Boundless is announcing the general availability of OpenGeo Suite 4.6.1 for all customers and OpenGeo Suite users. This is a patch release primarily intended to address an identified security vulnerability in GeoServer:
- GEOS-7032: Reports that sensitive files can be requested using a carefully crafted WFS GetFeature request when running GeoServer as root (which is not recommended for production systems). Please note that OpenGeo Suite installs GeoServer using the “tomcat” user, limiting the scope of this vulnerability for our customers. While this reduces the risk, we still encourage all users to update their systems.
At this time, this security update is available via Boundless as part of OpenGeo Suite 4.6.1, which includes the latest GeoServer 2.7.
Boundless is committed to the security and success of our customers, and will continue to provide early access to important updates and fixes.
GeoServer will include this fix in the GeoServer 2.6.4 maintenance release scheduled for availability later today. Those making use of GeoServer 2.7 are encouraged to update to 2.7.2 when it is released later this month.
For more information on availability please see the community release schedule.
UPDATE 06/29/15 – See the project blog on the GeoServer XXE vulnerability for patched 2.5.x, 2.6.x and 2.7.x releases.