On Sat, 22 Oct 2022, 17:23 Jody Garnett, <jody.garn...@gmail.com> wrote:

> We do not have a ticket for it (since we were not affected).
>

Well we do have a ticket, it just doesn't mention the cve. I've answered one question on the security list and one on gis.se so people seem worried about it.

> I think I am against reporting CVEs from dependencies where our software
> is not affected. It just adds "noise". I would prefer when we have a
> security vulnerability section that everyone take it seriously and
> upgrade....
>
> What do you think?
>

Since we do use the affected jar it is probably worth mentioning in the release notes.

Ian

>
> Jody
>
> On Sat, Oct 22, 2022 at 3:01 AM Ian Turton <ijtur...@gmail.com> wrote:
>
>> Do we want to mention the CVE-2022-42889
>> <https://nvd.nist.gov/vuln/detail/CVE-2022-42889> vulnerability, that
>> doesn't actually affect us and is now patched anyway?
>>
>> Ian
>>
>> On Sat, 22 Oct 2022 at 04:52, Jody Garnett <jody.garn...@gmail.com>
>> wrote:
>>
>>> Here is draft blog post while we wait for build process:
>>> https://github.com/geoserver/geoserver.github.io/pull/135
>>>
>>> Okay, gather the bits for release:
>>>
>>> - Security hiding layer groups:
>>>   https://github.com/geoserver/geoserver/pull/6290 (done)
>>> - Windows installer needs assembly changes backport
>>>   https://github.com/geoserver/geoserver/pull/6291 (done)
>>> - aside: Noticed many of the assemblies try and gather
>>>   src/release/RELEASE_NOTES.txt
>>>   <https://github.com/geoserver/geoserver/blob/2.13.x/src/release/RELEASE_NOTES.txt>
>>>   ... which has not been present since 2.13.x
>>> - Did a round up of other backports, we should be good ...
>>>
>>> --
>>> Jody Garnett
>>>
>>>
>>> On Thu, 20 Oct 2022 at 07:17, Jody Garnett <jody.garn...@gmail.com>
>>> wrote:
>>>
>>>> With the RC out of the way; I still have some customers waiting on a
>>>> stable release for security improvements.
>>>>
>>>> Is it okay if I make a 2.21.x release? That way we still get a stable
>>>> release for October here.
>>>>
>>>> Jody
>>>> --
>>>> --
>>>> Jody Garnett
>>>>
>>> _______________________________________________
>>> Geoserver-devel mailing list
>>> Geoserver-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>>
>>
>> --
>> Ian Turton
>>
> --
> --
> Jody Garnett
>