Hi Jody, we will continue to watch for the “security considerations”. I just wanted to make sure I am not missing something essential.
The category vulnerability is also very helpful. Good idea.

Have a nice day and thank you all,
Andreas

From: Jody Garnett <jody.garn...@gmail.com>
Sent: Tuesday, 1 March 2022 09:45
To: Watermeyer, Andreas <andreas.waterme...@its-digital.de>
Cc: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Notifications about vulnerabilities

Actually I have an idea, searching for all announcements that have a "security considerations" heading, and adding the vulnerability category gives me this:

- https://github.com/geoserver/geoserver.github.io/pull/121

Vulnerability:
GeoServer 2.19.4 Released
GeoServer 2.16.1 released
GeoServer 2.14.0 Released
GeoServer 2.14-RC released
GeoServer 2.12.5 released
GeoServer 2.13.2 released
GeoServer 2.12.4 Release
GeoServer 2.12.3 Released
GeoServer 2.10.4 Released
GeoServer 2.11.1 Released

Not the best as we do not have a landing page for vulnerabilities; but it is at least interesting.

--
Jody Garnett

On Tue, 1 Mar 2022 at 00:41, Jody Garnett <jody.garn...@gmail.com> wrote:

To add to Ian's answer:

As an operator of geoserver take note of the release announcements:

- We include a "Security Considerations" heading in each release where there is a security fix
- When all active branches have the security fix the security considerations section may contain additional details (such as a ticket number).

If we as a community had capacity (budget or volunteers) there is some infrastructure support available in github<https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories> for managing communication around CVE reports.

The PSC maintains a list of known security issues for those volunteering to work on security issues. If you have capacity you may wish to take part. Many of the GeoServer service providers participate on behalf of their customers.
--
Jody Garnett

On Mon, 28 Feb 2022 at 07:59, Watermeyer, Andreas <andreas.waterme...@its-digital.de> wrote:

Dear GeoServer community,

I have security-related questions:

* Is there a procedure by which operators of GeoServer installations can learn of security vulnerabilities that require updating GeoServer?
* Is there a list of security-related bug fixes made with a release?

If nothing exists:

* Would it be possible to introduce something like a security-announcement mailing list?
* Would it be possible to list fixed security vulnerabilities per release? For example, Tomcat has a corresponding list, which I find very helpful: https://tomcat.apache.org/security-9.html

Thanks for providing this great tool!

Best regards,
Andreas

_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users