Ben, Andrea, All:
For those of us who can, would an adequate temporary mitigation for this be
to disable WFS until patches/upgrades can be applied?
Thanks,
Mike Grogan
On Thu, Jun 25, 2015 at 1:28 PM, Andrea Aime <[email protected]>
wrote:
> Hi all,
> for those who are still stuck on 2.5.x and are not ready to upgrade to
> 2.6.x yet,
> we have prepared a 2.5.5.1 release containing the fixes against the
> XXE vulnerability; you can find it here:
>
> https://sourceforge.net/projects/geoserver/files/GeoServer/2.5.5.1
>
> Cheers
> Andrea
>
>
> On Tue, Jun 23, 2015 at 10:14 PM, Ben Caradoc-Davies <[email protected]>
> wrote:
>
>> All GeoServer releases except 2.6.4 have a remote file disclosure
>> vulnerability that permits an unauthenticated remote attacker to use a
>> malicious request to view any file on the server visible to GeoServer,
>> including files outside the data directory.
>>
>> This vulnerability is fixed in 2.6.4 and in all nightlies including
>> those for stable (2.7.x) and master.
>>
>> All future GeoServer releases will contain a fix for this vulnerability.
>>
>> See:
>>
>> https://osgeo-org.atlassian.net/browse/GEOS-7032
>>
>> http://osgeo-org.1560.x6.nabble.com/Handling-of-GEOS-7032-Remote-File-Disclosure-td5212383.html
>>
>> Kind regards,
>> Ben.
>>
>>
>> -------- Forwarded Message --------
>> Subject: [Geoserver-users] GeoServer 2.6.4 Released
>> Date: Fri, 19 Jun 2015 08:40:59 +1200
>> From: Ben Caradoc-Davies <[email protected]>
>> To: [email protected]
>>
>> http://blog.geoserver.org/2015/06/18/geoserver-2-6-4-released/
>> [...]
>> The GeoServer team is pleased to announce the release of GeoServer 2.6.4
>> [...]
>> GeoServer 2.6.4 is a maintenance release of GeoServer recommended for
>> production deployment. This release contains *IMPORTANT SECURITY FIXES*
>> so please upgrade.
>> [...]
>> * *SECURITY*: Fixed a serious vulnerability that allowed arbitrary
>> files on the server to be read by crafting a malicious WFS request
>> <https://osgeo-org.atlassian.net/browse/GEOS-7032>
>>
>>
>> --
>> Ben Caradoc-Davies <[email protected]>
>> Director
>> Transient Software Limited <http://transient.nz/>
>> New Zealand
>>
>>
>> ------------------------------------------------------------------------------
>> Monitor 25 network devices or servers for free with OpManager!
>> OpManager is web-based network management software that monitors
>> network devices and physical & virtual servers, alerts via email & sms
>> for fault. Monitor 25 devices for free with no restriction. Download now
>> http://ad.doubleclick.net/ddm/clk/292181274;119417398;o
>> _______________________________________________
>> Geoserver-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>
>
>
>
> --
> ==
> GeoServer Professional Services from the experts! Visit
> http://goo.gl/it488V for more information.
> ==
>
> Ing. Andrea Aime
> @geowolf
> Technical Lead
>
> GeoSolutions S.A.S.
> Via Poggio alle Viti 1187
> 55054 Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax: +39 0584 1660272
> mob: +39 339 8844549
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> *NOTICE PURSUANT TO Legislative Decree 196/2003*
>
> The information contained in this e-mail message and/or in the attached
> file(s) is to be considered strictly confidential. Its use is permitted
> exclusively to the addressee of the message, for the purposes indicated in
> the message itself. Should you receive this message without being its
> addressee, we kindly ask you to notify us by e-mail and to destroy the
> message, deleting it from your system. Retaining the message, disclosing
> it even in part, distributing it to other parties, copying it, or using it
> for other purposes constitutes conduct contrary to the principles set out
> by Legislative Decree 196/2003.
>
>
>
> The information in this message and/or attachments is intended solely for
> the attention and use of the named addressee(s) and may be confidential or
> proprietary in nature or covered by the provisions of the privacy act
> (Legislative Decree June 30, 2003, no. 196 - Italy's New Data Protection
> Code). Any use not in accord with its purpose, any disclosure, reproduction,
> copying, distribution, or dissemination, either whole or partial, is
> strictly forbidden except with the previous formal approval of the named
> addressee(s). If you are not the intended recipient, please contact the
> sender immediately by telephone, fax or e-mail and delete the information
> in this message that has been received in error. The sender does not give
> any warranty or accept liability as to the content, accuracy or
> completeness of sent messages and accepts no responsibility for changes
> made after they were sent or for other risks which arise as a result of
> e-mail transmission, viruses, etc.
>
> -------------------------------------------------------
>
>
>
>
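An added example, not GeoServer's own code or its actual fix, of the parser-side mitigation for the XXE class of bug named in this thread: a hardened JAXP DocumentBuilder that rejects any WFS POST body carrying a DOCTYPE, so no entity declaration is ever resolved. The class and method names are assumed, and the two sample request bodies are constructed for illustration.

```java
// Added example (not GeoServer code): refuse any DOCTYPE in a WFS POST body
// before it reaches the application's XML parser.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedWfsParser {

    // Build a DocumentBuilder with DTD processing and external entity
    // resolution switched off. Feature URIs are the standard Xerces/SAX ones.
    public static DocumentBuilder newHardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject the DOCTYPE declaration outright: no DTD, no entities at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the body parsed, false if the hardened parser rejected it.
    public static boolean accepts(String wfsBody) throws Exception {
        try {
            Document doc = newHardenedBuilder().parse(new InputSource(new StringReader(wfsBody)));
            return doc.getDocumentElement() != null;
        } catch (SAXException rejected) {
            // DOCTYPE present: a real deployment would log this and answer HTTP 400.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies, not captured traffic.
        String clean = "<wfs:GetFeature xmlns:wfs=\"http://www.opengis.net/wfs\""
            + " service=\"WFS\" version=\"1.1.0\"/>";
        String withDoctype = "<!DOCTYPE wfs [<!ENTITY x \"probe\">]>"
            + "<wfs:GetFeature xmlns:wfs=\"http://www.opengis.net/wfs\">&x;</wfs:GetFeature>";
        System.out.println("clean body accepted: " + accepts(clean));
        System.out.println("DOCTYPE body accepted: " + accepts(withDoctype));
    }
}
```

Rejecting the DOCTYPE at the parser is independent of which WFS operations are enabled, so it also covers the case where a service cannot simply be switched off while waiting for the upgrade.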