All GeoServer releases except 2.6.4 have a remote file disclosure vulnerability that permits an unauthenticated remote attacker to use a malicious request to view any file on the server visible to GeoServer, including files outside the data directory.
This vulnerability is fixed in 2.6.4 and in all nightlies including those for stable (2.7.x) and master. All future GeoServer releases will contain a fix for this vulnerability.

See:
https://osgeo-org.atlassian.net/browse/GEOS-7032
http://osgeo-org.1560.x6.nabble.com/Handling-of-GEOS-7032-Remote-File-Disclosure-td5212383.html

Kind regards,
Ben.

-------- Forwarded Message --------
Subject: [Geoserver-users] GeoServer 2.6.4 Released
Date: Fri, 19 Jun 2015 08:40:59 +1200
From: Ben Caradoc-Davies <[email protected]>
To: [email protected]

http://blog.geoserver.org/2015/06/18/geoserver-2-6-4-released/

[...]

The GeoServer team is pleased to announce the release of GeoServer 2.6.4

[...]

GeoServer 2.6.4 is a maintenance release of GeoServer recommended for production deployment. This release contains *IMPORTANT SECURITY FIXES* so please upgrade.

[...]

* *SECURITY*: Fixed a serious vulnerability that allowed arbitrary files on the server to be read by crafting a malicious WFS request <https://osgeo-org.atlassian.net/browse/GEOS-7032>

--
Ben Caradoc-Davies <[email protected]>
Director
Transient Software Limited <http://transient.nz/>
New Zealand
