The GeoNetwork community takes the security of the software and all services based on the software product seriously. On this page you can find the versions for which the community provides security patches.
If you believe you have found a security vulnerability in the software or an implementation of the software, please report it here as described below. Do not publish the vulnerability in any public forums (such as Twitter/X, email list or issue tracker).
Each GeoNetwork release is supported with bug fixes for a limited period, with patch releases made approximately every three to six months.
- We recommend to update to latest incremental release as soon as possible to address security vulnerabilities.
- Some overlap is provided when major versions are announced with both a current version and a maintenance version being made available to provide time for organizations to upgrade.
| Version | Supported | Comment |
|---|---|---|
| 4.4.x | ✅ | Latest version |
| 4.2.x | ✅ | Stable version |
| 3.12.x | ✅ | Maintenance version |
If your organisation is making use of a GeoNetwork version that is no longer in use by the community all is not lost. You can volunteer on the developer list to make additional releases, or engage with one of our Commercial Support providers.
If you encounter a security vulnerability in GeoNetwork please take care to report in a responsible fashion:
- Keep exploit details out of mailing list and issue tracker (instead provide details to the Project Steering Committee via the GitHub Report a vulnerability option link at the top of this page or send an email to geonetwork@osgeo.org)
- Be prepared to work with community members on a solution
- Keep in mind that community members are volunteers and an extensive fix may require fundraising / resources
For more information see How to contribute.