On Saturday, 26 February 2022 8:26:31 AM AEDT Michael Steigemann via Geoserver-users wrote:
> Some days ago I was happy to find out that the LOG4J 1.2 component is going
> to be replaced in the next major release of geoserver:
> https://github.com/geoserver/geoserver/wiki/Update-or-replace-Log4J-1-library .

Indeed, and anyone who has an interest in this outcome should contribute to the fund-raising efforts that make that happen (https://github.com/geoserver/geoserver/wiki/Sponsor).

> Since the topic of security vulnerabilities in libraries is an important
> issue right now I have done a dependency check on the GeoServer release
> 2.20.2 recently.

Please understand that this is not very useful (in some ways it's just alarmist) without some analysis. In particular, determining whether geoserver is susceptible to the kind of attacks that are listed, and under what circumstances, is important.

If you do have a security issue to report on the basis of the analysis, please follow the responsible disclosure policy at https://github.com/geoserver/geoserver/blob/main/SECURITY.md#reporting-a-vulnerability and if the issue is important to you, please consider a commercial support option (see http://geoserver.org/support/ for a list, none of which I am associated with) if you are unable to provide the fix yourself.

> Are there any plans to update the libraries to a safe version?

Public plans for larger upgrades are on the wiki (see https://github.com/geoserver/geoserver/wiki/Proposals).

Brad