Right, keep in mind we do not advertise security details such as CVEs until an update is available for stable and maintenance active branches.
That is a moot point: when the CVE of a library that is used in GeoServer is published, it should be considered common knowledge and obscurity is no longer an option.
Anyone looking at the pom file can see which versions are used, anyone running a tool such as dependency-track can trivially create a detailed report.
In this specific case I did not evaluate the vulnerability effects in GeoServer; I doubt the attack vector exists and that the CVE applies, but the library vendor has provided patch versions along with publishing the CVE that are trivial to apply.
Please discuss on the geoserver-security email list if you wish to assess and coordinate a maintenance release, for example.
Since this is a closed list that I'm not part of, discussing there is not available to me.
Mark, you can email that list; we can also discuss this issue in today's meeting.
For me, I just want a consistent policy; but I agree with you that updating a library which contains security fixes is of interest. What is not established is if GeoServer is vulnerable to the CVEs mentioned.
In this case it is easier to just update the library; but the missing and important step is the analysis which is what would be discussed on the geoserver-security mailing list, and shared with our community when all active branches are patched.
Presently it is just unknown; we could phrase the release notes as "out of an abundance of caution", but it still would not address that the vulnerability analysis has not been done.