GeoServer 2.10.3 Released
We are happy to announce the release of GeoServer 2.10.3. Downloads are available (zip, war, dmg and exe) along with docs and extensions.
This release of GeoServer is from the 2.10 branch, which is now going into maintenance and is no longer recommended for new production systems. This release is made in conjunction with GeoTools 16.3.
This release is made by Ian Turton from the Astun Technology team. We would like to thank these volunteers and everyone who contributed features, fixes and time during the release process.
This release addresses three security vulnerabilities:
- Added a configurable delay during login, to mitigate brute force attacks.
- Added a configurable parameter to control clickjacking attacks against the GeoServer UI.
- Added an additional parameter for locking down password autocomplete in the GeoServer UI.
Thanks to Andrea Aime and Devon Tucker for providing fixes to these issues.
These fixes are also included in the 2.11.1 release.
If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.
New Features and Improvements
- [GEOS-7684] - Add rest endpoint for geofence admin rules
- [GEOS-7763] - Add REST endpoint for a user to change their password
- [GEOS-7957] - GeoFence: REST Rule DTO does not handle addressrange
- [GEOS-8022] - Allow disabling usage of SLD and SLD_BODY in WMS requests (also for virtual services)
A large number of bugs were fixed for this release including several that affected JMS clustering, WFS with 3D data and using the Style Editor with non-SLD styles. See the release notes for more details of all the fixes.