GeoServer Blog

GeoServer 2.23-RC1 Release

Mar 14, 2023 • Gabriel Roldan

GeoServer 2.23-RC1 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a release candidate intended for public review and feedback, made in conjunction with GeoTools 29-RC1 and GeoWebCache 1.23-RC1.

Thanks to Gabriel Roldan (Camptocamp), Jody Garnett (GeoCat), and Andrea Aime (Geosolutions) for making this release candidate.

Release candidate public testing and feedback

Testing and providing feedback on releases is part of the open-source social contract. The development team (and their employers and customers) are responsible for sharing this great technology with you.

The collaborative part of open-source happens now - we ask you to test this release candidate in your environment and with your data. Try out the new features, double check if the documentation makes sense, and most importantly let us know!

If you spot something that is incorrect or not working do not assume it is obvious and we will notice. We request and depend on your email and bug reports at this time. If you are working with commercial support your provider is expected to participate on your behalf.

Keeping GeoServer sustainable requires a long term community commitment. If you are unable to contribute time, sponsorship options are available via OSGeo.

Java 11 Minimum

With this release GeoServer no longer supports Java 8, and it is time to upgrade to Java 11 at a minimum. Our build system tests GeoServer in with Java 11 and Java 17 which are both long-term-support OpenJDK releases.

JVM 11 Minimum

If you try starting this version of GeoServer with Java 8 it will produce the following failure:

java.lang.UnsupportedClassVersionError: org/geoserver/GeoserverInitStartupListener
has been compiled by a more recent version of the Java Runtime (class file version 55.0),
this version of the Java Runtime only recognizes class file versions up to 52.0

For more information please see our User Manual Installation (User Manual) and Java Considerations (User Manual) pages.

CSS Cleanup

The first big internal change for this release of GeoServer is a cleanup of the theme used for the GeoServer web administration application. Previously the pages had lots of little styling adjustments to try and get components to line up correctly and appear okay.

With this update all of the handmade styling changes have been removed, and everything is managed by the “geoserver.css” theme.

Thanks to Michel Gabriël (GeoCat) who started this work at the Bolsena code-sprint as a labour of love (well frustration).

Spring Upgrade

The second internal change for this release of GeoServer in an upgrade to the Spring Framework used to wire the internals of GeoServer together.

While this should not result in any change to functionality, it has resulted in quite a lot of carefult quality assurance and testing to ensure everything is still connected and works as intended.

Your “it works” feedback during the release-candidate testing cycle is valuable and will make Joseph Miller (GeoSolution) who worked on this activity feel good.

  • GEOS-10779 Upgrade GeoServer Core Spring to 5.3.23 and Spring Security to 5.7.3

Windows installer Java 11 Update

We are especially interested in feedback on the Java 11 minium transition for those using the Windows Installer (none of our core development team is in position to test so we are depending on you).

The installer will correctly detect the Adoptium JRE 11:

Oracle JDK 17 Manual

Early feedback indicates it is unable to detect Oracle JDK 17; but you can use Browse to manually select this JDK:

Oracle JDK 17 Manual

Thanks to Juan Luis Rodríguez (GeoCat) for troubleshooting the windows installer for this release.

  • GEOS-10890 Wrong path for the license file in the Windows installer script

Feature Type Description

A welcome new feature, building on top of the ability to customize FeatureTypes is the ability to provide a description for each attribute. This information is used in WFS DescribeFeatureType to provide a human readable name or description for the attributes being published.

Attribute Descriptions

  • GEOS-10868 Add support for editable description in GeoServer customize feature type table

OGC CITE Fixes

The traditional OGC Open Web Services have not had automated CITE tests run for a while, but a few fixes have been made to restore CITE compliance:

  • GEOS-10787 CITE WCS 1.1.1 - Throw exception on bad ‘store’ parameter

  • GEOS-10788 CITE WCS 1.1.1 - Empty InterpolationMethod should throw exception

  • GEOS-10757 CITE: WMS <Style> has elements in wrong order (DTD validation)

  • GEOS-10782 CITE WFS 1.1 - HITS mimetype is incorrect

  • GEOS-10783 CITE WFS 1.1 - Check customized feature type to determine if transform wrapper needed

  • GEOS-10784 CITE WFS 1.1 - don’t do illegal geometry conversions

  • GEOS-10785 CITE WFS 1.1 - Data Dir - allow anonymous users to modify data

Thanks to David Blasby (GeoCat) for this work on behalf of the GeoCat Live Project. David address several errors in the CITE testing for these services while addressing the above issues for the GeoServer community.

