me know. This email is intended only for the
person or entity to which it is addressed and may contain information that
is privileged, confidential or otherwise protected from disclosure. We
remind that - as provided by European Regulation 2016/679 “GDPR” - copying,
dissemination or use of this e-mail or the information herein by anyone
other than the intended recipient is prohibited. If you have received this
email by mistake, please notify us immediately by telephone or e-mail.*
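Andrea's triage above says the issue only bites when application code deserializes a commons-fileupload class from data an attacker could alter on disk. Besides upgrading the library, a defence-in-depth measure for any code path that does read serialized Java objects from disk is a JDK serialization filter (java.io.ObjectInputFilter, available since Java 9) that allow-lists the expected types and denies the library's package outright, so a tampered blob is rejected before any readObject() of the unexpected class runs. The program below is an added example, not GeoServer code or code from this thread: the UploadMetadata class, its fields, the filter contents and the HashMap used as a stand-in for an unexpected class are all constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/** Allow-list deserialization guard (added example; all names here are constructed). */
public class UploadDeserializationGuard {

    // Patterns are evaluated left to right and the first match decides. The explicit deny
    // on the commons-fileupload package comes first so it still holds if the allow-list is
    // widened later; "!*" at the end rejects every class not listed. Java 9+ API.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.fileupload.**;"
            + "UploadDeserializationGuard$UploadMetadata;"
            + "java.util.ArrayList;java.lang.String;"
            + "maxdepth=5;maxrefs=1000;"
            + "!*");

    /** The only application type this example expects to read back from disk (constructed). */
    static final class UploadMetadata implements Serializable {
        private static final long serialVersionUID = 1L;
        final String fileName;
        final List<String> tags;

        UploadMetadata(String fileName, List<String> tags) {
            this.fileName = fileName;
            this.tags = new ArrayList<>(tags);
        }
    }

    /** Plain Java serialization, standing in for whatever wrote the file to disk. */
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(value);
        }
        return buffer.toByteArray();
    }

    /** Reads one object; the filter vetoes a class before its readObject()/readResolve() runs. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> tags = new ArrayList<>();
        tags.add("importer");
        byte[] expected = serialize(new UploadMetadata("report.pdf", tags));
        UploadMetadata meta = (UploadMetadata) deserialize(expected);
        System.out.println("accepted: " + meta.fileName + " " + meta.tags);

        // Stand-in for a tampered on-disk blob: any class outside the allow-list.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserialize(unexpected);
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it as a single file (`java UploadDeserializationGuard.java` on Java 11+): the first call round-trips the expected object, the second fails with an InvalidClassException whose message reports the filter status as REJECTED. The same filter can be installed process-wide with the `jdk.serialFilter` system property rather than per stream, which is the simpler option when the application does not control every ObjectInputStream a library opens.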
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, by Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
