GeoServer 2.23.3 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of GeoServer providing existing installations with minor updates and bug fixes. GeoServer 2.23.3 is made in conjunction with GeoTools 29.3, and GeoWebCache 1.23.2.

Thanks to Peter Smythe (AfriGIS) for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered an essential upgrade for production systems.

  • CVE-2024-23818 Stored Cross-Site Scripting (XSS) vulnerability in WMS OpenLayers Format (Moderate).
  • CVE-2024-23640 Stored Cross-Site Scripting (XSS) vulnerability in Style Publisher (Moderate).
  • CVE-2023-51445 Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API (Moderate).

This release includes security patches from projects that GeoServer depends on.

  • GEOS-11030 Update jetty-server to 9.4.51.v20230217

See project security policy for more information on how security vulnerabilities are managed.

Also, another reminder of the URL check security setting that was introduced in version 2.22.4 and version 2.23.2 (but turned off by default). The latest GeoServer 2.24.0 release has this setting enabled by default. If you are not yet in a position to upgrade to 2.24.0 you are encouraged to enable this recommended setting.

Release notes

New Feature:

  • GEOS-11000 WPS process to provide elevation profile for a linestring

Improvement:

  • GEOS-10856 geoserver monitor plugin - scaling troubles
  • GEOS-11081 Add option to disable GetFeatureInfo transforming raster layers
  • GEOS-11087 Fix IsolatedCatalogFacade unnecessary performance overhead
  • GEOS-11089 Performance penalty adding namespaces while loading catalog
  • GEOS-11090 Use Catalog streaming API in WorkspacePage
  • GEOS-11099 ElasticSearch DataStore Documentation Update for RESPONSE_BUFFER_LIMIT
  • GEOS-11100 Add opacity parameter to the layer definitions in WPS-Download download maps
  • GEOS-11102 Allow configuration of the CSV date format
  • GEOS-11114 Improve extensibility in Pre-Authentication scenarios
  • GEOS-11116 GetMap/GetFeatureInfo with groups and view params can with mismatched layers/params
  • GEOS-11120 Create aggregates filterFunction in OSEO to support STAC Datacube extension implementation
  • GEOS-11130 Sort parent role dropdown in Add a new role
  • GEOS-11142 Add mime type mapping for yaml files
  • GEOS-11148 Update response headers for the Resources REST API
  • GEOS-11149 Update response headers for the Style Publisher
  • GEOS-11153 Improve handling special characters in the WMS OpenLayers Format
  • GEOS-11155 Add the X-Content-Type-Options header

Bug:

  • GEOS-10452 Use of Active Directory authorisation seems broken since 2.15.2 (LDAP still works)
  • GEOS-11032 Unlucky init order with GeoWebCacheExtension gwcFacade before DiskQuotaMonitor
  • GEOS-11138 Jetty unable to start cvc-elt.1.a / org.xml.sax.SAXParseException
  • GEOS-11140 WPS download can leak image references in the RasterCleaner
  • GEOS-11145 The GUI “wait spinner” is not visible any longer
  • GEOS-11166 OGC API Maps HTML representation fail without datetime parameter

Task:

  • GEOS-10248 WPSInitializer NPE failure during GeoServer reload
  • GEOS-11030 Update jetty-server to 9.4.51.v20230217
  • GEOS-11084 Update text field css styling to look visually distinct
  • GEOS-11091 Upgrade spring-security to 5.7.10
  • GEOS-11092 acme-ldap.jar is compiled with Java 8
  • GEOS-11094 Bump org.hsqldb:hsqldb:2.7.1 to 2.7.2
  • GEOS-11124 Update json dependency to 20230227 in geowebcache-rest
  • GEOS-11141 production consideration for logging configuration hardening

For the complete list see 2.23.3 release notes.

About GeoServer 2.23 Series

Additional information on GeoServer 2.23 series:

Release notes: ( 2.23.3 | 2.23.2 | 2.23.1 | 2.23.0 | 2.23-RC1 )