This is an extra maintenance release of the 2.18.x series recommended for production systems that have not yet upgraded to 2.19. This release was made in conjunction with GeoTools 24.6.
Thanks to everyone who contributed, and to Andrea Aime (GeoSolutions) and Jody Garnett (GeoCat) for making this release.
This release includes security enhancements and is a recommended upgrade for production systems.
This release includes two improvements addressing Jiffle and GeoTools RCE vulnerabilities:
This release also includes:
GEOS-10445 Upgrade Spring Framework from 5.1.20.RELEASE to 5.2.20.RELEASE
Although the GeoServer assessment did not identify any issue, we have now updated the Spring Framework library.
Improvements and Fixes
- GEOS-10437 Breaking SLD 1.1 style by REST upload
- GEOS-10249 GWC produce NPE when it comes to race condition
- GEOS-10215 Layers nested inside a group maintain their prefix even in workspace specific services
- GEOS-10213 WMS requests fail on LayerGroup default style names, when used in GetMap/GetFeatureInfo/GetLegendGraphics
- GEOS-10200 GetLegendGraphic can fail if SCALE removes all rules
- GEOS-10321 WCS 2.0 might fail to return coverages whose native BBOX goes slightly outside of the dateline
- GEOS-10194 Improve importer LOGGING
- GEOS-10335 Update GeoServer to a log4j version that does not support RCEs
For more information see 2.18.6 release notes.
About GeoServer 2.18
Additional information on GeoServer 2.18 series:
- Jiffle and GeoTools RCE vulnerabilities
- Log4J2 zero day vulnerability assessment
- State of GeoServer 2.18 (slides)
- GeoServer Orientation (slides video)