All,
Thanks for jumping on this so quickly. First off, I have no idea if geoserver
is vulnerable to the issue in this specific component as I have no idea how it
uses this component or if it even actually uses it at all. Lots of projects
have dependencies they don't, or barely use. If I knew geoserver was actually
vulnerable, I wouldn't have posted it here. I did see the warning about not
posting vulns. All I know is that a vulnerable component is included in
geoserver. That's all.
I wanted to simply open a JIRA ticket requesting this upgrade, but that option
isn't on/available in GitHub for this project so this mailing list seemed like
the only easy way to get in touch with the community on this topic.
I'm glad to see you guys are not only willing to quickly upgrade, but are
willing to adopt open source security plugins to help detect such issues in the
future, so you can simply fix them in a timely manner as part of your natural
maintenance of this project.
Thanks, Dave
________________________________
From: Jim Hughes <jhug...@ccri.com>
Sent: Thursday, June 7, 2018 5:32:40 PM
To: Joe Murphy; Andrea Aime
Cc: GeoServer Mailing List List
Subject: Re: [Geoserver-users] Known vulnerability in commons-fileupload
v1.2.1, used by geoserver
Hi all,
Apologies for not reading more carefully. Looks like
https://github.com/OSSIndex/ossindex-maven-plugin and the DependencyCheck
plugin are the winners for the Maven ecosystem.
Andrea, other PSCers, I got interested in the plugins, and have fiddled with
them some this afternoon. I'm going to volunteer some time later this month to
work on JTS. I could be up for working on some of this with Jody.
Cheers,
Jim
On 06/07/2018 04:27 PM, Joe Murphy wrote:
Sounds like you guys have a solution. But, here's some links, one that looks
like it could plugin to your Atlassian Suite, and one that looks like it may
answer the Maven question that Jim asked.
https://techbeacon.com/13-tools-checking-security-risk-open-source-dependencies-0
https://github.com/jeremylong/DependencyCheck
Hope I helped more than got in the way.
Joe
On Thu, Jun 7, 2018 at 7:57 PM, Andrea Aime <andrea.a...@geo-solutions.it> wrote:
Hi Jim,
Dave already suggested an approach.. that should not be too hard, maybe setting up a Jenkins build that reports only to the PSC... that's not the problem, it's a one time thing. It's upgrading the libraries that will be trouble, we depend on various old ones, we tried to organize a code sprint with many devs, but failed to get it going (when Jody proposed to do 2 or 3 sprints on different topics everybody looked elsewhere, it was just not serious, finding time for one co-located sprint a year is already hard enough).
My hope is that commons-fileupload will be a seamless upgrade, but in general, we'll need a concerted effort, various devs for one week, to get widespread upgrades going (e.g., many of the libs we're using have done API or format breaking changes, it will not be a simple "change the dep and rebuild" gig).
Cheers
Andrea
On Thu, Jun 7, 2018 at 8:43 PM, Jim Hughes <jhug...@ccri.com> wrote:
Hi Joe,
The GitHub security alerts seem to only be available for JavaScript and Ruby.
Is there a scanner which would work with a Maven/JVM project that you can
recommend?
Cheers,
Jim
On 06/07/2018 02:18 PM, Joe Murphy wrote:
Not to try and start a huge discussion; but since the cat is out of the bag so
to speak, I also knew of this quite some time(1year+) ago. I don't have the
resources to add bugs to the JIRA, but I was able to find/fix locally very
easily (what you do with open source). I guess I was wondering if you guys are
scanning with any of the free tools, including the one right on Github that
would have spotted this and others.
https://blog.github.com/2017-11-16-introducing-security-alerts-on-github/
I used a tool called Twistlock which is a container scanner; but it draws from
the same NVD database as the free and Github scanners.
All the best,
Joe
On Thu, Jun 7, 2018 at 5:56 PM, Andrea Aime <andrea.a...@geo-solutions.it> wrote:
Hi Chris,
yes, master. Much appreciated!
Cheers
Andrea
On Thu, Jun 7, 2018 at 4:36 PM, Chris Snider <chris.sni...@polarisalpha.com> wrote:
I can try to do that this weekend. I assume master?
Chris Snider
Senior Software Engineer
From: andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] On Behalf Of Andrea Aime
Sent: Thursday, June 07, 2018 8:25 AM
To: Chris Snider <chris.sni...@polarisalpha.com>
Cc: Dave Wichers <dave.wich...@ey.com>; geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Known vulnerability in commons-fileupload v1.2.1, used by geoserver
Hi Chris,
that's a sensible suggestion. The web site is on github, any chance you could do a pull request? I'm swamped...
https://github.com/geoserver/geoserver.github.io
Cheers
Andrea
On Thu, Jun 7, 2018 at 4:18 PM, Chris Snider <chris.sni...@polarisalpha.com> wrote:
Andrea,
It took me a second to find the security block. I completely overlooked the
blue field.
Maybe add a new header under the “User List”
<h3>User List</h3>
This list is for end users blah blah blah
<h3>Reporting Security Vulnerabilities</h3>
If you encounter a security vulnerability blah blah blah
<h3>Posting Guidelines</h3>
Please read through etc. etc. etc.
Thought I’d say blah again didn’t you
<h3>Developer Lists</h3>
The rest of the page, and so on
This might draw attention?
Chris Snider
Senior Software Engineer
From: Andrea Aime [mailto:andrea.a...@geo-solutions.it]
Sent: Thursday, June 07, 2018 12:23 AM
To: Dave Wichers <dave.wich...@ey.com>
Cc: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Known vulnerability in commons-fileupload v1.2.1, used by geoserver
The comm page, where I believe you found info on registering for the user list,
has a clear warning not to post security vulnerabilities:
http://geoserver.org/comm/
"If you encounter a security vulnerability in GeoServer please take care to report the issue in a responsible fashion. Do not use the mailing list, go instead to the Jira bug tracker and follow the "Responsible disclosure" instructions there."
How do we make it more plain and evident so that grave mistakes do not occur
anymore in the future?
Maybe we should switch the background color of that box to red...
Regards
Andrea
<removed>
--
Regards, Andrea Aime
== GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. ==
Ing. Andrea Aime @geowolf
Technical Lead GeoSolutions S.A.S.
Via di Montramito 3/A 55054 Massarosa (LU)
phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549
http://www.geo-solutions.it http://twitter.com/geosolutions_it
-------------------------------------------------------
With reference to the legislation on the processing of personal data (EU Reg. 2016/679, the General Data Protection Regulation, "GDPR"), please note that every circumstance concerning this e-mail (its content, any attachments, etc.) is information whose knowledge is reserved to the recipient(s) indicated by the sender. If the message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could let me know.
This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 "GDPR" - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-users mailing list
Please make sure you read the following two resources before posting to this
list:
- Earning your support instead of buying it, by Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
Any tax advice in this e-mail should be considered in the context of the tax
services we are providing to you. Preliminary tax advice should not be relied
upon and may be insufficient for penalty protection.
________________________________________________________________________
The information contained in this message may be privileged and confidential
and protected from disclosure. If the reader of this message is not the
intended recipient, or an employee or agent responsible for delivering this
message to the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication is strictly
prohibited. If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.
Notice required by law: This e-mail may constitute an advertisement or
solicitation under U.S. law, if its primary purpose is to advertise or promote
a commercial product or service. You may choose not to receive advertising and
promotional messages from Ernst & Young LLP (except for EY Client Portal and
the ey.com website, which track e-mail preferences through a separate process)
at this e-mail address by forwarding this message to no-more-m...@ey.com. If
you do so, the sender of this message will be notified promptly. Our principal
postal address is 5 Times Square, New York, NY 10036. Thank you. Ernst & Young
LLP
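Jim's question about a scanner that works for a Maven/JVM project, the plugins named in reply (the OSS Index Maven plugin and OWASP DependencyCheck), and Andrea's idea of a build that reports only to the PSC all point at the same wiring. The pom.xml fragment below is an added example written for this edit; it is not GeoServer's pom and not code from either plugin's documentation. It binds the OWASP dependency-check-maven plugin into the build so that `mvn verify` fails when a dependency matches an NVD entry at or above a chosen CVSS score, which is exactly how the old commons-fileupload 1.2.1 in this thread would have surfaced. The plugin `groupId`, `artifactId`, the `check` goal and the `failBuildOnCVSS`, `format` and `suppressionFile` parameters are the plugin's own; the version number, the CVSS threshold and the suppression file path are assumptions to adjust locally.

```xml
<!-- Added example (not GeoServer's pom.xml): run OWASP dependency-check during
     "mvn verify" so that a dependency with a known NVD entry fails the build. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- assumption: replace with the current plugin release -->
      <version>3.2.1</version>
      <configuration>
        <!-- assumed threshold: fail when any dependency carries a CVE with a
             CVSS score of 7 or higher; set to 0 to fail on any finding at all -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- ALL writes the HTML report for people and the XML report that a
             Jenkins job can parse and archive -->
        <format>ALL</format>
        <!-- assumed path: triaged false positives and accepted risks, one entry
             per finding, so the build only fails on findings nobody has reviewed -->
        <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- the check goal binds to the verify phase by default -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

For a multi-module build such as GeoServer, running the plugin's `aggregate` goal from the root produces a single report across all modules instead of one per module. A Jenkins job that runs `mvn verify` nightly and sends its notifications only to PSC members matches Andrea's "reports only to the PSC" suggestion: the findings stay with the people who can act on them rather than on a public list. The suppression file is where Dave's point belongs: a flagged library is not proof that the project's use of it is reachable, so each reviewed finding gets a suppression entry with a note explaining why it is a false positive or an accepted risk, and the build keeps failing only on entries that still need a look.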