Actually I have an idea, searching for all announcements that have a "security considerations" heading, and adding the vulnerability category gives me this:
- https://github.com/geoserver/geoserver.github.io/pull/121

Vulnerability:
- GeoServer 2.19.4 Released
- GeoServer 2.16.1 released
- GeoServer 2.14.0 Released
- GeoServer 2.14-RC released
- GeoServer 2.12.5 released
- GeoServer 2.13.2 released
- GeoServer 2.12.4 Release
- GeoServer 2.12.3 Released
- GeoServer 2.10.4 Released
- GeoServer 2.11.1 Released

Not the best as we do not have a landing page for vulnerabilities; but it is at least interesting.
--
Jody Garnett

On Tue, 1 Mar 2022 at 00:41, Jody Garnett <jody.garn...@gmail.com> wrote:

> To add to Ian's answer:
>
> As an operator of geoserver take note of the release announcements:
> - We include a "Security Considerations" heading in each release where
>   there is a security fix
> - When all active branches have the security fix the security
>   considerations section may contain additional details (such as a ticket
>   number).
>
> If we as a community had capacity (budget or volunteers) there is some
> infrastructure support available in github
> <https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories>
> for managing communication around CVE reports.
>
> The PSC maintains a list of known security issues for those volunteering
> to work on security issues. If you have capacity you may wish to take part.
> Many of the GeoServer service providers participate on behalf of their
> customers.
> --
> Jody Garnett
>
> On Mon, 28 Feb 2022 at 07:59, Watermeyer, Andreas <
> andreas.waterme...@its-digital.de> wrote:
>
>> Dear GeoServer community,
>>
>> I have security related questions:
>>
>> * Is there a procedure by which operators of GeoServer installations can
>>   learn of security vulnerabilities that require updating GeoServer?
>>
>> * Is there a list of security-related bug fixes made with a release?
>>
>> If nothing exists:
>>
>> * Would it be possible to introduce something like a
>>   security-announcement mailing list?
>>
>> * Would it be possible to list fixed security vulnerabilities per
>>   release? For example, Tomcat has a corresponding list, which I find very
>>   helpful: https://tomcat.apache.org/security-9.html
>>
>> Thanks for providing this great tool!
>>
>> Best regards,
>>
>> Andreas
>>
>> _______________________________________________
>> Geoserver-users mailing list
>>
>> Please make sure you read the following two resources before posting to
>> this list:
>> - Earning your support instead of buying it, by Ian Turton:
>>   http://www.ianturton.com/talks/foss4g.html#/
>> - The GeoServer user list posting guidelines:
>>   http://geoserver.org/comm/userlist-guidelines.html
>>
>> If you want to request a feature or an improvement, also see this:
>> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>
>> Geoserver-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>
>