This GeoServer 2.19.5 release was produced in conjunction with GeoTools 25.5 and GeoWebCache 1.19.2, this is a maintenance release recommended for production systems.
Thanks to everyone who contributed, and to Ian Turton (Astun Technology) for making this release.
This release includes several security enhancements and is a recommended update for production systems.
This release includes two improvements limiting Server-side request forgery (SSRF) opportunities:
ENTITY_RESOLUTION_ALLOWLISTparameter to further restrict external entity resolution.
See the user guide on external entities resolution for instructions on use. Keep in mind that the application schema plugin requires external entity resolution to local files be available. The global setting required by application schema has been renamed to Unrestricted XML External Entity Resolution.
GEOS-10384 Change GetMap to URIKvpParser.
This improvement is used in conjunction with WMS dynamic styling setting disabling of SLD and SLD_BODY parameters. By handling SLD and SLD_BODY as URI values we can avoid a well-known java side-effect when comparing URL values.
We would like to thank GeoCat for addressing these two issues on behalf of Fisheries and Oceans Canada. If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.
Improvements and Fixes
- GEOS-9785 Invalid argument type=null when trying to use gs:Download WPS identifier
- GEOS-9770 Cascading WMS server sets invalid I and J when using EPSG:3006 on GetFeatureInfo calls
About GeoServer 2.19
Additional information on GeoServer 2.19 series:
- Log4J2 zero day vulnerability assessment
- WMS GetFeatureInfo includes labels from ColorMap
- Promote WMTS multidim to extension
- Promote WPS-Download to extension
- Promote params-extractor to extension
- Promote GWC-S3 to extension
- Promote WPS-JDBC to extension status
- Promote MapML to extension status
- GeoServer repository transition to main branch