GeoServer 2.12.5 released
We are happy to announce the release of GeoServer 2.12.5. Downloads are available (zip, war, and exe) along with docs and extensions.
This is the last maintenance release for the 2.12.x series, so we recommend that users plan an upgrade to 2.13.x or to the upcoming 2.14.x series. This release is made in conjunction with GeoTools 18.5.
Highlights of this release are featured below; for more information please see the release notes (2.12.5, 2.12.4, 2.12.3, 2.12.2, 2.12.1, 2.12.0, 2.12-RC1, 2.12-beta).
- ImageMosaic should work when the images have no CRS information
- Upgrade Apache POI dependencies
- Upgrade jasypt dependency
- Upgrade json-lib dependency to 2.4
- Upgrade bouncycastle provider to 1.60
- NullPointerException during WMS request of layer group when caching is enabled
- GeorectifyCoverage fails to handle paths with spaces
- CSS translator does not support mark offset/anchors based on expressions (but SLD does)
- GeoServerSecuredPage might not redirect to login page in some obscure cases after Wicket upgrade
Please update your production instances of GeoServer to receive the latest security updates and fixes.
This release addresses several security vulnerabilities:
- Prevent arbitrary code execution via Freemarker Template injection
- XXE vulnerability in GeoTools XML Parser
- XXE vulnerability in WPS Request builder
- Various library upgrades (see above) from versions with known CVEs
Thanks to Steve Ikeoka, Kevin Smith, Brad Hards and Nuno Oliveira for providing fixes to these issues.
These fixes are also included in the 2.13.2 release.
If you encounter a security vulnerability in GeoServer, or any other open source software, please take care to report the issue in a responsible fashion.
About GeoServer 2.12 Series
Additional information on the 2.12 series:
- State of GeoServer 2.12 (SlideShare)
- GeoServer Feature Frenzy (SlideShare)