To add to Ian's answer:

As an operator of GeoServer take note of the release announcements:

- We include a "Security Considerations" heading in each release where there is a security fix
- When all active branches have the security fix the security considerations section may contain additional details (such as a ticket number).

If we as a community had capacity (budget or volunteers) there is some infrastructure support available in GitHub <https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories> for managing communication around CVE reports.

The PSC maintains a list of known security issues for those volunteering to work on security issues. If you have capacity you may wish to take part. Many of the GeoServer service providers participate on behalf of their customers.

--
Jody Garnett

On Mon, 28 Feb 2022 at 07:59, Watermeyer, Andreas <andreas.waterme...@its-digital.de> wrote:

> Dear GeoServer community,
>
> I have security related questions:
>
> * Is there a procedure by which operators of GeoServer installations can
>   learn of security vulnerabilities that require updating GeoServer?
> * Is there a list of security-related bug fixes made with a release?
>
> If nothing exists:
>
> * Would it be possible to introduce something like a security-announcement
>   mailing list?
> * Would it be possible to list fixed security vulnerabilities per release.
>   For example, Tomcat has a corresponding list, which I find very helpful:
>   https://tomcat.apache.org/security-9.html
>
> Thanks for providing this great tool!
>
> Best regards,
> Andreas
>
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
>   http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
>   http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users