This is a stable release of the GeoServer 2.22.x series, made in conjunction with GeoTools 28.2 and GeoWebCache 1.22.1.
This release was scheduled early to address a security vulnerability. Thanks to Jody Garnett for making this release on behalf of GeoCat Live.
This release addresses a security vulnerability and is considered an essential upgrade for production systems:
- CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
- CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
For more information see OGC Filter Injection Vulnerability Statement.
- GEOT-7302 Escape user inputs in SQL queries
- GEOS-10842 JDBCConfig: escape user inputs in SQL queries
- GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing
Natural Earth 50m Sample Data
The Natural Earth `ne` workspace has been improved with 1:50m sample data offering the following:
- improved detail
- country labels in multiple languages
- disputed regions
`countries.sld` style includes the following:

```xml
<sld:TextSymbolizer>
  <sld:Label>
    <ogc:Function name="Recode">
      <ogc:Function name="language"/>
      <ogc:Literal/>
      <ogc:PropertyName>NAME</ogc:PropertyName>
      <ogc:Literal>en</ogc:Literal>
      <ogc:PropertyName>NAME</ogc:PropertyName>
      <ogc:Literal>it</ogc:Literal>
      <ogc:PropertyName>NAME_IT</ogc:PropertyName>
      <ogc:Literal>fr</ogc:Literal>
      <ogc:PropertyName>NAME_FR</ogc:PropertyName>
    </ogc:Function>
  </sld:Label>
```

To try this out in French append `&LANGUAGE=fr` to any GetMap request, including Layer Preview.
These styles also now validate. Thanks to Jody Garnett (GeoCat) for this work.
- GEOS-10624 Data directory and documentation update
- GEOS-10836 The demo styles in “ne” workspace do not validate
Welcome Page Performance Improvements
The welcome page loading is now limited to a short amount of time to retrieve the list of workspaces and layers to select from. For large catalogues, with lots of security restrictions, that are unable to respond in this time, a simple text field is provided.
To force the use of a simple text field the property `GeoServerHomePage.selectionMode=TEXT` can be used. Use `DROPDOWN` to force a selection control to be used, or `AUTOMATIC` to determine the behaviour based on catalogue performance as described above.
The default time out `GeoServerHomePage.selectionTimeout=5000` for interaction can be adjusted if you would like to provide the catalogue more time to respond.
`GeoServerHomePage.selectionMaxItems=1000` workspaces or layers can be loaded. This number may be limited further if you find browser performance is affected.
Thanks to Andrea (GeoSolutions) for these performance improvements, and Jody Garnett for a number of smaller fixes.
- GEOS-10833 GeoServerHomePage unresponsive against large catalogs
- GEOS-10759 Welcome page unreachable with large / slow catalogue configuration
- GEOS-10838 Speed up DefaultResourceAccessManager securityFilter implementation
- GEOS-10834 Catalog.list might require a lot of time due to security filtering
- GEOS-10847 Selecting a raster layer in home page shows incorrect services
- GEOS-10861 Welcome blurb i18n not respecting language switch
OGC API updates:
- GEOS-10860 OGC API should return version including minor and patch in HTTP Response Header
- GEOS-10828 OGC API - Features - Plugin breaks core `/rest` API with JSON payloads
The JDBC Config module received several important fixes:
- GEOS-10814 Update jdbc config to use consistent SQL formatting
- GEOS-10813 jdbc config cache bug
- GEOS-10829 JDBC Config missing some nested layer properties
- GEOS-10842 Escape user inputs in SQL queries
- GEOS-10851 GWC S3 Blobstore Parameters Get Converted back to plain text after an application restart
- GEOS-7506 shutdown.bat cannot run without JAVA_HOME set
- GEOS-10689 OSHISystemInfoCollector holds non daemon threads, prevents clean shutdown of Tomcat
- GEOS-10846 Enable auto-escaping for REST HTML templates
- GEOS-10683 FileWrapperResourceTheoryTest fails on Windows since Java 11
- GEOS-10848 Column remarks documentation should be updated to reflect that functionality is supported with JNDI
For complete information see 2.22.2 release notes.
About GeoServer 2.22
Additional information on GeoServer 2.22 series:
- Update Instructions
- Metadata extension
- CSW ISO Metadata extension
- State of GeoServer (FOSS4G Presentation)
- GeoServer Beginner Workshop (FOSS4G Workshop)
- Welcome page (User Guide)