GeoServer 2.10.4 Released

We are pleased to announce the release of GeoServer 2.10.4. Downloads are available (zip, war, dmg and exe) along with documentation and extensions.

This is a maintenance release of GeoServer suitable for production systems. Maintenance releases are focused on bug fixes and stability, rather than new features. This release is made in conjunction with GeoTools 16.4 and GeoWebCache 1.10.3.

This release is made by Torben Barsballe and Kevin Smith from the Boundless team. Special thanks to Nick Stires from Boundless and the Frank Warmerdam from OSGeo for their help setting up the new build.geoserver.org server used for this release. We would like to thank these volunteers and everyone who contributed features, fixes and time during the release process.

Security Considerations

The 2.10.3 release addressed three security vulnerabilities. Details of these vulnerabilities were not included in the 2.10.3 blog post to provide time for the fixes to be included in 2.11.1, and have been replicated here:

• Added a configurable delay during login, to mitigate a brute force attack.

• Added a configurable parameter to control clickjacking attacks against the GeoServer UI.

• Added an additional parameter for locking down password autocomplete in the GeoServer UI

Thanks to Andrea Aime and Devon Tucker for providing fixes to these issues.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

New Features and Improvements

• Add rest endpoint for geofence admin rules

• Add REST endpoint for a user to change their password

• Allow disabling usage of SLD and SLD_BODY in WMS requests (also for virtual services)

Bug Fixes

• Native JAI installation instructions report incorrect information about the installers

• Downloading zip file using /rest/workspaces//datastores//file.shp doesn't work after GeoServer reload

• Virtual services do not play nice with GML 3 encoding

• Namespace filtering on capabilties returns all layer groups (including the ones in other workspaces)

• Cascaded WMS does not encrypt configuration password

• Reloading GeoServer re-enables all disabled WMTS services

• Slow WFS GetFeature when using a 3D bbox POST request

• WMS cascading fails with NPE when advanced projection handling gets disabled

• Style Editor Preview Legend Fails on non-SLD Styles

• Exception when saving a layer group in GeoServer UI

• JMS fails to handle styles workspaces changes

• WFS-T Insert FeatureIds being returned in incorrect order

• CSW get capabilities ingore virtual services settings and always use the global service ones

• Integrated GWC does not work with layer and layer group specific services

About GeoServer 2.10

Articles, docs, blog posts and presentations:

• The YSLD extension added, with extensive documentation (user guide)

• State of GeoServer 2016 (slideshare)

• The style editor has been refreshed with the best ideas from the css extension (user guide)

• The styling workshop has been updated for foss4g 2016 and now includes both CSS and YSLD examples (user guide)

• Smart transparency in GeoServer with image/vnd.jpeg-png format (GeoSolutions)

• QGIS SLD export improvements (GeoSolutions)

Community modules

• A new community module to backup/restore and restore GeoServer configuration

• A resource browser is available allowing remote management of styles, icons and fonts (needs building from sources).

• A new WMTS multidimensional domain discovery community module for discovering patches of data in scattered data sets