GeoServer 2.18.7 release is now available with downloads (bin, war, windows), along with docs and extensions.

This series has previously reached end-of-life, with an extra maintenance release being issued to address an urgent security vulnerability. Please apply this upgrade as a mitigation measure only. Upgrade to 2.22.x series for community support.

Thanks to Andrea Aime (GeoSolutions) for making this update available on behalf of GeoSolutions customers.

This release was made in conjunction with GeoTools 24.7.

Security Considerations

This release addresses a security vulnerability and is considered an essential upgrade for production systems:

• CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
• CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)

For more information see OGC Filter Injection Vulnerability Statement.

• GEOT-7302 Escape user inputs in SQL queries
• GEOS-10842 JDBCConfig: escape user inputs in SQL queries
• GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing

Improvements and Fixes

For more information see 2.18.7 release notes.

About GeoServer 2.18

Additional information on GeoServer 2.18 series:

• Jiffle and GeoTools RCE vulnerabilities
• Log4J2 zero day vulnerability assessment
• State of GeoServer 2.18 (slides)

• GeoServer Orientation (slides

  video)

Release Notes ( 2.18.7 | 2.18.6 | 2.18.5 | 2.18.4 | 2.18.3 | 2.18.2 | 2.18.1 | 2.18.0 | 2.18-RC )

GeoServer 2.22.1 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of the GeoServer 2.22.x series, made in conjunction with GeoTools 28.1 and GeoWebCache 1.22.0.

Thanks to Ian Turton (Astun Technology) for making this release.

Bugs

• GEOS-10632 Make sure GetLegendGraphics honors the WMS memory service limits
• GEOS-10704 Task Manager Metadata wrong gs-metadata dependency
• GEOS-10753 GeoServer can create GML output that is not valid XML
• GEOS-10757 CITE: WMS
• GEOS-10770 Support list of audiences (aud) when validating Oauth 2.0 Bearer Tokens
• GEOS-10794 Add a new vector data source (Web Feature Server (NG)) Filter compliance level bug
• GEOS-10807 LayerGroup with nested group POST rest op fails with null styles attribute
• GEOS-10809 Keycloak : add support for usernames with spaces
• GEOS-10813 jdbc config cache bug
• GEOS-10817 Features Templating - XML HTML output doesn’t escape all html and xml symbols
• GEOS-10818 Schemaless Property Accessor returns emptylist instead of null for null/not existing properties
• GEOS-10829 JDBC Config missing some nested layer properties

Improvement

• GEOS-10673 Add example of using FlatGeobuf granules to the Vector Mosaic documentation
• GEOS-10746 STAC Sortables should be a subset of the configured queryables
• GEOS-10755 WCS 2.0 module should not use string concatenation to build XML
• GEOS-10762 Allow enabling auto-escaping for WMS GetFeatureInfo HTML templates
• GEOS-10773 Enable localized MapML responses that use WMS language parameter
• GEOS-10777 Update MapML viewer to latest release
• GEOS-10790 Allow to control map transparency in DownloadMapProcess
• GEOS-10810 Enable internationalized layer label / MapML document title
• GEOS-10814 Update jdbc config to use consistent SQL formatting
• GEOS-10816 OGC API Features complex features test fails since introduction of tag in HTML templates
• GEOS-10827 Document property selection in image mosaic

New Feature

• GEOS-10716 Build schema for simple feature types leveraging column descriptions, when available
• GEOS-10758 OGCAPI - Features - Add storageCrs property for Collections

Task

• GEOS-10775 Update xmlunit to 1.6
• GEOS-10778 Retire GeoStyler community module
• GEOS-10812 Update Jettison to 1.5.3

For complete information see 2.22.1 release notes.

About GeoServer 2.22

Additional information on GeoServer 2.22 series:

• Update Instructions
• Metadata extension
• CSW ISO Metadata extension
• State of GeoServer (FOSS4G Presentation)
• GeoServer Beginner Workshop (FOSS4G Workshop)
• Welcome page (User Guide)

Release notes: ( 2.22.1 | 2.22.0 | 2.22-RC | 2.22-M0 )

GeoServer 2.21.3 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of the GeoServer 2.21.x series, made in conjunction with GeoTools 27.3 and GeoWebCache 1.21.3.

