Write a security policy / nominate security contacts #641

miceg · 2024-05-07T04:43:12Z

This repository doesn't list any security policy or security contacts.

I have discovered a low-severity security issue affecting Kartoza's GeoServer Docker image, which is triggered by something in this repository.

I'm in contact with GeoServer folks about the issue, and they've asked me to not share details publicly.

I think Kartoza should be brought into the loop.

NyakudyaA · 2024-05-07T15:37:03Z

@miceg There seems to be a couple of these security issues as indicated here https://github.com/kartoza/docker-geoserver/security/code-scanning, If it's something we can fix please send us a direct email as well. Most of these seem to come from jars

miceg · 2024-05-08T04:46:28Z

I don't have access to that page – but I am pretty confident it's not something a security scanner will find 😄

I'll ask to have you looped in the discussion, thanks 😄

NyakudyaA · 2024-05-08T07:15:25Z

@miceg ping me @addloe@gmail.com and I can share the logs

jodygarnett · 2024-05-08T21:10:07Z

@Admire Nyakudya if you or another Kartoza employee is interested in volunteering on geoserver-security we would appreciate the assistance.

The value proposition is:

Participants help out evaluating and reproducing vulnerabilities as they are reported (providing value to the project)
Earn the insight to take care of their contracts and products in a responsible manner (providing value to their customers)

Thanks

NyakudyaA · 2024-05-11T03:34:07Z

Thanks @jodygarnett I can participate

Provide feedback