[Geoserver-devel] Security considerations for 2.24.0 and 2.23.2

Hello community,

1)
Reviewing the GeoServer security policy I found the approach of a "Coordinated vulnerability disclosure" very reasonable. Thanks for taking security seriously. Regarding:

  4. A fix is included for the "stable" and "maintenance" downloads [...]

Does that mean that GeoServer 2.23.2 from 2023-07-21 already contains the security patches relevant for this release?
Or will there be a 2.23.3? A backport would be useful in this situation because of the GeoTools API-package introduction, making it harder to upgrade.

2)
I regularly check for new GeoServer releases and especially the "security considerations" in the release announcements. I am also keeping a record of my activities. Result: I checked the GeoServer announcement for 2.23.2 from 2023-07-21 on 2023-08-21 (after my summer vacation :slight_smile: ) and I found NO security considerations for this release. Checking the same release *NOW* there *ARE* security considerations for this release.

Current announcement for 2.23.2:
https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html

Original announcement for 2.23.2:
http://web.archive.org/web/20230731072113/https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html

I suppose this happened by mistake or is this expected behavior?

Best regards and have a nice weekend,
Andreas Watermeyer

Hello,

We have been updating our security policy, as we figure out how to inform folks of security vulnerabilities.

It is hard to encourage people to update, without being in a position to tell why (yet).

Please see GSIP-220 for the proposal:
https://github.com/geoserver/geoserver/wiki/GSIP-220

In the coming weeks (maybe at foss4gna) when I have time I will publish some CVE numbers that are presently in draft, and update the release announcement “security vulnerability” sections.

But this really is when I have time, and I am quite exhausted :slight_smile:

Jody

Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Hi Jody,

I think it is OK when a release announcement initially contains an unspecific "security considerations" section if that is justified and necessary: to me it means I have to keep an eye on that.

But if a release announcement contains no security considerations at all, I would assume that there is no security-related reason to upgrade to this release and I would not check this announcement again.


So: Do I have to expect that "security considerations" are added to a release announcement after it has been published, as was done for 2.23.2?

Thank you very much for taking care!

Best regards,

Andreas Watermeyer

From: Jody Garnett <jody.garnett@…403…>
Sent: Saturday, 21 October 2023 08:48
To: Watermeyer, Andreas <Andreas.Watermeyer@…4886…>
Cc: geoserver-devel@lists.sourceforge.net
Subject: Re: [Geoserver-devel] Security considerations for 2.24.0 and 2.23.2


Andreas:

Your questions now are the same ones we were thinking about this summer when revising our security policy.

Please read the result of our thinking and see if it makes sense.

My goal is:

  1. Every release that will eventually have a CVE will have a security considerations heading
  2. When the CVE is announced the heading will contain more details
  3. This is really a bother …

For any true emergency I would hope that the volunteers on the geoserver-security list are in a position to do an emergency release on affected branches and make a prompt disclosure.

But the only true way to be informed is to volunteer on the geoserver-security email list and help verify incoming reports as they come in. Indeed we have a backlog of such reports, since this is not a paid activity and nobody has staff dedicated to it.



Jody Garnett