A number of CITE conformance issues remain open, notably the handling of acceptsVersions with a mix of older protocols (such as WFS 2.0, WFS 1.1 and WFS 1.0). If you are interested in funding or sponsoring this activity please visit our sponsorship page.

Community Updates

The following community module has been retired:

  • GEOS-10778 Retire GeoStyler community module

    The plugin is now maintained outside of the GeoServer repository at https://github.com/geostyler .

Security community modules

With the upgrade to Spring Security to 5.7.3 mentioned above, now is a good time for any teams working with community security modules to perform integration testing.

A reminder that these modules are in need of your support to be recognized as an extension (and be included in our automated testing). Contact the appropriate module maintainer (Alessio or David) to see how you can assist.

OGCAPI community module Updates

The OGCAPI community module remains under active development:

  • GEOS-10758 OGCAPI - Features - Add storageCrs property for Collections

  • GEOS-10888 OGC API styles OpenAPI document points to dangling remote resources

  • GEOS-10854 Move the OGC API OpenAPI definitions to the “openapi” resource

  • GEOS-10855 Update the new OGC APIs so that the major version number is part of the path

  • GEOS-10881 Add Content-Crs header to OGC API

  • GEOS-10885 Remove Axis Order from OGC API Header

Andrea (GeoSolutions) has been working towards CITE compliance on behalf of Geonovum.

OGC API Features

OGC API Features

As a community module GeoServer OGC API is made available to developers for collaboration, and can also be accessed as a nightly build for feedback. If you are in a position to support this activity with time, money or resources please contact Andrea.

OGC API Features

Improvements and Fixes

New Feature:

  • GEOS-10696 Allow configuration of Output Format types allowed in GetFeature

Improvement:

  • GEOS-10735 Obfuscate secret key in S3 Blob Store, avoiding requiring reentry when editing and HTML source visibility

  • GEOS-10739 Contact information user interface feedback for welcome message

  • GEOS-10740 Service enabled does not respect minimal/custom service names

  • GEOS-10750 German Translation Overhaul Part 1

  • GEOS-10755 WCS 2.0 module should not use string concatenation to build XML

  • GEOS-10762 Allow enabling auto-escaping for WMS GetFeatureInfo HTML templates

  • GEOS-10814 Update jdbc config to use consistent SQL formatting

  • GEOS-10879 Dispatcher should not respond to non standard HTTP methods

Tasks:

  • GEOS-10798 Sphinx site http://sphinx.pocoo.org/ is outdate

For the complete list see 2.23-RC1 release notes.

About GeoServer 2.23 Series

Additional information on GeoServer 2.23 series:

Release notes: ( 2.23-RC1 )

Read More

OGC Filter Injection Vulnerability Statement

Feb 20, 2023 • Jody Garnett

A vulnerability has located in the GeoTools Library that allows SQL Injection using OGC Filter and Function expressions.

If you wish to report a security vulnerability, see instructions on responsible reporting. We also welcome your direct financial support.

Assessment

SQL Injection Vulnerabilities have been found with:

  • PropertyIsLike filter, when used with a String field and any relational database based Store, or with a PostGIS DataStore with encode functions enabled, or with any image mosaic with an index stored in a relational database.
  • strEndsWith function, when used with a PostGIS DataStore with encode functions enabled
  • strStartsWith function, when used with a PostGIS DataStore with encode functions enabled
  • FeatureId filter, when used with any database table having a String primary key column and when prepared statements are disabled
  • jsonArrayContains function, when used with a String or JSON field and with a PostGIS or Oracle DataStore (GeoServer 2.22.0+ only)
  • DWithin filter, when used with an Oracle DataStore

Mitigation

We recommend upgrading. The following list of mitigations is addressing some of the issues (e.g., the PropertyIsLike issue has no mitigation for tables with a string field):

