The comm page, where I believe you found info on registering for the user
list, has a clear warning not to post security vulnerabilities:

http://geoserver.org/comm/

"If you encounter a security vulnerability in GeoServer please take care to
report the issue in a responsible fashion. Do not use the mailing list, go
instead to the Jira bug tracker and follow the "Responsible
disclosure" instructions there."

How do we make it more plain and evident so that grave mistakes do not
occur anymore in the future?
Maybe we should switch the background color of that box to red...

Regards
Andrea


On Wed, Jun 6, 2018 at 11:38 PM, Dave Wichers <dave.wich...@ey.com> wrote:

> In file: https://github.com/geoserver/geoserver/blob/master/src/pom.xml
> is:
>
>
>   <dependency>
>     <groupId>commons-fileupload</groupId>
>     <artifactId>commons-fileupload</artifactId>
>     <version>1.2.1</version>
>    </dependency>
>
>
> This version of this library has a serious vuln described at:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
>
>
> Even if the geoserver app isn't vulnerable to the specific issue in this
> old version of commons-fileupload, it's better to upgrade anyway so others
> don't have to wonder/worry if it introduces a vulnerability.
>
>
> I would also recommend the geoserver project run OWASP's dependency-check
> maven plugin and upgrade any other libraries it flags that have known
> vulnerabilities.
>
>
> -Dave


-- 
Regards, Andrea Aime
Technical Lead, GeoSolutions S.A.S.
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
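As an added example of Dave's suggestion (not taken from GeoServer's own pom.xml), a Maven build section that runs the OWASP dependency-check plugin on every `mvn verify` and fails the build on findings at or above CVSS 7, alongside the commons-fileupload dependency bumped off 1.2.1. The two version properties are placeholders to fill in: the current dependency-check-maven release and a commons-fileupload release that addresses CVE-2016-1000031.

```xml
<!-- Added example, not GeoServer's own pom.xml. Version values are placeholders. -->
<project>
  <properties>
    <!-- assumption: set to the current dependency-check-maven release -->
    <dependency-check.version>PLACEHOLDER</dependency-check.version>
    <!-- assumption: set to a commons-fileupload release that addresses CVE-2016-1000031 -->
    <commons-fileupload.version>PLACEHOLDER</commons-fileupload.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>${commons-fileupload.version}</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <!-- fail the build when any dependency carries a CVE scored 7.0 or higher -->
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <!-- the check goal binds to the verify phase by default -->
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After `mvn verify` the findings are written to target/dependency-check-report.html, which lists each flagged artifact with its CVE ids so the upgrade list Dave asks for can be worked through one dependency at a time.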