Sounds good Ian, please make the change as a suggestion to the PR and it
should go in :)
--
Jody Garnett


On Sat, 22 Oct 2022 at 10:28, Ian Turton <ijtur...@gmail.com> wrote:

>
>
> On Sat, 22 Oct 2022, 17:23 Jody Garnett, <jody.garn...@gmail.com> wrote:
>
>> We do not have a ticket for it (since we were not affected).
>>
>
> Well we do have a ticket, it just doesn't mention the CVE. I've answered
> one question on the security list and one on gis.se so people seem
> worried about it.
>
>
>
>> I think I am against reporting CVEs from dependencies where our software
>> is not affected. It just adds "noise". I would prefer when we have a
>> security vulnerability section that everyone take it seriously and
>> upgrade....
>>
>> What do you think?
>>
>
> Since we do use the affected jar it is probably worth mentioning in the
> release notes.
>
> Ian
>
>>
>> Jody
>>
>> On Sat, Oct 22, 2022 at 3:01 AM Ian Turton <ijtur...@gmail.com> wrote:
>>
>>> Do we want to mention the CVE-2022-42889
>>> <https://nvd.nist.gov/vuln/detail/CVE-2022-42889> vulnerability, that
>>> doesn't actually affect us and is now patched anyway?
>>>
>>> Ian
>>>
>>> On Sat, 22 Oct 2022 at 04:52, Jody Garnett <jody.garn...@gmail.com>
>>> wrote:
>>>
>>>> Here is a draft blog post while we wait for the build process:
>>>> https://github.com/geoserver/geoserver.github.io/pull/135
>>>>
>>>> Okay, gather the bits for release:
>>>>
>>>>    - Security hiding layer groups:
>>>>    https://github.com/geoserver/geoserver/pull/6290 (done)
>>>>    - Windows installer needs assembly changes backport
>>>>    https://github.com/geoserver/geoserver/pull/6291 (done)
>>>>       - aside: Noticed many of the assemblies try and gather
>>>>       src/release/RELEASE_NOTES.txt
>>>>       <https://github.com/geoserver/geoserver/blob/2.13.x/src/release/RELEASE_NOTES.txt>
>>>>       ... which has not been present since 2.13.x
>>>>    - Did a round up of other backports, we should be good ...
>>>>
>>>> --
>>>> Jody Garnett
>>>>
>>>>
>>>> On Thu, 20 Oct 2022 at 07:17, Jody Garnett <jody.garn...@gmail.com>
>>>> wrote:
>>>>
>>>>> With the RC out of the way; I still have some customers waiting on a
>>>>> stable release for security improvements.
>>>>>
>>>>> Is it okay if I make a 2.21.x release? That way we still get a stable
>>>>> release for October here.
>>>>>
>>>>> Jody
>>>>> --
>>>>> --
>>>>> Jody Garnett
>>>>>
>>>> _______________________________________________
>>>
>>>
>>>> Geoserver-devel mailing list
>>>> Geoserver-devel@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>>>
>>>
>>>
>>> --
>>> Ian Turton
>>>
>> --
>> --
>> Jody Garnett
>>
>
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel