GeoServer 2.9.3 Released

The GeoServer team is pleased to announce the release of GeoServer 2.9.3. Download bundles are provided (bin, war, dmg and exe) along with documentation and extensions.

This is a maintenance release of GeoServer suitable for production systems. Maintenance releases are focused on bug fixes and stability, rather than new features.

The team has been working hard, resulting in a wide range of bug fixes:

• Windows installer fixed allowing port to set for standalone or service use

• KML Output managed a date-month swap when used in a non-POSIX locale.

• Improved documentation for the demo pages, including the WCS Request builder.

• CSS stroke-offset now supports expressions

• WMS GetCapabilities fix for inadvertently show layer group contents multiple times.

• Style generation fix for raster data layers

• Coverage view improvements include preservation of origional band names, and alpha band if available.

• WFS correctly handles disabled stores

• REST API

  • Correctly represent empty true/false values for html output

  • Representation of an empty styles list in JSON fixed

  • Cascade delete fixed to correctly handle nested layer groups

• JMS Clustering has received a number of fixes: correctly handles virtual service configuration, propagation of workspace and service settings.

• Lots of bug fixes (check the release notes for details)

Community Modules

Community module updates:

• A community module is now available allowing GeoServer to authenticate against the OAuth2 protocol (including Google OAuth2).

Security Considerations

This release addresses three security vulnerabilities:

• Additional restrictions have been placed on the demo request page

• Addressed an XML injection vulnerability identified in an automatic scan.

• GeoServer now changes sessions during login, this addresses a class of vulnerablities known as “session fixation”.

Thanks again to Nick Muerdter for reporting these in a responsible manner (and Andrea and Jody for addressing these during the November bug stomp.)

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

About GeoServer 2.9

Articles, docs, blog posts and presentations:

• Lots of goodies in the original 2.9.0 announcement (GeoServer Blog)

• Results of our Bug Stomp Mini Code Sprint in July (GeoServer blog)

• Internals upgrade to spring-4 for Java 8 compatibility (User Guide)

• GeoServer code sprint success and wicket migration code sprint (GeoServer Blog)

• GeoServer Plugin for QGIS (Boundless)

• QGIS SLD export improvements (GeoSolutions)

• Smart transparency in GeoServer with image/vnd.jpeg-png format (GeoSolutions)

• Simplify complex feature mappings setup with HALE (GeoSolutions)

• REST management of Resources (User Guide)

##