Thanks to Andrea Aime (GeoSolutions) and Jody Garnett (GeoCat) for making this release.

Notables changes

Among the many changes included in this release, we’d like to point out:

• Ability to report PostgreSQL column comments in WFS DescribeFeatureType output (needs a store flag to enable).
• Ability to turn on and off GetFeature output formats, much like the existing WMS controls over GetMap/GetFeatureInfo output formats.
• Fixed concurrent edit of users, roles and data access rules thorough the REST API.
• Fixed database connection leak while editing SQL views in the GUI.

Release notes

Bug:

• GEOS-4727 Editing SQL views seems to be leaking connections

• GEOS-10632 Make sure GetLegendGraphics honors the WMS memory service limits

• GEOS-10667 WFS: inconsistent srsDimension=4 with topp:tasmania_roads layer

• GEOS-10707 GeoFence internal LayerGroup Limit merge inconsistency

• GEOS-10710 Features Templating backward mapping with back xpath (’../my/property/name’) doesn’t work

• GEOS-10714 DefaultGeoServerFacade throws ConcurrentModificationException for workspace settings and services

• GEOS-10729 Concurrent access on data access rules (authorization) can lead to loss of configured catalog mode, and lost rules

• GEOS-10731 GWC variable Parameterization does not work with geoserver-environment.properties due to the bean initialization order

• GEOS-10736 OSEO product creation via REST API fails if the product id starts with a valid ISO date

• GEOS-10737 GeoCSS misses support for labelInFeatureInfo and labelAttributeName vendor options

• GEOS-10741 Remove deprecated YUI usage

• GEOS-10753 GeoServer can create GML output that is not valid XML

• GEOS-10757 CITE: WMS

• GEOS-10809 Keycloak : add support for usernames with spaces

• GEOS-10782 CITE WFS 1.1 - HITS mimetype is incorrect

• GEOS-10783 CITE WFS 1.1 - Check customized feature type to determine if transform wrapper needed

• GEOS-10784 CITE WFS 1.1 - don’t do illegal geometry conversions

• GEOS-10785 CITE WFS 1.1 - Data Dir - allow anonymous users to modify data

Improvement:

• GEOS-10606 Generate html notice and license information for release assemblies

• GEOS-10673 Add example of using FlatGeobuf granules to the Vector Mosaic documentation

• GEOS-10696 Allow configuration of Output Format types allowed in GetFeature

• GEOS-10717 XStreamServiceLoader performance improvement with XstreamPersister caching

• GEOS-10718 [OIDC] the OIDC plugin does not currently take into account the id_token_hint parameter

• GEOS-10735 Obfuscate secret key in S3 Blob Store, avoiding requiring reentry when editing and HTML source visibility

• GEOS-10746 STAC Sortables should be a subset of the configured queryables

• GEOS-10755 WCS 2.0 module should not use string concatenation to build XML

• GEOS-10762 Allow enabling auto-escaping for WMS GetFeatureInfo HTML templates

• GEOS-10773 Enable localized MapML responses that use WMS language parameter

• GEOS-10777 Update MapML viewer to latest release

• GEOS-10790 Allow to control map transparency in DownloadMapProcess

• GEOS-10810 Enable internationalized layer label / MapML document title

New Feature:

• GEOS-10716 Build schema for simple feature types leveraging column descriptions, when available

• GEOS-10734 SpatialJSON WFS output format community module

• GEOS-10758 OGCAPI - Features - Add storageCrs property for Collections

Task:

• GEOS-10721 Bump jettison from 1.4.1 to 1.5.1

• GEOS-10775 Update xmlunit to 1.6

See also the 2.21.3 release notes.

About GeoServer 2.21

Additional information on GeoServer 2.21 series:

• Feature Type Customization
• Add Styles support to LayerGroup
• Log4j1 update or replace activity

Release notes: ( 2.21.3 | 2.21.2 | 2.21.1 | 2.21.0 | 2.21-RC )

GeoServer 2.22.0 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of the GeoServer 2.22.x series, made in conjunction with GeoTools 28.0 and GeoWebCache 1.22.0.

All major new features have been described in the Release Candidate (RC) Blog post.

Thanks to Martha Nagginda (GeoSolutions) and Andrea Aime (GeoSolutions) for making this release.

We would like to thank everyone who helped test the release candidate: Russell Grew, Georg Weickelt, Jukka Rahkonen, David Blasby, Graham Humphries, and everyone too shy to email the public list.

Natural Earth GeoPackage and workspace

The sample data directory now includes a small geopackage generated from Natural Earth data. These layers are good examples with multiple styles, and include complete descriptions from the Natural Earth project.

Thanks to Jody Garnett (GeoCat), David Blasby (GeoCat), and the attendees of the FOSS4G GeoServer Beginner Workshop.

User Manual Getting Started updated

The user manual has been revised. Changes include:

• Getting started has been updated and includes with new sections for GeoPackage, image, layer group and style.

• Tutorials now provides an index of all tutorials across the user manual

Thanks to Jody Garnett (GeoCat) and the attendees of the FOSS4G GeoServer Beginner Workshop.

Welcome Page Updates

Layout

The welcome page description provides a summary of the workspaces and layers available to the current user.

The header includes a welcome message and a link to the organization providing the service.

Each web service is listed using the service title as a heading, followed by the service abstract as a description. The protocols provided by the service are displayed as blocks linking to the web service URL. These are the URLs used to access the service in a desktop or web application.

The services shown are based on the permissions of the current user. As an example when logged in as an Administrator the REST API service is shown with a link to the API endpoint.

For more information on the welcome page and an example of how to use service URLs in QGIS visit the user manual Welcome reference page.

Workspace and Layer Selection

Use the top-right corner of the welcome page to:

• Select workspace to browse workspace web services
• Select layer and layergroup for layer specific web services

You can book mark or share this page (which is great for providing a team or project with its own distinct web services and landing page).

For more information on this functionality see workspace web services and layer web services in the user manual.

Using a workspace virtual web service is great if you are setting up a GIS project, supporting a web application, or providing GIS services for a team. This is especially true as it is straight forward to manage security on a workspace basis.

Using a layer virtual web service is great when registering a layer with a catalogue service such as GeoNetwork. It provides a web service that can only be used to access a single layer.

For the technical background on this feature see Virtual web services in the user manual. This functionality has been present in GeoServer for a long time; but because it required hand editing URLs many users were not aware of capability.

Contact Information and Service Metadata

Contact information now includes a welcome message to be used as introduction on the welcome page for the global services. Editing the contact details for a workspace will override this introduction for visitors viewing the workspace services.

To customize the welcome page header introduction the welcome field is used. To append a welcome page header For more information visit link both organization and online resource are required.

To customize the welcome page footer Contact administrator link contact information for email address is required. If this information is not provided the sentence inviting visitors to contact the administrator will not be shown in the footer.

To customize the service heading and description shown vist a service configuration page. Edit the service title and abstract and the change will be reflected on the welcome page (and in the GetCapabilities document shared with web clients). Disabled services are not available and not listed.

Disabling global services prevents any services from being accessable or listed on the initial welcome page.

All these fields, including the email address, make use of GeoServer internationalization allowing the welcome page to be customized for all your visitors.

For background information visit GSIP-202. Thanks to Jody Garnett and the GeoCat Live product for these improvements.

Startup logging messages

GeoServer performs some initial setup when setting up a data directory for the first time:

• The built-in logging profiles are unpacked into logs/ folder
• The security/ folder is setup

In the past this initialization produced some warnings (when checking for files that were not yet created). These warnings were misleading giving the impression that GeoServer was installed incorrectly.

Please note that startup logs now use the CONFIG log level during startup one level lower thatn INFO. This change allows logging profiles to filter out the startup process while still retaining information messages on service operation and use.

