On 26-03-2023 16:06, Jody Garnett wrote:
> Right, keep in mind we do not advertise security details such as CVEs until an update is available for stable and maintenance active branches.

That is a moot point: when the CVE of a library that is used in GeoServer is published, it should be considered common knowledge, and obscurity is no longer an option.

Anyone looking at the pom file can see which versions are used, and anyone running a tool such as dependency-track can trivially create a detailed report.

In this specific case I did not evaluate the vulnerability effects in GeoServer; I doubt the attack vector exists and that the CVE applies, but the library vendor has provided patch versions along with publishing the CVE that are trivial to apply.

> Please discuss on geoserver-security email list if you wish to assess and coordinate a maintenance release for example.


Since this is a closed list that I'm not part of, discussing there is not available to me.

Mark
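The point made above, that dependency versions are visible in the pom file and can be matched against published advisories by a tool such as dependency-track, as an added Python example that is not part of this thread and not GeoServer project code. It parses a constructed pom fragment (resolving `${property}` versions, which is where a casual read of a pom often goes wrong), and checks each dependency against a constructed advisory list; the advisory ids, coordinates and version ranges are placeholders, not real CVEs.

```python
"""Extract dependency versions from a Maven pom.xml and flag any that fall
inside an advisory's affected range.

Added example, not GeoServer code. The pom content and the advisory list
below are constructed for illustration; the advisory ids are placeholders."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom fragment: one version is a literal, one comes from <properties>.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <example.lib.version>2.3.1</example.lib.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>example-lib</artifactId>
      <version>${example.lib.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>other-lib</artifactId>
      <version>1.9.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisories: (groupId, artifactId, first affected, first fixed, id).
# Placeholder ids; these are not real CVEs.
SAMPLE_ADVISORIES = [
    ("org.example", "example-lib", "2.0.0", "2.3.2", "ADVISORY-PLACEHOLDER-1"),
    ("org.example", "other-lib", "1.0.0", "1.8.0", "ADVISORY-PLACEHOLDER-2"),
]


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def pom_dependencies(pom_text):
    """Return {(groupId, artifactId): version} with ${property} references resolved."""
    root = ET.fromstring(pom_text)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    deps = {}
    for dep in root.findall(f"{POM_NS}dependencies/{POM_NS}dependency"):
        gid = dep.findtext(f"{POM_NS}groupId")
        aid = dep.findtext(f"{POM_NS}artifactId")
        ver = dep.findtext(f"{POM_NS}version") or ""
        # Substitute ${prop} from <properties>; unknown properties are left as-is.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), ver)
        deps[(gid, aid)] = ver
    return deps


def affected(deps, advisories):
    """Return (advisory id, coordinate, remediation) for each dependency whose
    version lies in [first_affected, first_fixed)."""
    hits = []
    for gid, aid, lo, fixed, adv_id in advisories:
        ver = deps.get((gid, aid))
        if ver is None:
            continue
        pv = parse_version(ver)
        if parse_version(lo) <= pv < parse_version(fixed):
            hits.append((adv_id, f"{gid}:{aid}:{ver}", f"upgrade to >= {fixed}"))
    return hits


if __name__ == "__main__":
    for hit in affected(pom_dependencies(SAMPLE_POM), SAMPLE_ADVISORIES):
        print(*hit)
```

A real dependency-track run works from a generated SBOM and covers transitive dependencies and parent poms, which this direct-dependency parser does not; the example only shows why the version information is already public to anyone with the pom and an advisory feed.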



_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