  1. Disabling the PostGIS Datastore encode functions setting to mitigate strEndsWith, strStartsWith (will cause severe slowdowns in parts of the WMTS multidimensional plugin functionality, if in use).
  2. Enabling the PostGIS DataStore preparedStatements setting to mitigate the FeatureId vulnerability.
  3. No mitigation is available for PropertyIsLike filter, you may choose to disable database DataStores until you are able to upgrade.
  4. No mitigation is available for DWithin with Oracle DataStore, you may choose to disable Oracle DataStores until you are able to upgrade.
  5. As a good practice to limit the attack surface, it’s important to give the database account used for connection pools the minimum required level of privileges (e.g., read-only unless WFS-T/importer/REST granule harvesting are used, access limited only to the schemas and tables needed for production usage)

Resolution

Issues:

Patched releases:

If you wish to volunteer to backport these fixes to other GeoServer series and make a release co-ordinate on the developers list. If you are not in a position to collaborate reach out to a commercial support provider to act on your behalf.

Thanks to Steve Ikeoka for responsibly reporting and fixing these issues. Thanks to Jody Garnett (GeoCat) for the stable and maintenance releases. Thanks to Andrea Aime (GeoSolutions) for back porting this fix to versions of GeoTools and GeoServer that are otherwise no longer receiving releases.

Read More

GeoServer 2.22.2 Release

Feb 20, 2023 • Jody Garnett

GeoServer 2.22.2 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of the GeoServer 2.22.x series, made in conjunction with GeoTools 28.2 and GeoWebCache 1.22.1.

This release was scheduled early to address a security vulnerability. Thanks to Jody Garnett for making this release on behalf of GeoCat Live.

Security Considerations

This release addresses a security vulnerability and is considered an essential upgrade for production systems:

For more information see OGC Filter Injection Vulnerability Statement.

Natural Earth 50m Sample Data

The Natural Earth ne workspace has been improved with 1:50m sample data offering the following:

  • improved detail
  • country labels in multiple languages
  • disputed regions

World 50m Update

The countries.sld style includes the following:

<sld:TextSymbolizer>
  <sld:Label>
    <ogc:Function name="Recode">
      <ogc:Function name="language"/>
      <ogc:Literal/>
      <ogc:PropertyName>NAME</ogc:PropertyName>
      <ogc:Literal>en</ogc:Literal>
      <ogc:PropertyName>NAME</ogc:PropertyName>
      <ogc:Literal>it</ogc:Literal>
      <ogc:PropertyName>NAME_IT</ogc:PropertyName>
      <ogc:Literal>fr</ogc:Literal>
      <ogc:PropertyName>NAME_FR</ogc:PropertyName>
    </ogc:Function>
  </sld:Label>

To try this out in French append &LANGUAGE=fr to any GetMap request, including Layer Preview.

World 50m French

These styles also now validate. Thanks to Jody Garnett (GeoCat) for this work.

  • GEOS-10624 Data directory and documentation update
  • GEOS-10836 The demo styles in “ne” workspace do not validate

Welcome Page Performance Improvements

The welcome page loading is now limited to a short amount of time to retrieve the list of workspaces and layers to select from. For large catalogues, with lots of security restrictions, that are unable to respond in this time, a simple text field is provided.

Welcome Dropdown Selection

To force the use of a simple text field the property GeoServerHomePage.selectionMode=TEXT can be used. Use DROPDOWN to force a selection control to be used, or AUTOMATIC to determine the behaviour based on catalogue performance as described above.

The default time out GeoServerHomePage.selectionTimeout=5000 for interaction can be adjusted if you would like to provide the catalogue more time to respond.

By default GeoServerHomePage.selectionMaxItems=1000 workspaces or layers can be loaded. This number may be limited further if you find browser performance is affected.

Thanks to Andrea (GeoSolutions) for these performance improvements, and Jody Garnett for a number of smaller fixes.

  • GEOS-10833 GeoServerHomePage unresponsive against large catalogs

  • GEOS-10759 Welcome page unreachable with large / slow catalogue configuration

  • GEOS-10838 Speed up DefaultResourceAccessManager securityFilter implementation

  • GEOS-10834 Catalog.list might require a lot of time due to security filtering

  • GEOS-10847 Selecting a raster layer in home page shows incorrect services

  • GEOS-10861 Welcome blurb i18n not respecting language switch

Community Modules

OGC API updates:

  • GEOS-10860 OGC API should return version including minor and patch in HTTP Response Header

  • GEOS-10828 OGC API - Features - Plugin breaks core `/rest` API with JSON payloads

