The GeoServer team is pleased to announce the release of GeoServer 2.8.5. Download bundles are provided (bin, war, dmg and exe) along with documentation and extensions.

GeoServer 2.8.5 is the final maintenance release of the 2.8.x series. This release is made by Ben Caradoc-Davies (Transient) in conjunction with GeoTools 14.5 and GeoWebCache 1.8.3. We thank the many contributors who have made this release possible.

The GeoServer 2.8.5 release notes detail the changes in this release. These include:

• Fixes for WFS editing failing for geometries in full 3D CRS

• ColorMap variable substitution now working correctly for multiple layers in a GetMap request

• Fixed a missing JNA jar in the netcdf-out plugin

• KML placemarks now being set correctly when KMSCORE=0

• Support for multivalued xlink:href ClientProperty in app-schema mappings, even without feature chaining

• Support requiring files to exist for GeoServer startup, to protect against insecure fallback when a data directory on a network share is unavailable

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems:

• Although we have not been able to reproduce from GeoServer, a remote execution vulnerability has been reported against both the Restlet  and the Apache Commons BeanUtils libraries we use. We have patched our use of these libraries as a preventative measure. We would like to thank Kevin Smith for doing the bulk of the work, and Andrea Aime for providing a patched BeanUtils library addressing these vulnerabilities.

• Layer security restrictions in CHALLENGE mode were not being correctly applied by embedded GeoWebCache. Thanks to Nick Muerdter for his responsible report of this vulnerability and for submitting a fix (that included a unit test!)

• Carl Schroedl reported a vulnerability at application startup when working with a data directory on a network file system, a new configuration option has been provided to check that the directory exists.  Thanks to Carl for following our responsible disclosure procedure, and to Ben Caradoc-Davies for implementing the new parameter.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

About GeoServer 2.8

• State of GeoServer 2015 (FOSS4G)

• XEE Vunerability (GeoServer)

• Remote Execution Vulnerability (GeoServer)

• Z ordering features within and across feature types and layers (User Manual)

• JAI-Ext, the Open Source replacement for Oracle JAI (GeoSolutions)

• Customizable arrow in GeoServer (GeoSolutions)

• PostGIS Curve Support (GeoSolutions)

• Improved NetCDF/GRIB support in GeoServer (GeoSolutions)

• Initial GeoServer 2.8.0 release announcement  (GeoServer)

The GeoServer team is pleased to announce the release of GeoServer 2.9.1. Download bundles are provided (bin, war, dmg and exe) along with documentation and extensions.

GeoServer 2.9.1 is the latest stable release of GeoServer and is recommended for production deployment. This release is made in conjunction with GeoTools 15.1 and GeoWebCache 1.9.1. Thanks to all contributors. Fixes and new functionality include:

• Fixes for WFS editing failing for geometries in full 3D CRS

• ColorMap variable substitution now working correctly for multiple layers in a GetMap request

• PDF printing fixed to properly render SLD “shape://horline” symbol, prevent invalid polygon generation, out of memory errors, and large file generation.

• Integrated GeoFence DB path is now set correctly in Windows.

• KML placemarks now being set correctly when KMSCORE=0

• Support for rotated pole projection NetCDF and GRIB2 files, including the native GRIB2 file format used by the NOAA Rapid Refresh (RAPv3) weather forecast model

• Support for multivalued xlink:href ClientProperty in app-schema mappings

• Support requiring files to exist for GeoServer startup, to protect against insecure fallback when a data directory on a network share is unavailable

• And much more, see all the tickets resolved in the release notes

This release has been made by Devon Tucker (Boundless) with help and encouragement from the GeoServer community.

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems:

• Although we have not been able to reproduce from GeoServer, a remote execution vulnerability has been reported against both the Restlet  and the Apache Commons BeanUtils libraries we use. We have patched our use of these libraries as a preventative measure. We would like to thank Kevin Smith for doing the bulk of the work, and Andrea Aime for providing a patched BeanUtils library addressing these vulnerabilities.

• Layer security restrictions in CHALLENGE mode were not being correctly applied by embedded GeoWebCache. Thanks to Nick Muerdter for his responsible report of this vulnerability and for submitting a fix (that included a unit test!)