Logging profile date formatting updates

The built-in logging profiles have been updated as the date was being incorrectly logged:

• If you have hand edited any of the built-in logging profiles you can fix the data format manually. Locate appender PatternLayout entries and correct the date formatting to %date{dd MMM HH:mm:ss}.

• If you have not modified any of the built-in logging profiles a quick way to update is to remove them from your GEOSERVER_DATA_DIRECTORY logs folder.

  The built-in logging profiles will be restored next time you change profiles or when the application starts up.

• If you never plan to customize the built-in loggig profiles use the system property UPDATE_BUILT_IN_LOGGING_PROFILES=true. This setting will cause GeoServer to update the files when changing profiles or on application startup.

  This setting only affects the built-in logging profiles; any new logging profiles that you have made manually are unaffected.

For more information see the user guide on built-in logging profiles.

Style format

The styles list provides a Format column indicating the format used.

Thanks to Mohammad Mohiuddin Ahmed for this change.

CSW ISO and Metadata extension

To support the use of the CSW module the Metadata extension provides a tab for editing metadata as part of layer configuration. It also provides a REST API for bulk metadata activities including importing from GeoNetwork.

The CSW ISO Metadata profile is now available as an extension.

For background information see GSIP-211.

Thanks to Niels for for this work.

Significant improvements in raster rendering performance

Raster rendering performance has increased significantly for two specific use cases:

• GeoTIFF hyperspectral images, with hundreds of bands, and band interleaved structure
• Mosaicking hundreds of small images

Hyperspectral sensors collect information at a very high spectral resolution, producing images with hundreds of bands. The typical pixel interleaved layout, where all the bands of a single pixel are stored together, is particularly inefficient while rendering a false color image, where only three of them are used. A band interleaved, where each band is stored in a separate bank, is more efficient. GeoServer previously loaded band interleaved images in an inefficient way, but that has been handled, improving both memory usage and rendering performance, in proportion to the number of bands found in the GeoTIFF. For the typical hyperspectral image, that implies an improvement of a couple of orders of magnitude.

The second use case involves mosaicking hundreds of images, under the notion that each one has a significant number of overviews. Showing the entire mosaick involves opening all these files, fetching the smallest overview, and mosaicking the result: the process used to be slow and very memory intensive (going with the square of the output image size). The implementation has been improved so that the memory used in now linear with the output image size, and the amount of processing has been reduced as well, providing again a couple of orders or magnitude speed up when mosaicking several hundreds small images.

Thanks to Andrea Aime (GeoSolutions) for these improvements.

Translation updates

Alexandre has successfully experimented with setting up a Transfex GeoServer GitHub Integration synchronization.

Priority has been given to translating the new welcome page functionality, shown here translation into Dutch by Sander.

Carsten Klein started an effort to make the german translation more consistant, settling on terms like Gruppenlayer when updating the user interface.

Thanks to Alexandre Gacon, Carsten Klein, Marc Jansen, Sander Schaminee, and everyone who helped work on translations for the new functionality.

• GEOS-10750 German Translation Overhaul Part 1

YSLD SLD Properties

The YSLD style format is focused on defining a feature type style (generating the sld and named layer wrapper since they are not used when drawing a single layer). This update allows the sld and named layer wrappers to be configured.

sld-title: Civic Information
layer-name: poi
title: Point of Interest
rules:
- title: Locations
  symbolizers:
  - point:
      symbols:
      - mark:
          shape: x
          fill-color: '#0099cc'
          stroke-color: 'black'
          stroke-width: 0.5

In the above example layer-name is used by GeoServer’s dynamic styling to identify the layer to draw.

Thanks to Steve Ikeoka for this improvement.

• GEOT-7210 YSLD styles does not parse/encode layer name

Community modules news

News about community modules improvements, and new community modules you’ll find in the 2.22.x series.

A reminder that GeoServer community modules are still being worked on and are not directly available for download. If you are interested in these topics please support their completion directly by compiling the source code and contributing; or financially by sponsoring or contracting the development team working on the activity.

