2021-07-09 12:36:59 +03:00
|
|
|
# Security Policy
|
|
|
|
|
|
|
|
## Supported Versions
|
|
|
|
|
|
|
|
All Nominatim releases receive security updates for two years.
|
|
|
|
|
|
|
|
The following table lists the end of support for all currently supported
|
|
|
|
versions.
|
|
|
|
|
|
|
|
| Version | End of support for security updates |
|
|
|
|
| ------- | ----------------------------------- |
|
2024-03-07 13:43:01 +03:00
|
|
|
| 4.4.x | 2026-03-07 |
|
2023-09-06 21:08:28 +03:00
|
|
|
| 4.3.x | 2025-09-07 |
|
2022-11-24 12:43:29 +03:00
|
|
|
| 4.2.x | 2024-11-24 |
|
2022-09-13 09:58:31 +03:00
|
|
|
| 4.1.x | 2024-08-05 |
|
2021-07-09 12:36:59 +03:00
|
|
|
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
|
|
|
|
If you believe, you have found an issue in Nominatim that has implications on
|
|
|
|
security, please send a description of the issue to **security@nominatim.org**.
|
|
|
|
You will receive an acknowledgement of your mail within 3 work days where we
|
|
|
|
also notify you of the next steps.
|
|
|
|
|
|
|
|
## How we Disclose Security Issues
|
|
|
|
|
|
|
|
** The following section only applies to security issues found in released
|
|
|
|
versions. Issues that concern the master development branch only will be
|
|
|
|
fixed immediately on the branch with the corresponding PR containing the
|
|
|
|
description of the nature and severity of the issue. **
|
|
|
|
|
|
|
|
Patches for identified security issues are applied to all affected versions and
|
|
|
|
new minor versions are released. At the same time we release a statement at
|
|
|
|
the [Nominatim blog](https://nominatim.org/blog/) describing the nature of the
|
|
|
|
incident. Announcements will also be published at the
|
|
|
|
[geocoding mailinglist](https://lists.openstreetmap.org/listinfo/geocoding).
|
|
|
|
|
|
|
|
## List of Previous Incidents
|
|
|
|
|
2023-11-20 12:44:48 +03:00
|
|
|
* 2023-11-20 - [SQL injection vulnerability](https://nominatim.org/2023/11/20/release-432.html)
|
2023-02-22 13:24:04 +03:00
|
|
|
* 2023-02-21 - [cross-site scripting vulnerability](https://nominatim.org/2023/02/21/release-421.html)
|
2023-11-20 12:44:48 +03:00
|
|
|
* 2020-05-04 - [SQL injection issue on /details endpoint](https://lists.openstreetmap.org/pipermail/geocoding/2020-May/002012.html)
|