Good evening everyone, with the recent Log4Shell vulnerabilities it has come to our attention that unchecked JNDI lookups are inadvisable.
The GeoTools utility class centralizes JNDI lookups in the library, and we have taken the opportunity to introduce a check limiting JNDI lookups to no-schema and java lookups:

    DataSource dataSource = (DataSource) GeoTools.jndiLookup(name);

This fix is available in the newly made GeoTools 26.4, GeoTools 25.6 and GeoTools 24.6 releases (which are available in Maven and on SourceForge, but I have not made blog posts for them all yet).

If you have any questions please reply to this email.

For more information:
- https://github.com/geotools/geotools/security/advisories/GHSA-jvh2-668r-g75x
- https://nvd.nist.gov/vuln/detail/CVE-2022-24818
- http://geotoolsnews.blogspot.com/2022/04/unchecked-jndi-lookups-in-geotools-cve.html

--
Jody Garnett
_______________________________________________
GeoTools-GT2-Users mailing list
GeoTools-GT2-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users
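
A sketch of the kind of name check the announcement above describes, allowing only JNDI names with no scheme or with the java: scheme. This is an added example, not GeoTools code and not part of the original email; the class JndiNameCheck, its methods and the sample names are hypothetical, and treating a colon before the first slash as the scheme separator is an assumption of the sketch.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/** Added illustration; not GeoTools source. Class and method names are hypothetical. */
public class JndiNameCheck {

    /** Returns the scheme prefix of a JNDI name, or null when the name has none. */
    static String schemeOf(String name) {
        int colon = name.indexOf(':');
        int slash = name.indexOf('/');
        // Assumption: a colon that appears before any slash marks a URL scheme.
        if (colon > 0 && (slash == -1 || colon < slash)) {
            return name.substring(0, colon);
        }
        return null;
    }

    /** Allowlist: accept only names with no scheme or exactly the "java" scheme. */
    static boolean isAllowed(String name) {
        if (name == null || name.trim().isEmpty()) {
            return false;
        }
        String scheme = schemeOf(name);
        // Exact match on purpose: anything that is not literally "java" is rejected,
        // including case variants and prefixes padded with whitespace.
        return scheme == null || scheme.equals("java");
    }

    public static void main(String[] args) {
        // Constructed sample names, each with the decision the check should reach.
        Map<String, Boolean> samples = new LinkedHashMap<>();
        samples.put("jdbc/geodata", true);
        samples.put("java:comp/env/jdbc/geodata", true);
        samples.put("ldap://example.invalid/obj", false);
        samples.put("rmi://example.invalid/obj", false);
        samples.put(" ldap://example.invalid/obj", false);
        samples.put("LDAP://example.invalid/obj", false);
        samples.put("", false);
        for (Map.Entry<String, Boolean> e : samples.entrySet()) {
            boolean got = isAllowed(e.getKey());
            if (got != e.getValue()) {
                throw new AssertionError("unexpected decision for: " + e.getKey());
            }
            System.out.printf("%-34s %s%n", "\"" + e.getKey() + "\"", got ? "allow" : "reject");
        }
    }
}
```

A caller would run such a check on any configuration-supplied name before handing it to a JNDI context, and refuse the lookup when it returns false.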