COG reader support for Azure

The COG reader community module now supports COGs stored in Azure as well. The location of the COG can be provided as a HTTP(s) link, while eventual access credentials should be provided as system properties:

To support this activity contact Daniele (GeoSolutions).

STAC datastore and mosaicking

A new community module, STAC datastore, supports connecting to a STAC catalog implementing the STAC API, and serve collections as vector layers, and items as features in said layers, with full filtering and time dimension support, if the server implements a CQL2 search.

The store can also be used as an index for an image mosaic, if the STAC API assets points to accessible Cloud Optimized GeoTIFFs.

To support this activity contact Andrea (GeoSolutions).

Vector mosaicking datastore

The vector mosaic datastore allows indexing many smaller vector stores (e.g., shapefiles, FlatGeoBuf) and serving them as a single, seamless data source.

An index table is used to organize them, know their location on the file system (or blob storage) and their footprint, along with eventual variables that can be used for quick filtering (e.g., time, collecting organization, and so on).

This can have some advantages compared to the typical database storage:

• Cheaper, when dealing with very large amounts of data in the cloud, as blob storage costs a fraction of an equivalent database.
• Faster for specific use cases, e.g, when extracting a single file and rendering it fully is the typical use case (e.g. tractor tracks in a precision farming application). This happens because the file splitting de-facto imposes and efficient data partitioning, and shapefile access excels at returning the whole set of features (as opposed to a subset).

To support this activity contact Andrea (GeoSolutions).

Improvements and Fixes

Improvement

• GEOS-10717 XStreamServiceLoader performance improvement with XstreamPersister caching

• GEOS-10718 [OIDC] the OIDC plugin does not currently take into account the id_token_hint parameter

• GEOS-10735 Obfuscate secret key in S3 Blob Store, avoiding requiring reentry when editing and HTML source visibility

• GEOS-10739 Contact information user interface feedback for welcome message

• GEOS-10740 Service enabled does not respect minimal/custom service names

New Feature

• GEOS-10734 SpatialJSON WFS output format community module

Task

• GEOS-10721 Bump jettison from 1.4.1 to 1.5.1

Bug

• GEOS-4727 Editing SQL views seems to be leaking connections

• GEOS-10667 WFS: inconsistent srsDimension=4 with topp:tasmania_roads layer

• GEOS-10707 GeoFence internal LayerGroup Limit merge inconsistency

• GEOS-10709 Schemaless Features - Simplified property access might return values for wrong property names

• GEOS-10710 Features Templating backward mapping with back xpath (’../my/property/name’) doesn’t work

• GEOS-10714 DefaultGeoServerFacade throws ConcurrentModificationException for workspace settings and services

• GEOS-10729 Concurrent access on data access rules (authorization) can lead to loss of configured catalog mode, and lost rules

• GEOS-10731 GWC variable Parameterization does not work with geoserver-environment.properties due to the bean initialization order

• GEOS-10736 OSEO product creation via REST API fails if the product id starts with a valid ISO date

• GEOS-10737 GeoCSS misses support for labelInFeatureInfo and labelAttributeName vendor options

• GEOS-10741 Remove deprecated YUI usage

For complete information see 2.22.0 release notes.

About GeoServer 2.22

Additional information on GeoServer 2.22 series:

• Update Instructions
• Metadata extension
• CSW ISO Metadata extension
• State of GeoServer (FOSS4G Presentation)
• GeoServer Beginner Workshop (FOSS4G Workshop)
• Welcome page (User Guide)

Release notes: ( 2.22.0 | 2.22-RC | 2.22-M0 )

GeoServer 2.21.2 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of the GeoServer 2.21.x series, made in conjunction with GeoTools 27.2 and GeoWebCache 1.21.2.

Thanks to Jody Garnett (GeoCat) for making this release.

Security Considerations

This release includes a security enhancement and is a recommended upgrade for production systems.

• GEOS-10458 XSS vulnerability in the email address field
• Upgrade to org.apache.commons:commons-text 1.10.0 to avoid any risk from CVE-2022-42889. Although automated tools flagged this dependency GeoServer uses the library for capitalization and is not exposed to variable interpretation risk described.

