On Tue, Jun 23, 2015 at 10:14 PM, Ben Caradoc-Davies <ben@anonymised.com> wrote:

All GeoServer releases except 2.6.4 have a remote file disclosure
vulnerability that permits an unauthenticated remote attacker to use a
malicious request view any file on the server visible to GeoServer,
including files outside the data directory.

This vulnerability is fixed in 2.6.4 and in all nightlies including
those for stable (2.7.x) and master.

All future GeoServer releases will contain a fix for this vulnerability.

See:

https://osgeo-org.atlassian.net/browse/GEOS-7032
http://osgeo-org.1560.x6.nabble.com/Handling-of-GEOS-7032-Remote-File-Disclosure-td5212383.html

Kind regards,
Ben.

-------- Forwarded Message --------
Subject: [Geoserver-users] GeoServer 2.6.4 Released
Date: Fri, 19 Jun 2015 08:40:59 +1200
From: Ben Caradoc-Davies <ben@anonymised.com…>
To: geoserver-users@lists.sourceforge.net

http://blog.geoserver.org/2015/06/18/geoserver-2-6-4-released/
[…]
The GeoServer team is pleased to announce the release of GeoServer 2.6.4
[…]
GeoServer 2.6.4 is a maintenance release of GeoServer recommended for
production deployment. This release contains IMPORTANT SECURITY FIXES
so please upgrade.
[…]

• SECURITY: Fixed a serious vulnerability that allowed arbitrary
  files on the server to be read by crafting a malicious WFS request
  <https://osgeo-org.atlassian.net/browse/GEOS-7032>

–
Ben Caradoc-Davies <ben@anonymised.com>
Director
Transient Software Limited <http://transient.nz/>
New Zealand

---

Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors
network devices and physical & virtual servers, alerts via email & sms
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o

---

Geoserver-users mailing list
Geoserver-users@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

–

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

On Thu, Jun 25, 2015 at 1:28 PM, Andrea Aime <andrea.aime@anonymised.com> wrote:

Hi all,
for those that are still stuck on 2.5.x, and are not ready to upgrade to 2.6.x yet,
we have prepared a 2.5.5.1 release containing the fixes against the
XXE vulnerability, you can find it here:

https://sourceforge.net/projects/geoserver/files/GeoServer/2.5.5.1

Cheers
Andrea

---

Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors
network devices and physical & virtual servers, alerts via email & sms
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o

---

Geoserver-users mailing list
Geoserver-users@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

On Tue, Jun 23, 2015 at 10:14 PM, Ben Caradoc-Davies <ben@anonymised.com> wrote:

All GeoServer releases except 2.6.4 have a remote file disclosure
vulnerability that permits an unauthenticated remote attacker to use a
malicious request view any file on the server visible to GeoServer,
including files outside the data directory.

This vulnerability is fixed in 2.6.4 and in all nightlies including
those for stable (2.7.x) and master.

All future GeoServer releases will contain a fix for this vulnerability.

See:

https://osgeo-org.atlassian.net/browse/GEOS-7032
http://osgeo-org.1560.x6.nabble.com/Handling-of-GEOS-7032-Remote-File-Disclosure-td5212383.html

Kind regards,
Ben.

-------- Forwarded Message --------
Subject: [Geoserver-users] GeoServer 2.6.4 Released
Date: Fri, 19 Jun 2015 08:40:59 +1200
From: Ben Caradoc-Davies <ben@anonymised.com>
To: geoserver-users@lists.sourceforge.net

http://blog.geoserver.org/2015/06/18/geoserver-2-6-4-released/
[…]
The GeoServer team is pleased to announce the release of GeoServer 2.6.4
[…]
GeoServer 2.6.4 is a maintenance release of GeoServer recommended for
production deployment. This release contains IMPORTANT SECURITY FIXES
so please upgrade.
[…]

• SECURITY: Fixed a serious vulnerability that allowed arbitrary
  files on the server to be read by crafting a malicious WFS request
  <https://osgeo-org.atlassian.net/browse/GEOS-7032>

–
Ben Caradoc-Davies <ben@anonymised.com>
Director
Transient Software Limited <http://transient.nz/>
New Zealand

---

Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors
network devices and physical & virtual servers, alerts via email & sms
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o

---

Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

–

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

On 23 June 2015 at 13:14, Ben Caradoc-Davies <ben@anonymised.com> wrote:

All GeoServer releases except 2.6.4 have a remote file disclosure
vulnerability that permits an unauthenticated remote attacker to use a
malicious request view any file on the server visible to GeoServer,
including files outside the data directory.

This vulnerability is fixed in 2.6.4 and in all nightlies including
those for stable (2.7.x) and master.

All future GeoServer releases will contain a fix for this vulnerability.

See:

https://osgeo-org.atlassian.net/browse/GEOS-7032
http://osgeo-org.1560.x6.nabble.com/Handling-of-GEOS-7032-Remote-File-Disclosure-td5212383.html

Kind regards,
Ben.

-------- Forwarded Message --------
Subject: [Geoserver-users] GeoServer 2.6.4 Released
Date: Fri, 19 Jun 2015 08:40:59 +1200
From: Ben Caradoc-Davies <ben@anonymised.com…>
To: geoserver-users@lists.sourceforge.net

http://blog.geoserver.org/2015/06/18/geoserver-2-6-4-released/
[…]
The GeoServer team is pleased to announce the release of GeoServer 2.6.4
[…]
GeoServer 2.6.4 is a maintenance release of GeoServer recommended for
production deployment. This release contains IMPORTANT SECURITY FIXES
so please upgrade.
[…]

• SECURITY: Fixed a serious vulnerability that allowed arbitrary
  files on the server to be read by crafting a malicious WFS request
  <https://osgeo-org.atlassian.net/browse/GEOS-7032>

–
Ben Caradoc-Davies <ben@anonymised.com>
Director
Transient Software Limited <http://transient.nz/>
New Zealand

---

Monitor 25 network devices or servers for free with OpManager!
OpManager is web-based network management software that monitors
network devices and physical & virtual servers, alerts via email & sms
for fault. Monitor 25 devices for free with no restriction. Download now
http://ad.doubleclick.net/ddm/clk/292181274;119417398;o

---

Geoserver-users mailing list
Geoserver-users@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

–
Jody Garnett