Torben, neither are blockers, just observations, and I agree that addressing them should be deferred for future work. Including tests jars causes no harm. commons-beanutils is only a vulnerability in specific types of applications. There is also a hardcoded commons-beanutils 1.7.0 in gt-app-schema.

Kind regards,
Ben.

On 13/08/16 12:33, Torben Barsballe wrote:
> Ben:
> (1) Doing a mvn dependency:tree shows that the commons-beanutils jar is
> coming from gt-imagemosaic. This is probably something we should fix.
> Talking to Kevin, upgrading this will include a version update of the jar,
> so will need some testing. Also note that the gt-imagemosaic jar is a
> dependency for several other geotools modules.
>
> (2) I just took a look at the GeoTools 15.1 bin, and it also contains
> gt-complex-15.1-tests.jar. I am equally curious as to why this is included,
> although perhaps not curious enough for it to hold up this milestone
> release.
>
> I am going to move forward with the milestone release, but we should
> definitely keep both these issues in mind moving forward (and also take a
> look at GeoTools 15, as it is affected by both these issues).
>
> Torben
>
> On Fri, Aug 12, 2016 at 5:17 PM, Ben Caradoc-Davies <b...@transient.nz> wrote:
>
>> Looking through the bin.zip, I noticed:
>>
>> (1) commons-beanutils-1.7.0.jar is present. This JAR was removed from
>> GeoServer and replaced with the customised commons-beanutils-1.9.2-noclassprop.jar
>> because it enabled a remote code execution vulnerability. See Kevin and
>> Andrea for details. Should GeoTools ship 1.7.0 or switch to
>> 1.9.2-noclassprop to protect GeoTools users?
>>
>> (2) gt-complex-16-M0-tests.jar is present. This is the only *-tests.jar
>> included in the bin-zip. I wonder why?
>>
>> All the other contents look sane to me.
>>
>> Kind regards,
>> Ben.
>>
>> On 13/08/16 11:50, Torben Barsballe wrote:
>>
>>> The GeoTools 16-M0 release artifacts available for testing from:
>>> http://ares.boundlessgeo.com/geotools/release/16-M0/
>>>
>>> Torben
>>>
>>
>> --
>> Ben Caradoc-Davies <b...@transient.nz>
>> Director
>> Transient Software Limited <http://transient.nz/>
>> New Zealand
>

--
Ben Caradoc-Davies <b...@transient.nz>
Director
Transient Software Limited <http://transient.nz/>
New Zealand

_______________________________________________
GeoTools-Devel mailing list
GeoTools-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-devel
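The dependency:tree check Torben describes, as an added example that is not GeoTools project code: the script scans the plain-text output of `mvn dependency:tree` for commons-beanutils artifacts whose version is anything other than the hardened 1.9.2-noclassprop build and names the direct dependency that pulls each one in. The two sample trees are constructed to mimic the thread, not real GeoTools output.

```shell
#!/bin/sh
# Added example, not GeoTools project code: audit the plain-text output of
# `mvn dependency:tree` for commons-beanutils artifacts whose version is not
# the hardened 1.9.2-noclassprop build, and report which direct dependency
# pulls each one in (the information the thread had to dig out by hand).

ALLOWED_VERSION='1.9.2-noclassprop'

# Constructed sample trees; the coordinates mimic the thread but are not real
# GeoTools output. First one: gt-imagemosaic drags in commons-beanutils 1.7.0.
SAMPLE_TREE='[INFO] org.geotools:gt-app-schema:jar:16-M0
[INFO] +- org.geotools:gt-complex:jar:16-M0:compile
[INFO] \- org.geotools:gt-imagemosaic:jar:16-M0:compile
[INFO]    \- commons-beanutils:commons-beanutils:jar:1.7.0:compile'

# Second one: only the hardened build is present, so the check should pass.
CLEAN_TREE='[INFO] org.geotools:gt-app-schema:jar:16-M0
[INFO] \- commons-beanutils:commons-beanutils:jar:1.9.2-noclassprop:compile'

# check_beanutils TREE_TEXT
# Prints "<version> via <nearest parent coordinate>" for every offending
# commons-beanutils entry. Exit status 0 = clean, 1 = at least one hit.
check_beanutils() {
    printf '%s\n' "$1" | awk -v ok="$ALLOWED_VERSION" '
        {
            sub(/^\[INFO\] ?/, "")                   # drop the Maven log prefix
            m = match($0, /[+\\]- /)                 # "+- " or "\- " marks a child node
            depth = (m == 0) ? 0 : (m - 1) / 3 + 1   # each level indents 3 columns
            coord = (m == 0) ? $0 : substr($0, m + 3)
            parent[depth] = coord                    # remember nearest ancestor per level
            split(coord, f, ":")                     # groupId:artifactId:type:version:scope
            if (f[1] == "commons-beanutils" && f[2] == "commons-beanutils" && f[4] != ok) {
                printf "%s via %s\n", f[4], (depth > 0 ? parent[depth - 1] : "(root)")
                bad = 1
            }
        }
        END { exit bad }'
}

# Stand-alone demo; for a real module run:
#   mvn dependency:tree > tree.txt ; check_beanutils "$(cat tree.txt)"
check_beanutils "$SAMPLE_TREE" || echo "banned commons-beanutils version present"
check_beanutils "$CLEAN_TREE" && echo "clean tree: only $ALLOWED_VERSION present"
```

Because a plain `dependency:tree` shows only the version Maven actually resolved, run it per module (gt-imagemosaic, gt-app-schema) rather than once at the root, or the 1.7.0 a downstream module ships can be hidden by nearest-wins resolution.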