Re: [Geoserver-users] GeoServer 2.15 Spring vulnerability

2022-03-24 Thread Jody Garnett
Dominique:

You have our security policy, we only
mention a fix when all active branches are patched. And we do not discuss
security vulnerabilities in public ;)

You are correct that many of the libraries and frameworks used encounter
vulnerabilities, and not every vulnerability is exploitable from
GeoServer.  If you wish to discuss this library upgrade, or any other
security issue:

   - Attend one of the bi-weekly meetings
   - Volunteer to help fix security issues
   - Check out our commercial support providers (who take part in managing
   these issues on behalf of their customers).


General advice (that does not answer your question) - I would feel much
more comfortable if you update your GeoServer to a supported branch. Indeed
we mention this every state of GeoServer talk!
--
Jody Garnett


On Mar 24, 2022 at 2:39:18 PM, "Bessette-Halsema, Dominique E via
Geoserver-users" wrote:

> Hello
>
> I saw that we fixed the Spring vulnerability issue in GeoServer 2.17.  Was
> GeoServer 2.15 even vulnerable to this attack?  We have some environments
> with 2.15 and need to know if they require a patch or upgrade.
>
> https://osgeo-org.atlassian.net/browse/GEOS-9477
>
> Dominique Bessette
>
> Senior Software Engineer
>
>
> ___
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>

[Geoserver-users] GeoServer 2.15 Spring vulnerability

2022-03-24 Thread Bessette-Halsema, Dominique E via Geoserver-users
Hello

I saw that we fixed the Spring vulnerability issue in GeoServer 2.17.  Was 
GeoServer 2.15 even vulnerable to this attack?  We have some environments with 
2.15 and need to know if they require a patch or upgrade.

https://osgeo-org.atlassian.net/browse/GEOS-9477



Dominique Bessette
Senior Software Engineer