REST API Cache Reset

For everyone who enjoys automating GeoServer a really useful feature. For the longest time GeoServer has had a REST API endpoint for resetting and reloading the Catalogue.

This change allows a reset of the information cached for:

• [POST] /workspaces/<ws>/datastores/<cs>/reset

• [POST] /workspaces/<ws>/datastores/<ds>/featuretypes/<ft>/reset

  Resetting a featuretype will not overwrite any attribute selection / renaming / type conversion as this has been supplied by hand and not generated (That kind of information can be updated via REST API explicit PUT on the feature type resource.)

• [POST] /workspaces/<ws>/coveragestores/<cs>/reset
• [POST] /workspaces/<ws>/coveragestores/<cs>/coverages/<c>/reset

Consult the REST API reference for coveragestores / coverages, and datastores / featuretypes for detailed usage information.

Thanks to Andrea (GeoSolutions) for proposing and implementing this improvement. See proposal GSIP-214 - Selective reset of ResourcePool caches for background information.

• GEOS-10610 Selective cache reset on stores and resources, via REST API

Logging profile date formatting updates

The built-in logging profiles have been updated as the date was being incorrectly logged:

• If you have hand edited any of the built-in logging profiles you can fix the data format manually. Locate appender PatternLayout entries and correct the date formatting to %date{dd MMM HH:mm:ss}.

• If you have not modified any of the built-in logging profiles a quick way to update is to remove them from your GEOSERVER_DATA_DIRECTORY logs folder.

  The built-in logging profiles will be restored next time you change profiles or when the application starts up.

• If you never plan to customize the built-in logging profiles use the system property UPDATE_BUILT_IN_LOGGING_PROFILES=true. This setting will cause GeoServer to update the files when changing profiles or on application startup.

  This setting only affects the built-in logging profiles; any new logging profiles that you have made manually are unaffected.

For more information see the user guide on built-in logging profiles.

• GEOS-10701 Logging profiles timestamp reports minutes where it should report months

• GEOS-10700 Impossible to customize built-in logging profiles: GeoServer will rewrite them on startup

Improvements and Fixes

Improvements:

• GEOS-10677 Improve cleanup of multi part form upload to the dispatcher

• GEOS-10676 Support uploading .bmp and .gif images as SLD Package icons through restconfig

• GEOS-10644 Keycloak - Improvements to Role Service

• GEOS-10639 Keycloak Filter - Allow to use a button to reach keycloak login page

• GEOS-10637 Keycloak filter configurability improvements

• GEOS-10625 GeoFence: improve filtering by role

• GEOS-10620 Update oshi to 6.2.2 to support Apple M2 CPU

• GEOS-10606 Generate html notice and license information for release assemblies

Fixes:

• GEOS-10711 ConcurrentModificationException can happen while modifying data access rules with concurrent WMS traffic

• GEOS-10699 WCS 2.0 latitude subsetting may fail if the source data has longitudes spanning both datelines

• GEOS-10671 Parallel REST API calls failures (users)

• GEOS-10649 Concurrent modification to GWC style parameter filter can lead to OOM

• GEOS-10636 Proxied Login is broken after upgrade to 2.22-M0 and 2.21.1

• GEOS-10635 GeoFence: area reprojection tests are failing

• GEOS-10631 AccessManager will not be looked up if multiple beans are of type DefaultResourceAccessManager

• GEOS-10628 GWC Environment parameterization does not work on geoserver startup

• GEOS-10607 Links disappearing for the Admin user

• GEOS-10547 Integrated WMS caching without the tiled parameter might result in deep recursion

• GEOS-10507 GeoFence Internal - Support Batch operations for Rules and AdminRules

For complete information see 2.21.2 release notes.

About GeoServer 2.21

Additional information on GeoServer 2.21 series:

• Feature Type Customization
• Add Styles support to LayerGroup
• Log4j1 update or replace activity

Release notes: ( 2.21.2 | 2.21.1 | 2.21.0 | 2.21-RC )