The JDBC Config module received several important fixes:

  • GEOS-10814 Update jdbc config to use consistent SQL formatting

  • GEOS-10813 jdbc config cache bug

  • GEOS-10829 JDBC Config missing some nested layer properties

  • GEOS-10842 Escape user inputs in SQL queries

Release notes

Improvement:

  • GEOS-10851 GWC S3 Blobstore Parameters Get Converted back to plain text after an application restart

Bug:

  • GEOS-7506 shutdown.bat cannot run without JAVA_HOME set

  • GEOS-10689 OSHISystemInfoCollector holds non daemon threads, prevents clean shutdown of Tomcat

  • GEOS-10846 Enable auto-escaping for REST HTML templates

Task:

  • GEOS-10683 FileWrapperResourceTheoryTest fails on Windows since Java 11

  • GEOS-10848 Column remarks documentation should be updated to reflect that functionality is supported with JNDI

For complete information see 2.22.2 release notes.

About GeoServer 2.22

Additional information on GeoServer 2.22 series:

Release notes: ( 2.22.2 | 2.22.1 | 2.22.0 | 2.22-RC | 2.22-M0 )

Read More

GeoServer 2.21.4 Release

Feb 20, 2023 • Jody Garnett

GeoServer 2.21.4 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of the GeoServer 2.21.x series, made in conjunction with GeoTools 27.4 and GeoWebCache 1.21.4.

Thanks to Jody Garnett (GeoCat) for making this release.

Security Considerations

This release addresses a security vulnerability and is considered an essential upgrade for production systems:

For more information see OGC Filter Injection Vulnerability Statement.

Community Modules

The JDBC Config module received several important fixes:

  • GEOS-10814 Update jdbc config to use consistent SQL formatting

  • GEOS-10813 jdbc config cache bug

  • GEOS-10829 JDBC Config missing some nested layer properties

  • GEOS-10842 JDBCConfig: escape user inputs in SQL queries

Release notes

Bug:

  • GEOS-7506 shutdown.bat cannot run without JAVA_HOME set

  • GEOS-10683 FileWrapperResourceTheoryTest fails on Windows since Java 11

  • GEOS-10689 OSHISystemInfoCollector holds non daemon threads, prevents clean shutdown of Tomcat

  • GEOS-10807 LayerGroup with nested group POST rest op fails with null styles attribute

  • GEOS-10817 Features Templating - XML HTML output doesn’t escape all html and xml symbols

  • GEOS-10818 Schemaless Property Accessor returns emptylist instead of null for null/not existing properties

  • GEOS-10846 Enable auto-escaping for REST HTML templates

Improvement:

  • GEOS-10816 OGC API Features complex features test fails since introduction of tag in HTML templates

  • GEOS-10848 Column remarks documentation should be updated to reflect that functionality is supported with JNDI

  • GEOS-10851 GWC S3 Blobstore Parameters Get Converted back to plain text after an application restart

For complete information see 2.21.4 release notes.

About GeoServer 2.21

Additional information on GeoServer 2.21 series:

Release notes: ( 2.21.4 | 2.21.3 | 2.21.2 | 2.21.1 | 2.21.0 | 2.21-RC )

Read More

GeoServer 2.20.7 Released

Feb 20, 2023 • Andrea Aime

GeoServer 2.20.7 release is available with downloads (bin, war, windows), along with docs and extensions.

This series has previously reached end-of-life, with a release being issued to address an urdent security vulnerability. Please apply this upgrade as a mitigation measure only. Upgrade to 2.22.x series for community support.

Thanks to Andrea Aime (GeoSolutions) for making this update available on behalf of the GeoNode project.

This release was made in conjunction with GeoTools 26.7.

Security Considerations

This release addresses a security vulnerability and is considered an essential upgrade for production systems:

For more information see OGC Filter Injection Vulnerability Statement.

Improvements and Fixes

For the full list of fixes and improvements, see 2.20.7 release notes.

About GeoServer 2.20

Additional information on GeoServer 2.20 series:

Release notes: ( 2.20.7 | 2.20.6 | 2.20.5 | 2.20.4 | 2.20.3 | 2.20.2 | 2.20.1 | 2.20.0 | 2.20-RC )

Read More

 Announcements

 Tutorials

 Vulnerability

 Behind The Scenes

 Developer notes