Re: [Geoserver-users] Query regarding the reproduction steps of vulnerability CVE-2023-5786

2024-07-04 Thread Jody Garnett
The difficulty is if someone else has disclosed publicly eh?

I wrote down some stuff here from GSIP-220 which we can revise over time:
https://docs.geoserver.org/latest/en/developer/policies/security.html

--
Jody Garnett


On Wed, Jul 3, 2024 at 11:16 PM Ian Turton wrote:

> I think if we have disclosed the CVE then all further discussion should be
> in public, rather than on the security list.
>
> Ian
>
> On Wed, 3 Jul 2024 at 19:20, Jody Garnett wrote:
>
>> So Ian what is the right thing to do here?
>>
>> Should I not have replied to this message, to limit discussion of security
>> vulnerabilities (reproducing and verification and so on) to the
>> geoserver-security list?
>>
>> It is a little confusing with your message about not contacting
>> geoserver-security volunteers for announced vulnerabilities. In this case
>> the vulnerability is announced - just not by us!  And I agree that the
>> report does not make much sense / poorly written / was not shared with team
>> until now
>>
>> In any case the geoserver-security list is looking at this CVE now and
>> will either:
>>
>> a) dispute it - if it cannot be reproduced (we have done this in the past
>> and it did not work)
>> b) confirm it - by issuing a change / clarification to
>> https://github.com/advisories/GHSA-382v-j99g-hw2p (only thing we can do
>> as we did not publish the original)
>>
>> Reference:
>> https://github.com/geoserver/geoserver/wiki/GSIP-220#publicly-reported-issue
>> --
>> Jody Garnett
>>
>>
>> On Jul 1, 2024 at 9:55:48 AM, Mark Prins wrote:
>>
>>> On 01-07-2024 16:43, Jody Garnett wrote:
>>> > I am not sure we have been notified about that vulnerability; searching
>>> > my email, you are the first.
>>> >
>>> > Just because someone has opened a CVE does not indicate they have
>>> > contacted the open source project at all. Please forward to the
>>> > geoserver-security email list (see security policy). It would be helpful
>>> > if you describe what steps you have already taken to verify so the
>>> > volunteers do not duplicate your effort.
>>>
>>>
>>>
>>> In fact, just because someone managed to open a CVE record, it does not
>>> mean there is an actual vulnerability.
>>>
>>> The records at NIST
>>>
>>> https://nvd.nist.gov/vuln/detail/CVE-2023-5786
>>>
>>> provide a link to
>>>
>>> https://github.com/Qxyday/GeoServe---unauthorized
>>>
>>> That seems to be the original input and exploit. (based on the
>>> descriptions and that page I fail to see any vulnerability at all!)
>>>
>>> Note that the CVE is logged against GWC 1.15.0 and 1.15.1, both are >5
>>> years old and no longer used in project-supported versions of GeoServer
>>> afaik.
>>>
>>> Mark
>>>
>>>
>>> ___
>>> Geoserver-users mailing list
>>>
>>> Please make sure you read the following two resources before posting to
>>> this list:
>>> - Earning your support instead of buying it, by Ian Turton:
>>> http://www.ianturton.com/talks/foss4g.html#/
>>> - The GeoServer user list posting guidelines:
>>> http://geoserver.org/comm/userlist-guidelines.html
>>>
>>> If you want to request a feature or an improvement, also see this:
>>> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>>
>>>
>>> Geoserver-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>>
>>
>
> --
> Ian Turton
>


Re: [Geoserver-users] Experimental/External plugin page

2024-07-04 Thread Jody Garnett
I would love to have an actual module system like Jenkins that allows
plugins to be installed/uninstalled from within the app.

I am not quite sure how they do it?

--
Jody Garnett


On Thu, Jul 4, 2024 at 12:49 AM Tom Chadwin wrote:

> I think this is a valid thought - specifically a way in which the
> developer of an extension can get it to users before stable publication.
> Back when I was doing a QGIS plugin, I was encouraged to release very early
> indeed with the "experimental" flag set. It was very difficult to get any
> feedback or testing before doing that, but takeup was subsequently really
> good. Obviously, plugins for a desktop application are a very different
> thing to Geoserver modules/extensions, but some kind of official channel
> would probably help. But there's still a workload - QGIS plugins have to be
> approved to be published in their plugin repo. So it might not be possible.
>
> Tom
>
>
> On Thu, 4 Jul 2024 at 07:44, Alexandre Gacon wrote:
>
>> Hey Jody,
>>
>> The plugin is not mine! So I can't reply to your question on why it is
>> not in community module (but the author mentions they will candidate).
>>
>> Alexandre
>>
>
>> On Thu, 4 Jul 2024 at 09:24, Ian Turton wrote:
>>
>>> In an ideal world the module would live inside the GeoServer source tree
>>> so it would automatically be published on the main extension pages (either
>>> community or supported) - this would also give other developers (and you) a
>>> heads up if something was about to break.
>>>
>>> Ian
>>>
>>> On Thu, 4 Jul 2024 at 06:32, Alexandre Gacon wrote:
>>>
>>>> Hi,
>>>>
>>>> After the short presentation of the GeoServer Monitor PostgreSQL Plugin
>>>> during FOSS4G EU, I wonder if there shouldn't be a place somewhere (on
>>>> github? on website?) that provides a list of plugins which are not part
>>>> of the stable or community extensions but that can be tried or used by
>>>> the community.
>>>>
>>>> It could improve the visibility of the community.
>>>>
>>>> I don't have a clear registration process in mind. Perhaps something
>>>> like an awesome-geoserver list on GitHub, which could also reference other
>>>> geoserver related stuff.
>>>>
>>>> What do you think?
>>>>
>>>> --
>>>> Alexandre Gacon
>>>>
>>>
>>>
>>> --
>>> Ian Turton
>>>
>>
>

Re: [Geoserver-users] Set aside time for a GeoServer update this Tuesday

2024-07-04 Thread Andrea Aime
On Wed, Jul 3, 2024 at 9:46 PM Jody Garnett wrote:

>> But my prime question was that I found a reference stating that for
>> NCSC-2024-0274 there were fixes released for 2.25, 2.24, 2.23, 2.21.
>> Version 2.22 was missing in this list and if there was a reason for that or
>> that we could use the fixes of version 2.21 also on 2.22.
>>

When a new vulnerability is known and a fix is merged, commercial support
providers have the time to contact their clients, advise that a patch is
needed (without further details), and perform a timely delivery for it.

In the case of GeoSolutions, we enumerated all clients, found the ones that
were not in a position to upgrade to an official release right away, and
prepared a hotfix for their specific version.

As the public announcement went out, we took the occasion to share the
hotfixes with the rest of the community as well.

Cheers
Andrea (GeoSolutions)


Re: [Geoserver-users] Set aside time for a GeoServer update this Tuesday

2024-07-04 Thread Mark Prins

On 03-07-2024 20:44, Jody Garnett wrote:
> Aside: What is NCSC-2024-0274 number? Looks to be a country specific
> number for CVE-2024-36401 ...

Yes: https://advisories.ncsc.nl/advisory?id=NCSC-2024-0274




Re: [Geoserver-users] Experimental/External plugin page

2024-07-04 Thread Tom Chadwin
I think this is a valid thought - specifically a way in which the developer
of an extension can get it to users before stable publication. Back when I
was doing a QGIS plugin, I was encouraged to release very early indeed with
the "experimental" flag set. It was very difficult to get any feedback or
testing before doing that, but takeup was subsequently really good.
Obviously, plugins for a desktop application are a very different thing to
Geoserver modules/extensions, but some kind of official channel would
probably help. But there's still a workload - QGIS plugins have to be
approved to be published in their plugin repo. So it might not be possible.

Tom


On Thu, 4 Jul 2024 at 07:44, Alexandre Gacon wrote:

> Hey Jody,
>
> The plugin is not mine! So I can't reply to your question on why it is not
> in community module (but the author mentions they will candidate).
>
> Alexandre
>
> On Thu, 4 Jul 2024 at 09:24, Ian Turton wrote:
>
>> In an ideal world the module would live inside the GeoServer source tree
>> so it would automatically be published on the main extension pages (either
>> community or supported) - this would also give other developers (and you) a
>> heads up if something was about to break.
>>
>> Ian
>>
>> On Thu, 4 Jul 2024 at 06:32, Alexandre Gacon wrote:
>>
>>> Hi,
>>>
>>> After the short presentation of the GeoServer Monitor PostgreSQL Plugin
>>> during FOSS4G EU, I wonder if there shouldn't be a place somewhere (on
>>> github? on website?) that provides a list of plugins which are not part
>>> of the stable or community extensions but that can be tried or used by
>>> the community.
>>>
>>> It could improve the visibility of the community.
>>>
>>> I don't have a clear registration process in mind. Perhaps something
>>> like awesome-geoserver list on GitHub, which could also reference other
>>> geoserver related stuff.
>>>
>>> What do you think?
>>>
>>> --
>>> Alexandre Gacon
>>>
>>
>>
>> --
>> Ian Turton
>>
>
