GeoServer 2.23.0 Release
GeoServer 2.23.0 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a stable release of GeoServer suitable for production systems, made in conjunction with GeoTools 29.0 and GeoWebCache 1.23.0.
Thanks to Jody Garnett (GeoCat) for making this release. Additional thanks to those volunteering to test the release candidate, your assistance is seen and appreciated: Peter Rushforth, Mark Prins, Gabriel Roldan, and Juan Luis Rodríguez.
Keeping GeoServer sustainable requires community commitment. If you are unable to contribute time, sponsorship options are available via the Open Source Geospatial Foundation.
This release addresses a security vulnerability and is considered an essential upgrade for production systems.
- CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
- CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
For more information see OGC Filter Injection Vulnerability Statement. If you have already updated to a patched release, that is excellent. We still advise updating to benefit from the considerable work done updating dependencies for GeoServer 2.23.0.
Java 11 Minimum
With this release GeoServer no longer supports Java 8, and it is time to upgrade to Java 11 at a minimum. Our build system tests GeoServer with Java 11 and Java 17, which are both long-term-support OpenJDK releases.
If you try starting this version of GeoServer with Java 8 it will produce the following failure:
java.lang.UnsupportedClassVersionError: org/geoserver/GeoserverInitStartupListener has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0
For more information please see our User Manual Installation (User Manual) and Java Considerations (User Manual) pages.
- GSIP-215 - Drop Java 8 Support
- GEOS-10638 Drop Java 8 support
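The class file versions in the error above (55.0 for Java 11, 52.0 for Java 8) are stored in the first eight bytes of every compiled class, so an archive can be checked against the target runtime before deployment. The following is an added example, not GeoServer code: the function names and the in-memory sample archive are constructed for illustration, and only the class name is taken from the error message.

```python
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE

def class_major(header: bytes) -> int:
    """Major version from a class file header: u4 magic, u2 minor, u2 major."""
    if len(header) < 8:
        raise ValueError("truncated class file header")
    magic, _minor, major = struct.unpack(">IHH", header[:8])
    if magic != CLASS_MAGIC:
        raise ValueError("not a Java class file")
    return major

def java_release(major: int) -> int:
    """Class file major version -> Java release (52 -> 8, 55 -> 11, 61 -> 17)."""
    return major - 44

def classes_too_new(archive, runtime_release: int) -> dict:
    """Map class name -> required Java release for entries the runtime rejects."""
    rejected = {}
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            with zf.open(name) as fh:
                needed = java_release(class_major(fh.read(8)))
            if needed > runtime_release:
                rejected[name] = needed
    return rejected

def build_sample_archive() -> io.BytesIO:
    """Constructed sample: two 8-byte class headers in an in-memory jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/geoserver/GeoserverInitStartupListener.class",
                    struct.pack(">IHH", CLASS_MAGIC, 0, 55))
        zf.writestr("example/Legacy.class", struct.pack(">IHH", CLASS_MAGIC, 0, 52))
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for release in (8, 11):
        print(release, classes_too_new(build_sample_archive(), release))
```

The check reads only the `.class` entries directly inside the archive it is given; a WAR keeps most classes in jars under `WEB-INF/lib`, so each of those jars would be passed to `classes_too_new` in turn.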
The first big internal change for this release of GeoServer is a cleanup of the theme used for the GeoServer web administration application. Previously the pages had lots of little styling adjustments to try and get components to line up correctly and appear okay.
With this update all of the handmade styling changes have been removed, and everything is managed by the “geoserver.css” theme.
Thanks to Michel Gabriël (GeoCat) who started this work at the Bolsena code-sprint as a labour of love (well frustration).
- GSIP 213 - GUI CSS Cleanup
- GEOS-10556 Cleanup Inconsistent DOM structure and use of hardcoded styles
The second internal change for this release of GeoServer is an upgrade to the Spring Framework used to wire the internals of GeoServer together.
While this should not result in any change to functionality, it has resulted in quite a lot of careful quality assurance and testing to ensure everything is still connected and works as intended.
Thanks to Joseph Miller (GeoSolutions) who worked on this activity.
- GEOS-10779 Upgrade GeoServer Core Spring to 5.3.23 and Spring Security to 5.7.3
- GEOS-10907 Update spring.version from 5.3.25 to 5.3.26
Windows installer Java 11 Update
Windows users are advised to keep the Java 11 minimum requirement in mind when upgrading existing systems.
The installer will correctly detect the OpenJDK Adoptium; users of Oracle JDK may need to use the browse button.
Thanks to Juan Luis Rodríguez (GeoCat) for troubleshooting the windows installer for this release.
- GEOS-10890 Wrong path for the license file in the Windows installer script
Feature Type Description
A welcome new feature, building on top of the ability to customize FeatureTypes is the ability to provide a description for each attribute. This information is used in WFS DescribeFeatureType to provide a human readable name or description for the attributes being published.
Thanks to Joseph Miller (GeoSolutions) for this improvement.
- GEOS-10868 Add support for editable description in GeoServer customize feature type table
OGC CITE Fixes
The traditional OGC Open Web Services have not had automated CITE tests run for a while, but a few fixes have been made to restore CITE compliance:
- GEOS-10787 CITE WCS 1.1.1 - Throw exception on bad ‘store’ parameter
- GEOS-10788 CITE WCS 1.1.1 - Empty InterpolationMethod should throw exception
- GEOS-10757 CITE: WMS <Style> has elements in wrong order (DTD validation)
- GEOS-10782 CITE WFS 1.1 - HITS mimetype is incorrect
- GEOS-10783 CITE WFS 1.1 - Check customized feature type to determine if transform wrapper needed
- GEOS-10784 CITE WFS 1.1 - don’t do illegal geometry conversions
- GEOS-10785 CITE WFS 1.1 - Data Dir - allow anonymous users to modify data
Thanks to David Blasby (GeoCat) for this work on behalf of the GeoCat Live Project. David addressed several errors in the CITE testing for these services while addressing the above issues for the GeoServer community.
A number of CITE conformance issues remain open, notably the handling of acceptsVersions with a mix of older protocols (such as WFS 2.0, WFS 1.1 and WFS 1.0). If you are interested in funding or sponsoring this activity please visit our sponsorship page.
Configuration Saving and Loading
A special call out to Dieter Stuken for working on the kind of fixes that just cause frustration: troubleshooting the internal Resource Store component that allows GeoServer configuration to be saved on disk or in a database.
These fixes help the GeoServer Admin Console provide better error messages when a file is unavailable, and prevent the accidental creation of “missing” files when attempting to read from locations with no content.
- GEOS-10724 SpringResourceAdaptor should throw a FileNotFoundException instead of creating any missing file
- GEOS-10743 ResourcePool.readStyle created empty files
- GEOS-10723 clean up params-extractor plugin to use Resource
Documentation and Tutorials
A few sections of the User Manual have been updated:
- The installation, getting started and welcome pages are updated with new screen snapshots.
- Running in a production environment now documents welcome page selectors for those working with large catalogues with lots of security rules.
Thanks to Jody Garnett (GeoCat) and all those who contributed documentation fixes for this release.
- GEOS-10759 Welcome page unreachable with large / slow catalogue configuration
The following community module has been retired:
GEOS-10778 Retire GeoStyler community module
The plugin is now maintained outside of the GeoServer repository at https://github.com/geostyler .
Security community modules
With the upgrade of Spring Security to 5.7.3 mentioned above, the community security modules have been affected.
A reminder that these modules are in need of your support to be recognized as an extension (and be included in our automated testing). Contact the appropriate module maintainer (Alessio or David) to see how you can assist.
OGCAPI community module Updates
The OGCAPI community module remains under active development:
- GEOS-10889 OGC API info section should report the spec version, not the server version
- GEOS-10758 OGCAPI - Features - Add storageCrs property for Collections
- GEOS-10888 OGC API styles OpenAPI document points to dangling remote resources
- GEOS-10854 Move the OGC API OpenAPI definitions to the “openapi” resource
- GEOS-10855 Update the new OGC APIs so that the major version number is part of the path
- GEOS-10881 Add Content-Crs header to OGC API
- GEOS-10885 Remove Axis Order from OGC API Header
Andrea (GeoSolutions) has been working towards CITE compliance on behalf of Geonovum.
As a community module GeoServer OGC API is made available to developers for collaboration, and can also be accessed as a nightly build for feedback. If you are in a position to support this activity with time, money or resources please contact Andrea.
Improvements and Fixes
- GEOS-10696 Allow configuration of Output Format types allowed in GetFeature
- GEOS-10735 Obfuscate secret key in S3 Blob Store, avoiding requiring reentry when editing and HTML source visibility
- GEOS-10739 Contact information user interface feedback for welcome message
- GEOS-10740 Service enabled does not respect minimal/custom service names
- GEOS-10750 German Translation Overhaul Part 1
- GEOS-10755 WCS 2.0 module should not use string concatenation to build XML
- GEOS-10762 Allow enabling auto-escaping for WMS GetFeatureInfo HTML templates
- GEOS-10814 Update jdbc config to use consistent SQL formatting
- GEOS-10879 Dispatcher should not respond to non standard HTTP methods
- GEOS-10006 Seeding GWC doesn’t work for layers with a dot in the name
- GEOS-10865 Backwards incompatible change in the XML representation of user roles
- GEOS-10905 Default CSW properties do not allow sorting by identifiers
- GEOS-10798 Sphinx site http://sphinx.pocoo.org/ is outdate
- GEOS-10904 Bump jettison from 1.5.3 to 1.5.4
- GEOS-10894 Random control-flow errors on Mac builds
- GEOS-10863 Update Oracle JDBC driver to 220.127.116.11
- GEOS-10775 Update xmlunit to 1.6
For the complete list see 2.23.0 release notes.
About GeoServer 2.23 Series