In light of the recent-ish CVE: https://www.opencve.io/cve/CVE-2024-36401 I am going around and checking our geoserver versions to check if they are vulnerable. I am a little stumped.

We use the official geoserver images tagged 'docker.osgeo.org/geoserver:2.24.x'. In the web interface of a geoserver so running, the version is reported as 2.24-SNAPSHOT. According to the CVE, versions prior to 2.24.4 are vulnerable. Now I think we're fine in practice, because the build date is reported as 2024-07-05 and 24.4.4 was released 3 weeks ago, but still.

I can't find anything in the geoserver documentation that details what exactly the SNAPSHOT version is. Is there a good way to confirm whether or not the geoserver is vulnerable to CVE-2024-36401 with some amount of certainty?
A SNAPSHOT version is built on the latest available code base for the branch 2.24.X. As such it should contain the fix for the CVE.
This, in general, is wrong for any -SNAPSHOT versions of GeoServer as it can be anything after the ".0" tag of a stable branch has been pushed; it depends on the moment the build is done and the moment the code is checked out.
To be certain you will need to check the Git Revision shown on the About page of GeoServer after logging in and compare that to Github, looking at the Build Date is second best.
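A small triage helper for the check described above, written for this thread as an added example (it is not code from the GeoServer project or from any poster). It reads the JSON shape returned by GeoServer's REST endpoint GET /geoserver/rest/about/version.json, which exposes the same Version, Git-Revision and Build-Timestamp fields as the About page; the field names, the timestamp layouts and the 2.24.4 release date used as a cut-off are assumptions and are labelled as such in the code. Release builds on the 2.24 branch are classified against 2.24.4 directly; SNAPSHOT builds are never called "fixed" from the version string alone, only "indeterminate" or "likely-vulnerable", with the Git revision reported so it can be compared against GitHub as the reply recommends.

```python
"""Triage a GeoServer about/version payload for CVE-2024-36401 exposure.

Added example for the GeoServer users thread; not project code.
Input shape (ASSUMED) mirrors GET /geoserver/rest/about/version.json:
{"about": {"resource": [{"@name": "GeoServer", "Version": ..., "Git-Revision": ...,
                          "Build-Timestamp": ...}, ...]}}
"""
import re
from datetime import datetime, timezone

# From the thread/advisory: 2.24.x releases before 2.24.4 are affected.
FIXED_2_24 = (2, 24, 4)

# Heuristic cut-off for SNAPSHOT builds. The thread says 2.24.4 shipped about
# three weeks before 11 July 2024; this exact date is ASSUMED, replace it with
# the date from the GeoServer release notes before relying on it.
FIX_RELEASE_DATE = datetime(2024, 6, 20, tzinfo=timezone.utc)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-SNAPSHOT)?$")

# Timestamp layouts tried for Build-Timestamp (ASSUMED; an unparseable value
# is reported as indeterminate rather than guessed).
TIMESTAMP_FORMATS = ("%d-%b-%Y %H:%M", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%d %H:%M", "%Y-%m-%d")


def parse_version(text):
    """Return (major, minor, patch, is_snapshot); '2.24' counts as patch 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version string: {text!r}")
    major, minor, patch, snapshot = m.groups()
    return int(major), int(minor), int(patch) if patch else 0, snapshot is not None


def parse_build_timestamp(text):
    for fmt in TIMESTAMP_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def geoserver_resource(version_json):
    # The payload also lists GeoTools and GeoWebCache; only GeoServer matters here.
    for res in version_json["about"]["resource"]:
        if res.get("@name") == "GeoServer":
            return res
    raise KeyError("no GeoServer entry in about/version payload")


def triage(version_json):
    res = geoserver_resource(version_json)
    major, minor, patch, snapshot = parse_version(res["Version"])
    result = {
        "version": res["Version"],
        "git_revision": res.get("Git-Revision"),   # compare this against GitHub
        "build_timestamp": res.get("Build-Timestamp"),
    }
    if (major, minor) != (2, 24):
        result.update(status="unknown",
                      reason="not a 2.24.x build; consult the advisory for this branch")
        return result
    if not snapshot:
        fixed = (major, minor, patch) >= FIXED_2_24
        result.update(status="fixed" if fixed else "vulnerable",
                      reason=f"release {res['Version']} {'>=' if fixed else '<'} 2.24.4")
        return result
    # SNAPSHOT: the version string cannot settle it; the build date is only a hint.
    built = parse_build_timestamp(res.get("Build-Timestamp", ""))
    if built is None:
        result.update(status="indeterminate",
                      reason="SNAPSHOT with unparseable build timestamp; compare Git-Revision on GitHub")
    elif built >= FIX_RELEASE_DATE:
        result.update(status="indeterminate",
                      reason="SNAPSHOT built after the 2.24.4 release date; likely fixed, confirm via Git-Revision")
    else:
        result.update(status="likely-vulnerable",
                      reason="SNAPSHOT built before the 2.24.4 release date")
    return result


def sample_payload(version, build_timestamp, git_revision="PLACEHOLDER_GIT_REVISION"):
    """Constructed sample in the assumed payload shape (not real server output)."""
    return {"about": {"resource": [
        {"@name": "GeoServer", "Version": version,
         "Git-Revision": git_revision, "Build-Timestamp": build_timestamp},
        {"@name": "GeoTools", "Version": "30.4", "Git-Revision": "PLACEHOLDER",
         "Build-Timestamp": build_timestamp},
    ]}}


if __name__ == "__main__":
    # The poster's situation: 2.24-SNAPSHOT built on 2024-07-05.
    for payload in (sample_payload("2.24-SNAPSHOT", "05-Jul-2024 02:14"),
                    sample_payload("2.24.3", "01-Mar-2024 09:00"),
                    sample_payload("2.24.4", "18-Jun-2024 09:00")):
        print(triage(payload))
```

Run it with a payload fetched from your own instance (an authenticated GET on /geoserver/rest/about/version.json, then json.load) and act on the status: a SNAPSHOT is only ever "indeterminate" or "likely-vulnerable", and the printed git_revision is what you compare against the 2.24.x branch history on GitHub, as the reply above says. Pinning the image to an explicit release tag removes the ambiguity entirely.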
On 11 July 2024 16:03:48 BST, Mark Prins <mc.prins@anonymised.com> wrote:
> To be certain you will need to check the Git Revision shown on the About page of GeoServer after logging in and compare that to Github, looking at the Build Date is second best.
This was my instinct too, I couldn't find the referenced revision for some reason, though that's on me. I did compare the build date against the release date of 2.24.4 and convinced myself that I was more than likely safe.
I've now pinned to 2.24.4 explicitly, on advice from previous posts to this thread.
Just from the name of the tag, having done no reading at all (which is to say entirely my fault), I just assumed that 2.24.x meant: The latest patch on the 2.24 major.minor version.