As an organization using GeoServer in a production environment, I was wondering if there is an existing mailing list or some other mechanism that can notify me when a GeoServer update resolves security issues (particularly application vulnerabilities)? If no such thing exists, it may be possible to do this for myself with a filter subscription in the OSGeo JIRA instance. Are there any issue attributes (labels, issue types, etc.) that are reliably and consistently used to mark issues related to application vulnerabilities?
Thanks.
Clifford M. Harms
Hi Clifford,
I don’t think so, though I can see how it would be useful.
The blog has a “vulnerability” category, though little used:
http://blog.geoserver.org/category/vulnerability/
And a tag for “security” (also little used):
http://blog.geoserver.org/tag/security/
On JIRA, it looks like there is a “Vulnerability” “component”:
https://osgeo-org.atlassian.net/browse/GEOS-8041?jql=project%20%3D%20GEOS%20AND%20component%20%3D%20Vulnerability
and a “label” for “security”:
https://osgeo-org.atlassian.net/browse/GEOS-7744?jql=labels%20%3D%20security
As to how often they’re not used when they should be? No idea.
The release notes for a specific version usually do mention textually (even if not as a category/label/tag/whatever) that something is a security issue.
Cheers,
Jonathan
---- On Mon, 10 Apr 2017 18:44:24 +0100 Clifford M CIV NAVOCEANO, N642 Harms clifford.harms@anonymised.com wrote ----
As an organization using GeoServer in a production environment, I was wondering if there is an existing mailing list or some other mechanism that can notify me when a GeoServer update resolves security issues (particularly application vulnerabilities)? If no such thing exists, it may be possible to do this for myself with a filter subscription in the OSGeo JIRA instance. Are there any issue attributes (labels, issue types, etc.) that are reliably and consistently used to mark issues related to application vulnerabilities?
Thanks.
Clifford M. Harms
Geoserver-users mailing list
Geoserver-users@anonymised.comnet
https://lists.sourceforge.net/lists/listinfo/geoserver-users
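Added example, not part of the original thread: one way to turn the two JIRA filters mentioned in the reply into a single saved-filter query, and to triage exported issues so that untagged ones mentioning security only in their text are still caught. The sample issues and the keyword list are constructed assumptions; the issue layout follows the usual Jira issue JSON (`key`, `fields.summary`, `fields.labels`, `fields.components`, `fields.fixVersions`).

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two filter URLs quoted in the reply.
PAGE_URLS = [
    "https://osgeo-org.atlassian.net/browse/GEOS-8041?jql=project%20%3D%20GEOS%20AND%20component%20%3D%20Vulnerability",
    "https://osgeo-org.atlassian.net/browse/GEOS-7744?jql=labels%20%3D%20security",
]
# Assumption: keyword list for the free-text fallback; tune for your own triage.
KEYWORDS = re.compile(r"\b(security|vulnerab\w*|xss|xxe|csrf|injection)\b", re.I)

def jql_of(url):
    # Decode the JQL clause carried in a Jira URL's query string.
    return parse_qs(urlsplit(url).query)["jql"][0]

def combined_jql():
    # OR the two filters together, scoped to the GEOS project.
    component, label = (jql_of(u) for u in PAGE_URLS)
    component = component.replace("project = GEOS AND ", "")
    return f"project = GEOS AND ({component} OR {label}) ORDER BY updated DESC"

def classify(issue):
    # Return why an issue looks security-related, or None.
    f = issue["fields"]
    if any(c["name"] == "Vulnerability" for c in f.get("components", [])):
        return "component"
    if "security" in f.get("labels", []):
        return "label"
    if KEYWORDS.search(f.get("summary", "")):
        return "text-only"  # untagged: would be missed by the JQL filter alone
    return None

def by_fix_version(issues):
    # Map fix version -> [(issue key, reason)] for security-related issues.
    out = {}
    for issue in issues:
        reason = classify(issue)
        versions = issue["fields"].get("fixVersions") or [{"name": "unscheduled"}]
        for v in versions if reason else []:
            out.setdefault(v["name"], []).append((issue["key"], reason))
    return out

def _issue(key, summary, components, labels, version):
    return {"key": key, "fields": {"summary": summary, "labels": labels,
            "components": [{"name": c} for c in components],
            "fixVersions": [{"name": version}]}}

# Constructed sample issues (placeholder keys and versions, not real GEOS tickets).
SAMPLE = [
    _issue("GEOS-EX1", "Harden XML entity resolution", ["Vulnerability"], [], "x.y.1"),
    _issue("GEOS-EX2", "Restrict admin endpoint", ["WMS"], ["security"], "x.y.1"),
    _issue("GEOS-EX3", "Escape layer title in preview page (XSS)", ["UI"], [], "x.y.2"),
    _issue("GEOS-EX4", "Improve paging performance", ["WFS"], [], "x.y.2"),
]
```

The string from `combined_jql()` can be pasted into the JIRA issue search and saved as a filter with an e-mail subscription; the `text-only` bucket covers issues where neither the component nor the label was applied.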