Posts

Why should you use Liquibase?

If you’ve ever had a deployment fail because someone forgot to run a SQL script on the production database, you know the pain of manual schema management. Liquibase is an open-source database schema change management solution designed to solve that exact problem. Here are some reasons why you should add it to your DevOps pipeline.

1. Version Control for Your Database

Liquibase treats your database changes like code. Every change (tables, columns, indexes) is stored in a "changelog" file. This allows you to:

- Track exactly who made a change and when.
- Store your database evolution in Git alongside your application code.
- Ensure that every environment (Dev, QA, Prod) is running the exact same schema version.

2. Database Agnostic (Abstraction)

One of Liquibase’s strongest features is the use of Changesets. You can define changes in SQL, XML, YAML, or JSON. However, if you do not use SQL and use one of the other formats, you will benefit from the Liquibase translat...

Upgrade to GeoServer 2.28.1 urgently!

GeoServer users should upgrade to the 2.28.1 release immediately to address critical security vulnerabilities that are actively being exploited in the wild. The most severe issue, CVE-2025-58360 (CVSS 9.8), is an unauthenticated XML External Entity (XXE) vulnerability in the WMS GetMap endpoint that allows attackers to read arbitrary files, perform port scanning, or launch Server-Side Request Forgery (SSRF) attacks. Additionally, this release patches a moderate-severity Reflected Cross-Site Scripting (XSS) flaw, CVE-2025-21621, that enables a remote attacker to execute arbitrary JavaScript code in a victim's browser through specially crafted SLD_BODY parameters. Because these flaws pose a significant risk to production systems and have already been added to CISA's Known Exploited Vulnerabilities catalog, upgrading is considered a mandatory step for maintaining the integrity and security of geospatial data environments.

[1] https://geoserver.org/announcements/vulnerability/...

AWS Outage 2025

The October 23, 2025, report by The Register details a 15-hour AWS outage triggered by a "race condition" in DynamoDB’s automated DNS management. Let's summarize the key points:

- The Cause: A conflict between two internal systems (the "Planner" and "Enactor") caused an automated cleanup script to accidentally delete the IP addresses for DynamoDB in the US-EAST-1 region.
- The Impact: Because DynamoDB is a core dependency, it crippled other services like EC2, IAM, and Lambda. This sidelined everything from global banking to smart home devices (Ring, Peloton).
- The "Traffic Jam": Recovery was delayed by "congestive collapse," where millions of devices trying to reconnect at once overwhelmed the system.
- The Fix: Amazon has disabled that specific DNS automation and is adding "guardrails" to prevent automated scripts from making such destructive changes in the future.

[1] https://www.theregister.com/2025/10/23/amazon_outag...

The biggest Java security vulnerability of 2021

If you use Log4j, please update your libraries to the latest unaffected version. The recommended version is 2.17.0. A 0-day exploit in the popular Java logging library Log4j was discovered that results in Remote Code Execution (RCE) by logging a certain string. https://www.lunasec.io/docs/blog/log4j-zero-day

OGC APIs at API Days Paris

Excellent presentation by Gobe Hobona about OGC Web APIs, a GIS standard that everyone should be aware of. YouTube link: https://www.youtube.com/watch?v=qSiTaZB9-Xw&t=4675s

GoDaddy security breach

An unknown attacker gained unauthorized access to GoDaddy's managed WordPress site passwords. If you have a site with them, make sure you change your password. Source link: https://www.wordfence.com/blog/2021/11/godaddy-breach-plaintext-passwords/

FOSS4G 2021 Argentina

The video playlist for FOSS4G 2021 Argentina is available on YouTube. The schedule of the talks is here: https://2021.foss4g.org/schedule/outline.html