|
| 1 | +# MapServer Security Policy |
| 2 | + |
| 3 | +## Reporting a Vulnerability in MapServer |
| 4 | + |
| 5 | +Security/vulnerability reports should not be submitted through GitHub tickets or the public mailing lists, but instead please send your report |
| 6 | +to the email address: **mapserver-security nospam @ osgeo.org** (remove the blanks and ‘nospam’). |
| 7 | + |
| 8 | +Please follow the general guidelines for bug |
| 9 | +submissions, when describing the vulnerability (see https://mapserver.org/development/bugs.html). |
| 10 | + |
| 11 | +## Supported Versions |
| 12 | + |
| 13 | +The MapServer PSC (Project Steering Committee) will release patches for security vulnerabilities |
| 14 | +for the last release branch of the **two most recent release series** (such as 8.x, 7.x. 6.x, etc...). |
| 15 | +Patches will only be provided **for a period of three years** from the release date of the current series. |
| 16 | +For example, as 8.0 has been released, now only 8.0.x and 7.6.x will be supported/patched and 7.6.x will |
| 17 | +only be supported for three years from the date of the 8.0 series release. |
| 18 | + |
| 19 | +Currently, the following versions are supported: |
| 20 | + |
| 21 | +| Version | Supported | |
| 22 | +| ------- | ------------------ | |
| 23 | +| 8.0.x | :white_check_mark: | |
| 24 | +| 7.6.x | :white_check_mark: | |
| 25 | +| 7.4.x | :x: | |
| 26 | +| 7.2.x | :x: | |
| 27 | +| 7.0.x | :x: | |
| 28 | +| 6.4.x | :x: | |
| 29 | +| < 6.4 | :x: | |
| 30 | + |
| 31 | +Note: _MapServer 8.0.0 was released on 2022-09-12._ |
| 32 | +Note: _MapServer 7.0.0 was released on 2015-07-24._ |
| 33 | + |
| 34 | +## Version Numbering: Explained |
| 35 | + |
| 36 | +version x.y.z means: |
| 37 | + |
| 38 | +**x** |
| 39 | +- Major release series number. |
| 40 | +- Major releases indicate substantial changes to the software and |
| 41 | + backwards compatibility is not guaranteed across series. Current |
| 42 | + release series is 8. |
| 43 | + |
| 44 | +**y** |
| 45 | +- Minor release series number. |
| 46 | +- Minor releases indicate smaller, functional additions or improvements |
| 47 | + to the software and should be generally backwards compatible within a |
| 48 | + major release series. Users should be able to confidently upgrade |
| 49 | + from one minor release to another within the same release series, so |
| 50 | + from 7.4.x to 7.6.x. |
| 51 | + |
| 52 | +**z** |
| 53 | +- Point release series number. |
| 54 | +- Point releases indicate maintenance releases - usually a combination of |
| 55 | + bug and security fixes and perhaps small feature additions. Backwards |
| 56 | + compatibility should be preserved and users should be able to confidently |
| 57 | + upgrade between point releases within the same release series, |
| 58 | + so from 7.6.4 to 7.6.5. |
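Review bot: The three-year limit in "Supported Versions" (new lines 13-17) is ambiguous about which series it covers. Line 15 says patches are provided "for a period of three years from the release date of the current series", which read literally would also end 8.0.x support three years after 2022-09-12, while the example on lines 16-17 applies the limit only to 7.6.x. Suggest stating that the limit applies to the previous series and adding the resulting end-of-support date for 7.6.x to the table, so users do not have to derive it from the 8.0.0 release note on line 31. The 7.0.0 release date on line 32 does not feed into the rule as written and should be explained or dropped. Minor: line 14 has "7.x. 6.x" (period instead of comma) and lists three series as examples of the "two most recent release series". The reporting section (lines 5-9) also does not say when a reporter can expect an acknowledgement or how to send a report encrypted, both of which are worth documenting here.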