Dear GeoServer Users and Developers!

Some days ago I was happy to find out that the LOG4J 1.2 component is going to be replaced in the next major release of GeoServer: https://github.com/geoserver/geoserver/wiki/Update-or-replace-Log4J-1-library

Since the topic of security vulnerabilities in libraries is an important issue right now, I have done a dependency check on the GeoServer release 2.20.2 recently. If I am right, the following libraries are used that have CVEs reported on nvd.nist.gov:

- apache-httpclient : commons-httpclient : 3.1: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Ahttpclient&cpe_version=cpe%3A%2F%3Aapache%3Ahttpclient%3A3.1
- com.h2database : h2 : 1.1.119: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Ah2database&cpe_product=cpe%3A%2F%3Ah2database%3Ah2&cpe_version=cpe%3A%2F%3Ah2database%3Ah2%3A1.1.119
- com.lowagie : itext : 2.1.5: https://nvd.nist.gov/vuln/detail/CVE-2017-9096
- com.thoughtworks.xstream : xstream : 1.4.11.1: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Axstream_project&cpe_product=cpe%3A%2F%3Axstream_project%3Axstream&cpe_version=cpe%3A%2F%3Axstream_project%3Axstream%3A1.4.11.1
- org.apache.wicket : wicket-core : 7.6.0: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
- jquery 1.12.4: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
- jquery 2.2.4: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
- org.springframework.security : spring-security-core : 5.1.13.RELEASE: https://nvd.nist.gov/vuln/detail/CVE-2021-22112

Are there any plans to update the libraries to a safe version?

Thanks for your short feedback and all the best,
Michael
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users