GeoNode versions supported with security updates.
| Version | Supported |
|---|---|
| 5.1.x | ✅ |
| 5.0.x | ✅ |
| < 5 | ❌ |
This approach provides ample time for upgrading ensuring you are always working with a supported GeoNode release.
If your organization is making use of a GeoNode version that is no longer in use by the community all is not lost. You can volunteer on the developer list to make additional releases, or engage with one of our Commercial Support providers.
-
DO NOT report vulnerabilities on the public mailing list or any other public channel
-
There are two options to report a security vulnerability:
- Send the report by email to geonode-psc@lists.osgeo.org and be prepared to collaborate with the GeoNode PSC
- Navigate to Private vulnerability reporting and create a new vulnerability report. For more information see GitHub documentation.
-
There is no expected response time.
-
Keep in mind participants are volunteering their time, an extensive fix may require fundraising/resources.
Thanks for you support and help!
Disclosure policy:
- The reported vulnerability has been verified by working with the GeoNode PSC
- GitHub security advisory is used to reserve a CVE number by the GeoNode Organization
- A fix or documentation clarification is accepted and backported to active branches
- A fix is included for the active branches release downloads (reelases, or issued via emergency update)
- The CVE vulnerability is published by the GeoNode Organization with mitigation and patch instructions
This represents a balance between transparency and participation that does not overwhelm participants. Those seeking greater visibility are encouraged to volunteer with the geonode-devel list; or work with one of the commercial support providers who participate on behalf of their customers.