• Carl Schroedl reported a vulnerability at application startup when working with a data directory on a network file system, a new configuration option has been provided to check that the directory exists.  Thanks to Carl for following our responsible disclosure procedure, and to Ben Caradoc-Davies for implementing the new parameter.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

About GeoServer 2.9

Articles, docs, blog posts and presentations:

• Lots of goodies in the original 2.9.0 announcement (GeoServer Blog)

• Results of our Bug Stomp Mini Code Sprint in July (GeoServer blog)

• Internals upgrade to spring-4 for Java 8 compatibility (User Guide)

• GeoServer code sprint success and wicket migration code sprint (GeoServer Blog)

• GeoServer Plugin for QGIS (Boundless)

• Simplify complex feature mappings setup with HALE (GeoSolutions)

• REST management of Resources (User Guide)

Dear Readers,

A few words to report on the results of the Online GeoServer Bug Stomp that took place on the 22nd of July 2016.

The goal, as indicated, was to look at GeoServer and GeoServer JIRA and clean old, useless reports as well as to fix as many bugs as possible within the day of the sprint. Well, the results are not bad, as the image below shows.

Numbers are as follow:

• Improvements closed **103 **(9 fixed - remainder failed to attract budget/interest after quite some time)

• Bugs closed **35 **(25 fixed - followed by 6 won’t fix, 3 cannot reproduce, 1 not a bug )

• New Feature **14 **(2 fixed - with 12 not a bug)

• Task **9 **(2 fixed - with 7 not a bug)

• Wish **2 **(not a bug)

• Subtask 1

• TOTAL 164

You can check the live report here:

• Thanks to everybody who participated (a list of the participating people can be found in this spreadsheet).

• As noted above many new features/improvements/wishes were quite old and had failed to attract budget/volunteers

• The not-a-bug category is used for ideas or conversations which are best taken to the developers or users list for discussion

• Not shown is the review of incoming issues to see which issues are ready to be worked on, or held back for further clarification before they can be reproduced.

If you did not participate this month don’t worry, we are going to have this event again on August 27-28th as part of the foss4g post-sprint. Remember, we want to make this event a periodic gathering so keep following this blog for news.

Happy GeoServer to everybody!

Dear Readers,

a quick post to spread the word about the Online GeoServer Bug Stomp which will take place this Friday, the 22nd of July 2016.

Developers as well as users from the GeoServer community will gather online to spend up to a full day (in their timezone) on tasks like:

• Reviewing JIRA Reports to make sure they are valid

• Fix bugs as we come across them

• Improved docs

• Test and report new bugs or close existing reports

The rules of engagement as well as a first rough list of participants can be found in this document; the event is an online gathering, people will be working from their place coordinating using the GeoServer Gitter channel with whomever will be online in their timezone.

If you feel like helping don’t be scared, jump onboard, read the rules of engagement say hi on the gitter channel (github login required) and help us make GeoServer even better.

If you cannot, don’t worry, we are going to try and make this event a monthly event.

Happy GeoServer to everybody!

The FOSS4G North America (NA) 2016 was held in North Carolina from 02 and 05th May. This year’s FOSS4G NA conference is yet another collaborative effort involving OSGeo and LocationTech. The conference provides opportunities for the FOSS4G community to learn, explore, share, and collaborate on the latest ideas and information.

If you can not attend the event, you can watch the videos of the presentations that were made available on YouTube Channel of FOSS4G NA.

Below is a list of presentations (in video) related to GeoServer:

• Vector Tiles with GeoServer and OpenLayers - David Blasby and Andreas Hocevar (Boundless)

• Bring Your Maps into Focus: Processing Raster Data for Online Use - Megan Slemons and Jay Varner (Emory University Library)

• Uncovering the Ancient Mound Builders Using Open Data and FOSS Software - Calvin Hamilton

• High Performance GeoServer Clusters - Derek Kern (Ubisense, Inc.)

• Image Mosaics & Automation - Jonathan Meyer (Applied Information Sciences)

Some talks were not available in video, but you can download the presentations in PDF format.

• Introduction to GeoServer - Mike Pumphrey and Andreas Hocevar (Boundless)

• GeoSHAPE: FOSS GIS Collaboration Platform with Web & Mobile Clients - Syrus Mesdaghi (Prominent Edge) and Daniel Berry (Boundless)

• Using Open Source Web GIS for Analysis of Transnational Illicit Trafficking - Eunjung Elle Lim (University of Maryland)

• Terra Populus: Free Human-Environment Spatial Data - David Haynes