Ben:
(1) Doing a mvn dependency:tree shows that the commons-beanutils jar is
coming from gt-imagemosaic. This is probably something we should fix.
Talking to Kevin, upgrading this will include a version update of the jar,
so will need some testing. Also note that the gt-imagemosaic jar is a
dependency for several other geotools modules.

(2) I just took a look at the GeoTools 15.1 bin, and it also contains
gt-complex-15.1-tests.jar. I am equally curious as to why this is included,
although perhaps not curious enough for it to hold up this milestone
release.

I am going to move forward with the milestone release, but we should
definitely keep both these issues in mind moving forward (and also take a
look at GeoTools 15, as it is affected by both these issues).

Torben


On Fri, Aug 12, 2016 at 5:17 PM, Ben Caradoc-Davies <b...@transient.nz>
wrote:

> Looking through the bin.zip, I noticed:
>
> (1) commons-beanutils-1.7.0.jar is present. This JAR was removed from
> GeoServer and replaced with the customised 
> commons-beanutils-1.9.2-noclassprop.jar
> because it enabled a remote code execution vulnerability. See Kevin and
> Andrea for details. Should GeoTools ship 1.7.0 or switch to
> 1.9.2-noclassprop to protect GeoTools users?
>
> (2) gt-complex-16-M0-tests.jar is present. This is the only *-tests.jar
> included in the bin-zip. I wonder why?
>
> All the other contents look sane to me.
>
> Kind regards,
> Ben.
>
>
> On 13/08/16 11:50, Torben Barsballe wrote:
>
>> The GeoTools 16-M0 release artifacts available for testing from:
>> http://ares.boundlessgeo.com/geotools/release/16-M0/
>>
>> Torben
>>
>>
>>
>> ------------------------------------------------------------
>> ------------------
>> What NetFlow Analyzer can do for you? Monitors network bandwidth and
>> traffic
>> patterns at an interface-level. Reveals which users, apps, and protocols
>> are
>> consuming the most bandwidth. Provides multi-vendor support for NetFlow,
>> J-Flow, sFlow and other flows. Make informed decisions using capacity
>> planning reports. http://sdm.link/zohodev2dev
>>
>>
>>
>> _______________________________________________
>> GeoTools-Devel mailing list
>> GeoTools-Devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geotools-devel
>>
>>
> --
> Ben Caradoc-Davies <b...@transient.nz>
> Director
> Transient Software Limited <http://transient.nz/>
> New Zealand
>
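The "class property" exposure behind point (1) is easy to reproduce and easy to check for in a build. The following is an added example, not code from GeoTools or GeoServer and not the contents of the customised 1.9.2-noclassprop jar (which the thread only names; its exact patch is not shown here). It uses stock commons-beanutils 1.9.2 APIs: a property path such as `class.classLoader`, resolved by `PropertyUtils.getProperty`, walks from any bean to its `ClassLoader`, which is the hook the remote code execution chains use. `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` (present from 1.9.2; stock 1.7.0 has no equivalent) removes the `class` property from introspection. The `Bean` class and the attacker-supplied path are constructed for the demonstration.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Demonstrates the "class" property exposure in commons-beanutils and the
 * 1.9.2+ mitigation. Requires commons-beanutils >= 1.9.2 on the classpath.
 */
public class ClassPropertyCheck {

    /** Ordinary bean, standing in for any object reachable by property name. */
    public static class Bean {
        private String name = "demo";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Returns true if the given property path resolves on the bean, i.e. if an
     * attacker-controlled path like "class.classLoader" reaches the ClassLoader.
     */
    public static boolean pathResolves(Object bean, String path) {
        try {
            return PropertyUtils.getProperty(bean, path) != null;
        } catch (NoSuchMethodException e) {
            // Thrown once "class" is no longer a known property of the bean.
            return false;
        } catch (ReflectiveOperationException e) {
            return false;
        }
    }

    /** Applies the 1.9.2 mitigation to the shared PropertyUtilsBean instance. */
    public static void suppressClassProperty() {
        PropertyUtilsBean utils = BeanUtilsBean.getInstance().getPropertyUtils();
        utils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per class; drop the cache so the new
        // introspector is consulted on the next lookup.
        utils.clearDescriptors();
    }

    public static void main(String[] args) {
        Bean bean = new Bean();
        // Constructed attacker input, e.g. a request parameter naming a property.
        String hostilePath = "class.classLoader";

        System.out.println("before mitigation, " + hostilePath + " resolves: "
                + pathResolves(bean, hostilePath));   // true with default 1.9.2 settings

        suppressClassProperty();

        System.out.println("after mitigation, " + hostilePath + " resolves: "
                + pathResolves(bean, hostilePath));   // false
        System.out.println("legitimate property 'name' still resolves: "
                + pathResolves(bean, "name"));        // true
    }
}
```

The same check doubles as a release-time smoke test: run it against the jar that actually ends up in the bin distribution (here the one pulled in transitively by gt-imagemosaic) rather than the one the POM names, since `mvn dependency:tree` is what tells you which version wins. Note that the suppression is per `PropertyUtilsBean` instance; code that constructs its own `BeanUtilsBean` is not covered by the global call above, which is presumably why a modified jar was preferred over a runtime setting.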