GeoServer Enterprise coordinated vulnerability disclosure policy

The my.geocat.net knowledge base documents resolved security vulnerabilities subject to the GeoServer coordinated vulnerability disclosure policy.


As a member of the GeoServer community GeoCat respects the coordinated disclosure policy, working on your behalf to address security vulnerabilities and concerns.

GeoServer Enterprise customers are asked to report any security concerns via the my.geocat.net support portal. We will work with you to assess the severity of the issue, establish any mitigation measures, and arrive at a long-term resolution.

Please keep in mind:

  • GeoServer is a popular open source project and is subject to many security audits each year; only a small portion of these are reported in an actionable manner.
  • GeoCat provides setup guidance for production, with recommendations and topics addressing common security considerations. Please review this guidance and contact support if you require assistance.
  • Tip: The majority of audit software is designed to test the web interface provided for GeoServer administration. In a production environment you may consider turning off this user interface using the GEOSERVER_CONSOLE_DISABLED=true system property (see production considerations).

By working with GeoCat you are actively contributing to GeoServer sustainability and we thank you for your patronage.


Reporting a Vulnerability

If you encounter a security vulnerability in GeoServer, please take care to report it in a responsible fashion:

  1. Keep exploit details out of public mailing lists and the issue tracker.

  2. There are two options to report a security vulnerability:

    • To report via email:
      Please send an email directly to the volunteers on the private geoserver-security@lists.osgeo.org mailing list. Provide information about the security vulnerability you might have found in your email.
    • To report via GitHub:
      Navigate to the repository's security page and use the link for Private vulnerability reporting. For more information see the GitHub documentation.

  3. There is no expected response time. Be prepared to work with the geoserver-security mailing list volunteers on a solution.
  4. Keep in mind that participants are volunteering their time; an extensive fix may require fundraising or additional resources.

Coordinated vulnerability disclosure

Disclosure policy:

  1. The reported vulnerability is verified by working with the geoserver-security list.
  2. A GitHub security advisory is used to reserve a CVE number.
  3. A fix or documentation clarification is accepted and backported to both the "stable" and "maintenance" branches.
  4. The fix is included in the "stable" and "maintenance" downloads (released as scheduled, or issued via emergency update).
  5. The CVE is published with mitigation and patch instructions.
