Dominique: You have our security policy <https://github.com/geoserver/geoserver/blob/main/SECURITY.md>, we only mentioned a fix when all active branches are patched. And we do not discuss security vulnerabilities in public ;)
You are correct that many of the libraries and frameworks used encounter vulnerabilities, and not every vulnerability is exploitable from GeoServer.

If you wish to discuss this library upgrade, or any other security issue:

- Attend one of the bi-weekly meetings
- Volunteer to help fix security issues
- Check out our commercial support providers (who take part in managing these issues on behalf of their customers).

General advice (that does not answer your question) - I would feel much more comfortable if you update your GeoServer to a supported branch. Indeed we mention this every state of GeoServer talk!

--
Jody Garnett

On Mar 24, 2022 at 2:39:18 PM, "Bessette-Halsema, Dominique E via Geoserver-users" <geoserver-users@lists.sourceforge.net> wrote:

> Hello
>
> I saw that we fixed the spring vulnerability issue in GeoServer 2.17. Was
> GeoServer 2.15 even vulnerable to this attack? We have some environments
> with 2.15 and need to know if they require a patch or upgrade.
>
> https://osgeo-org.atlassian.net/browse/GEOS-9477
>
> Dominique Bessette
> Senior Software Engineer
>
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users