This series had already reached end-of-life; this extra maintenance release has been issued to address an urgent security vulnerability. Please apply this upgrade as a mitigation measure only, and upgrade to the 2.22.x series for community support.
Thanks to Andrea Aime (GeoSolutions) for making this update available on behalf of GeoSolutions customers.
This release was made in conjunction with GeoTools 25.7.
This release addresses a security vulnerability and is considered an essential upgrade for production systems:
- CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
- CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
For more information see the OGC Filter Injection Vulnerability Statement.
- GEOT-7302 Escape user inputs in SQL queries
- GEOS-10842 JDBCConfig: escape user inputs in SQL queries
- GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing
Improvements and Fixes
For more information see the 2.19.7 release notes.
About GeoServer 2.19
Additional information on the GeoServer 2.19 series:
- Jiffle and GeoTools RCE vulnerabilities
- Log4J2 zero day vulnerability assessment
- WMS GetFeatureInfo includes labels from ColorMap
- Promote WMTS multidim to extension
- Promote WPS-Download to extension
- Promote params-extractor to extension
- Promote GWC-S3 to extension
- Promote WPS-JDBC to extension status
- Promote MapML to extension status
- GeoServer repository transition to main branch