mirror of
https://github.com/osm-search/Nominatim.git
synced 2024-11-25 08:52:52 +03:00
42 lines
1.8 KiB
Markdown
42 lines
1.8 KiB
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
All Nominatim releases receive security updates for two years.
|
|
|
|
The following table lists the end of support for all currently supported
|
|
versions.
|
|
|
|
| Version | End of support for security updates |
|
|
| ------- | ----------------------------------- |
|
|
| 4.4.x | 2026-03-07 |
|
|
| 4.3.x | 2025-09-07 |
|
|
| 4.2.x | 2024-11-24 |
|
|
| 4.1.x | 2024-08-05 |
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
If you believe, you have found an issue in Nominatim that has implications on
|
|
security, please send a description of the issue to **security@nominatim.org**.
|
|
You will receive an acknowledgement of your mail within 3 work days where we
|
|
also notify you of the next steps.
|
|
|
|
## How we Disclose Security Issues
|
|
|
|
** The following section only applies to security issues found in released
|
|
versions. Issues that concern the master development branch only will be
|
|
fixed immediately on the branch with the corresponding PR containing the
|
|
description of the nature and severity of the issue. **
|
|
|
|
Patches for identified security issues are applied to all affected versions and
|
|
new minor versions are released. At the same time we release a statement at
|
|
the [Nominatim blog](https://nominatim.org/blog/) describing the nature of the
|
|
incident. Announcements will also be published at the
|
|
[geocoding mailinglist](https://lists.openstreetmap.org/listinfo/geocoding).
|
|
|
|
## List of Previous Incidents
|
|
|
|
* 2023-11-20 - [SQL injection vulnerability](https://nominatim.org/2023/11/20/release-432.html)
|
|
* 2023-02-21 - [cross-site scripting vulnerability](https://nominatim.org/2023/02/21/release-421.html)
|
|
* 2020-05-04 - [SQL injection issue on /details endpoint](https://lists.openstreetmap.org/pipermail/geocoding/2020-May/002012.html)
|