GeoServer 2.21.4 Release
GeoServer 2.21.4 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a maintenance release of the GeoServer 2.21.x series, made in conjunction with GeoTools 27.4 and GeoWebCache 1.21.4.
Thanks to Jody Garnett (GeoCat) for making this release.
Security Considerations
This release addresses a security vulnerability and is considered an essential upgrade for production systems:
- CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
- CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
For more information see OGC Filter Injection Vulnerability Statement.
- GEOT-7302 Escape user inputs in SQL queries
- GEOS-10842 JDBCConfig: escape user inputs in SQL queries
- GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing
2024-06-30 Update: The following mitigation has been provided:
- CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical): geoserver-2.21.4-patches.zip (replacing the gt-app-schema, gt-complex and gt-xsd-core jars) has been provided by Andrea (GeoSolutions)
See project security policy for more information on how security vulnerabilities are managed.
Community Modules
The JDBC Config module received several important fixes:
- GEOS-10814 Update jdbc config to use consistent SQL formatting
- GEOS-10813 jdbc config cache bug
- GEOS-10829 JDBC Config missing some nested layer properties
- GEOS-10842 JDBCConfig: escape user inputs in SQL queries
Release notes
Bug:
- GEOS-7506 shutdown.bat cannot run without JAVA_HOME set
- GEOS-10683 FileWrapperResourceTheoryTest fails on Windows since Java 11
- GEOS-10689 OSHISystemInfoCollector holds non daemon threads, prevents clean shutdown of Tomcat
- GEOS-10807 LayerGroup with nested group POST rest op fails with null styles attribute
- GEOS-10817 Features Templating - XML HTML output doesn’t escape all html and xml symbols
- GEOS-10818 Schemaless Property Accessor returns empty list instead of null for null/not existing properties
- GEOS-10846 Enable auto-escaping for REST HTML templates
Improvement:
- GEOS-10816 OGC API Features complex features test fails since introduction of tag in HTML templates
- GEOS-10848 Column remarks documentation should be updated to reflect that functionality is supported with JNDI
- GEOS-10851 GWC S3 Blobstore Parameters Get Converted back to plain text after an application restart
For complete information see 2.21.4 release notes.
About GeoServer 2.21
Additional information on GeoServer 2.21 series:
Release notes: ( 2.21.4 | 2.21.3 | 2.21.2 | 2.21.1 | 2.21.0 | 2.21-RC )