[Geoserver-users] Jetty vulnerability in 2.2

I’m currently using an older version of GeoServer (2.2). We ran security scanning software and it came up with a vulnerability against Jetty. The vulnerability # is CVE-2009-1523, which is “Jetty is prone to a cross-site scripting vulnerability and an information-disclosure vulnerability.” I was inquiring if this has been fixed in a later version of GeoServer. Our implementation of GeoServer is stable so I’d only like to upgrade at this time if it fixes this vulnerability. Any insight is appreciated. Thanks.

On Fri, Feb 28, 2014 at 2:16 PM, Plummer, Thomas <thomas.plummer@anonymised.com> wrote:

> I'm currently using an older version of GeoServer (2.2). We ran security
> scanning software and it came up with a vulnerability against Jetty. The
> vulnerability # is CVE-2009-1523, which is "Jetty is prone to a cross-site
> scripting vulnerability and an information-disclosure vulnerability." I was
> inquiring if this has been fixed in a later version of GeoServer. Our
> implementation of GeoServer is stable so I'd only like to upgrade at this
> time if it fixes this vulnerability. Any insight is appreciated. Thanks.

No, it has not been fixed. The Windows installer/bin packages are meant for
easy testing; for production usage you should install Tomcat and deploy the
WAR in it instead.

Cheers
Andrea

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.