Not to try and start a huge discussion; but since the cat is out of the bag
so to speak, I also knew of this quite some time (1 year+) ago. I don't have
the resources to add bugs to the JIRA, but I was able to find/fix locally
very easily (what you do with open source). I guess I was wondering if you
guys are scanning with any of the free tools, including the one right on
GitHub that would have spotted this and others.

https://blog.github.com/2017-11-16-introducing-security-alerts-on-github/

I used a tool called Twistlock which is a container scanner; but it draws
from the same NVD database as the free and Github scanners.

All the best,
Joe

On Thu, Jun 7, 2018 at 5:56 PM, Andrea Aime <andrea.a...@geo-solutions.it>
wrote:

> Hi Chris,
> yes, master. Much appreciated!
>
> Cheers
> Andrea
>
> On Thu, Jun 7, 2018 at 4:36 PM, Chris Snider <chris.sni...@polarisalpha.com> wrote:
>
>> I can try to do that this weekend. I assume master?
>>
>> Chris Snider
>> Senior Software Engineer
>>
>> *From:* andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] *On Behalf Of* Andrea Aime
>> *Sent:* Thursday, June 07, 2018 8:25 AM
>> *To:* Chris Snider <chris.sni...@polarisalpha.com>
>> *Cc:* Dave Wichers <dave.wich...@ey.com>; geoserver-users@lists.sourceforge.net
>> *Subject:* Re: [Geoserver-users] Known vulnerability in commons-fileupload v1.2.1, used by geoserver
>>
>>
>>
>> Hi Chris,
>>
>> that's a sensible suggestion. The web site is on GitHub, any chance you
>> could do a pull request? I'm swamped...
>>
>>
>>
>> https://github.com/geoserver/geoserver.github.io
>>
>>
>>
>> Cheers
>>
>> Andrea
>>
>>
>>
>>
>>
>> On Thu, Jun 7, 2018 at 4:18 PM, Chris Snider <chris.sni...@polarisalpha.com> wrote:
>>
>> Andrea,
>>
>>
>>
>> It took me a second to find the security block.  I completely overlooked
>> the blue field.
>>
>>
>>
>> Maybe add a new header under the “User List”
>>
>> <h3>User List</h3>
>>
>> This list is for end users blah blah blah
>>
>>
>>
>> <h3>Reporting Security Vulnerabilities</h3>
>>
>> If you encounter a security vulnerability blah blah blah
>>
>>
>>
>> <h3>Posting Guidelines</h3>
>>
>> Please read through etc. etc. etc.
>>
>> Thought I’d say blah again didn’t you
>>
>>
>>
>> <h3>Developer Lists</h3>
>>
>> The rest of the page, and so on
>>
>> This might draw attention?
>>
>> Chris Snider
>>
>> Senior Software Engineer
>>
>>
>> *From:* Andrea Aime [mailto:andrea.a...@geo-solutions.it]
>> *Sent:* Thursday, June 07, 2018 12:23 AM
>> *To:* Dave Wichers <dave.wich...@ey.com>
>> *Cc:* geoserver-users@lists.sourceforge.net
>> *Subject:* Re: [Geoserver-users] Known vulnerability in commons-fileupload v1.2.1, used by geoserver
>>
>>
>>
>> The comm page, where I believe you found info on registering for the user
>> list, has a clear warning not to post security vulnerabilities:
>>
>>
>>
>> http://geoserver.org/comm/
>>
>>
>>
>> "If you encounter a security vulnerability in GeoServer please take care
>> to report the issue in a responsible fashion. Do not use the mailing list;
>> go instead to the Jira bug tracker and follow the "Responsible
>> disclosure" instructions there."
>>
>>
>>
>> How do we make it more plain and evident so that grave mistakes do not
>> occur anymore in the future?
>>
>> Maybe we should switch the background color of that box to red...
>>
>>
>>
>> Regards
>>
>> Andrea
>>
>>
>>
>> <removed>
>>
>>
>>
>>
>>
>> --
>>
>> Regards, Andrea Aime
>> == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. ==
>> Ing. Andrea Aime @geowolf
>> Technical Lead
>> GeoSolutions S.A.S.
>> Via di Montramito 3/A 55054 Massarosa (LU)
>> phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549
>> http://www.geo-solutions.it http://twitter.com/geosolutions_it
>> -------------------------------------------------------
>> *With reference to the regulation on the processing of personal data (EU Reg. 2016/679, General Data Protection Regulation “GDPR”), please note that every circumstance pertaining to this email (its content, any attachments, etc.) is data whose knowledge is reserved to the sole recipient(s) indicated by the sender. If the message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would nonetheless be grateful if you could let me know. This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.*
>>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users