The GeoServer 2.21.4 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of the GeoServer 2.21.x series, made in conjunction with GeoTools 27.4 and GeoWebCache 1.21.4.

Thanks to Jody Garnett (GeoCat) for making this release.

Security Considerations

This release addresses a security vulnerability and is considered an essential upgrade for production systems.

For more information see OGC Filter Injection Vulnerability Statement.

2024-06-30 Update: The following mitigation has been provided:

  • CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)

    geoserver-2.21.4-patches.zip (replacing gt-app-schema, gt-complex and gt-xsd-core jars) has been provided by Andrea (GeoSolutions)

See project security policy for more information on how security vulnerabilities are managed.

Community Modules

The JDBC Config module received several important fixes:

  • GEOS-10814 Update jdbc config to use consistent SQL formatting

  • GEOS-10813 jdbc config cache bug

  • GEOS-10829 JDBC Config missing some nested layer properties

  • GEOS-10842 JDBCConfig: escape user inputs in SQL queries

Release notes

Bug:

  • GEOS-7506 shutdown.bat cannot run without JAVA_HOME set

  • GEOS-10683 FileWrapperResourceTheoryTest fails on Windows since Java 11

  • GEOS-10689 OSHISystemInfoCollector holds non daemon threads, prevents clean shutdown of Tomcat

  • GEOS-10807 LayerGroup with nested group POST rest op fails with null styles attribute

  • GEOS-10817 Features Templating - XML HTML output doesn’t escape all html and xml symbols

  • GEOS-10818 Schemaless Property Accessor returns emptylist instead of null for null/not existing properties

  • GEOS-10846 Enable auto-escaping for REST HTML templates

Improvement:

  • GEOS-10816 OGC API Features complex features test fails since introduction of tag in HTML templates

  • GEOS-10848 Column remarks documentation should be updated to reflect that functionality is supported with JNDI

  • GEOS-10851 GWC S3 Blobstore Parameters Get Converted back to plain text after an application restart

For complete information see 2.21.4 release notes.

About GeoServer 2.21

Additional information on GeoServer 2.21 series:

Release notes: ( 2.21.4 | 2.21.3 | 2.21.2 | 2.21.1 | 2.21.0 | 2.21-RC )