Andreas:

Calling out this week's announcement(s):
- 2.19.5 and 2.20.3 are being announced together with a clear "security
considerations" heading
- In this case the details of what has been fixed are included ... because
the fix is being made available on all active branches (stable and
maintenance)

This also thanks the group responsible for funding the fix (Fisheries and
Oceans Canada/Pêches et Océans Canada).
--
Jody Garnett


On Tue, 1 Mar 2022 at 00:41, Jody Garnett <jody.garn...@gmail.com> wrote:

> To add to Ian's answer:
>
> As an operator of GeoServer take note of the release announcements:
> - We include a "Security Considerations" heading in each release where
> there is a security fix
> - When all active branches have the security fix the security
> considerations section may contain additional details (such as a ticket
> number).
>
> If we as a community had capacity (budget or volunteers) there is some
> infrastructure support available in GitHub
> <https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories>
> for managing communication around CVE reports.
>
> The PSC maintains a list of known security issues for those volunteering
> to work on security issues. If you have capacity you may wish to take part.
> Many of the GeoServer service providers participate on behalf of their
> customers.
> --
> Jody Garnett
>
>
> On Mon, 28 Feb 2022 at 07:59, Watermeyer, Andreas <
> andreas.waterme...@its-digital.de> wrote:
>
>> Dear GeoServer community,
>>
>>
>>
>> I have security-related questions:
>>
>>
>>
>> * Is there a procedure by which operators of GeoServer installations can
>> learn of security vulnerabilities that require updating GeoServer?
>>
>> * Is there a list of security-related bug fixes made with a release?
>>
>>
>>
>> If nothing exists:
>>
>>
>>
>> * Would it be possible to introduce something like a
>> security-announcement mailing list?
>>
>> * Would it be possible to list fixed security vulnerabilities per
>> release? For example, Tomcat has a corresponding list, which I find very
>> helpful: https://tomcat.apache.org/security-9.html
>>
>>
>>
>> Thanks for providing this great tool!
>>
>>
>>
>> Best regards,
>>
>> Andreas
>>
>>
>> _______________________________________________
>> Geoserver-users mailing list
>>
>> Please make sure you read the following two resources before posting to
>> this list:
>> - Earning your support instead of buying it, by Ian Turton:
>> http://www.ianturton.com/talks/foss4g.html#/
>> - The GeoServer user list posting guidelines:
>> http://geoserver.org/comm/userlist-guidelines.html
>>
>> If you want to request a feature or an improvement, also see this:
>> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>
>>
>> Geoserver-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>
>