GeoServer 2.22.2 Release
GeoServer 2.22.2 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a stable release of the GeoServer 2.22.x series, made in conjunction with GeoTools 28.2 and GeoWebCache 1.22.1.
This release was scheduled early to address a security vulnerability. Thanks to Jody Garnett for making this release on behalf of GeoCat Live.
Security Considerations
This release addresses a security vulnerability and is considered an essential upgrade for production systems:
- CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
- CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
For more information see OGC Filter Injection Vulnerability Statement.
- GEOT-7302 Escape user inputs in SQL queries
- GEOS-10842 JDBCConfig: escape user inputs in SQL queries
- GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing
2024-06-30 Update: The following mitigation has been provided:
-
CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)
geoserver-2.22.2-patches.zip (replacing
gt-app-schema
,gt-complex
andgt-xsd-core
jars) has been provided by Andrea (GeoSolutions)
See project security policy for more information on how security vulnerabilities are managed.
Natural Earth 50m Sample Data
The Natural Earth ne
workspace has been improved with 1:50m sample data offering the following:
- improved detail
- country labels in multiple languages
- disputed regions
The countries.sld
style includes the following:
<sld:TextSymbolizer>
<sld:Label>
<ogc:Function name="Recode">
<ogc:Function name="language"/>
<ogc:Literal/>
<ogc:PropertyName>NAME</ogc:PropertyName>
<ogc:Literal>en</ogc:Literal>
<ogc:PropertyName>NAME</ogc:PropertyName>
<ogc:Literal>it</ogc:Literal>
<ogc:PropertyName>NAME_IT</ogc:PropertyName>
<ogc:Literal>fr</ogc:Literal>
<ogc:PropertyName>NAME_FR</ogc:PropertyName>
</ogc:Function>
</sld:Label>
To try this out in French append &LANGUAGE=fr
to any GetMap request, including Layer Preview.
These styles also now validate. Thanks to Jody Garnett (GeoCat) for this work.
- GEOS-10624 Data directory and documentation update
- GEOS-10836 The demo styles in “ne” workspace do not validate
Welcome Page Performance Improvements
The welcome page loading is now limited to a short amount of time to retrieve the list of workspaces and layers to select from. For large catalogues, with lots of security restrictions, that are unable to respond in this time, a simple text field is provided.
To force the use of a simple text field the property GeoServerHomePage.selectionMode=TEXT
can be used. Use DROPDOWN
to force a selection control to be used, or AUTOMATIC
to determine the behaviour based on catalogue performance as described above.
The default time out GeoServerHomePage.selectionTimeout=5000
for interaction can be adjusted if you would like to provide the catalogue more time to respond.
By default GeoServerHomePage.selectionMaxItems=1000
workspaces or layers can be loaded. This number may be limited further if you find browser performance is affected.
Thanks to Andrea (GeoSolutions) for these performance improvements, and Jody Garnett for a number of smaller fixes.
-
GEOS-10833 GeoServerHomePage unresponsive against large catalogs
-
GEOS-10759 Welcome page unreachable with large / slow catalogue configuration
-
GEOS-10838 Speed up DefaultResourceAccessManager securityFilter implementation
-
GEOS-10834 Catalog.list might require a lot of time due to security filtering
-
GEOS-10847 Selecting a raster layer in home page shows incorrect services
-
GEOS-10861 Welcome blurb i18n not respecting language switch
Community Modules
OGC API updates:
-
GEOS-10860 OGC API should return version including minor and patch in HTTP Response Header
-
GEOS-10828 OGC API - Features - Plugin breaks core `/rest` API with JSON payloads
The JDBC Config module received several important fixes:
-
GEOS-10814 Update jdbc config to use consistent SQL formatting
-
GEOS-10813 jdbc config cache bug
-
GEOS-10829 JDBC Config missing some nested layer properties
-
GEOS-10842 Escape user inputs in SQL queries
Release notes
Improvement:
- GEOS-10851 GWC S3 Blobstore Parameters Get Converted back to plain text after an application restart
Bug:
-
GEOS-7506 shutdown.bat cannot run without JAVA_HOME set
-
GEOS-10689 OSHISystemInfoCollector holds non daemon threads, prevents clean shutdown of Tomcat
-
GEOS-10846 Enable auto-escaping for REST HTML templates
Task:
-
GEOS-10683 FileWrapperResourceTheoryTest fails on Windows since Java 11
-
GEOS-10848 Column remarks documentation should be updated to reflect that functionality is supported with JNDI
For complete information see 2.22.2 release notes.
About GeoServer 2.22
Additional information on GeoServer 2.22 series:
- Update Instructions
- Metadata extension
- CSW ISO Metadata extension
- State of GeoServer (FOSS4G Presentation)
- GeoServer Beginner Workshop (FOSS4G Workshop)
- Welcome page (User Guide)
Release notes: ( 2.22.2 | 2.22.1 | 2.22.0 | 2.22-RC | 2.22-M0 )
Vulnerability
- GeoServer 2.25.4 Release
- GeoServer 2.26.0 Release
- CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions
- GeoServer 2.25.2 Release
- GeoServer 2.24.4 Release
- GeoServer 2.23.6 Release
- GeoServer 2.25.1 Release
- GeoServer 2.25.0 Release
- GeoServer 2.23.5 Release
- GeoServer 2.24.2 Release