GeoServer 2.20.3 Released
GeoServer 2.20.3 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a stable release of the 2.20.x series recommended for production systems. This release was made in conjunction with GeoTools 26.3.
Thanks to everyone who contributed, and to Jody Garnett (GeoCat) for making this release.
Security Considerations
This release includes several security enhancements and is a recommended upgrade for production systems.
This release includes two improvements limiting server-side request forgery (SSRF) opportunities:
- GEOS-10389 Introduce ENTITY_RESOLUTION_ALLOWLIST parameter to further restrict external entity resolution.
  See the user guide on external entities resolution for instructions on use. Keep in mind that the application schema plugin requires external entity resolution of local files to be available. The global setting required by application schema has been renamed to Unrestricted XML External Entity Resolution.
- GEOS-10384 Change GetMap to URIKvpParser.
  This improvement works in conjunction with the WMS dynamic styling setting that disables the SLD and SLD_BODY parameters. By handling SLD and SLD_BODY as URI values we avoid a well-known Java side effect when comparing URL values.
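The side effect behind GEOS-10384 is that java.net.URL resolves host names inside equals() and hashCode(), while java.net.URI compares parsed text only. The following is an added example, not GeoServer code: the class, the method names and the allow-list are hypothetical, and the request value is constructed.

```java
import java.net.URI;
import java.net.URL;
import java.util.Set;

public class UriVsUrlComparison {

    // Hypothetical allow-list of style locations; not GeoServer configuration.
    static final Set<URI> ALLOWED =
            Set.of(URI.create("http://127.0.0.1/styles/roads.sld"));

    // URI equality compares the parsed components as text:
    // no DNS lookup and no network I/O happen during the check.
    static boolean allowedAsUri(String value) {
        return ALLOWED.contains(URI.create(value).normalize());
    }

    // URL.equals() resolves both host names and treats hosts that map to the
    // same address as equal, so the comparison itself triggers name resolution
    // for whatever host the request supplied.
    static boolean allowedAsUrl(String value) throws Exception {
        URL candidate = URI.create(value).toURL();
        for (URI allowed : ALLOWED) {
            if (allowed.toURL().equals(candidate)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request value: same path, host given by name, not address.
        String sld = "http://localhost/styles/roads.sld";
        System.out.println("URI comparison matches: " + allowedAsUri(sld));
        System.out.println("URL comparison matches: " + allowedAsUrl(sld));
    }
}
```

The two checks disagree whenever the supplied host name resolves to the allow-listed address, and only the URL variant makes the server perform a lookup while validating the parameter.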
We would like to thank GeoCat for addressing these two issues on behalf of Fisheries and Oceans Canada. If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.
Improvements and Fixes
Improvements:
- GEOS-10367 Allow GetTimeSeries to have a maximum times limit separate from WMS max dimensions
Fixes:
- GEOS-10379 WCS 2.0 requested ScaleSize not being respected when crossing the dateline
- GEOS-10377 Layers and Layer Groups get default abstract in capabilities document when none set in configuration.
- GEOS-10373 GetTimeSeries does not work on source data with time ranges
- GEOS-10362 Username remains in roles.xml after user removal operation
- GEOS-10316 Regression in 2.20.x: Unable to specify JAVA_OPTS for startup.sh
- GEOS-10066 CSS ArrayList class cast exception in layer rendering
- GEOS-9785 Invalid argument type=null when trying to use gs:Download WPS identifier
- GEOS-9770 Cascading WMS server sets invalid I and J when using EPSG:3006 on GetFeatureInfo calls
For more information see 2.20.3 release notes.
About GeoServer 2.20
Additional information on GeoServer 2.20 series:
- Log4J2 zero day vulnerability assessment
- Internationalization of title and abstract
- State of GeoServer 2.20 edition
- Windows Installer
Release notes: ( 2.20.3 | 2.20.2 | 2.20.1 | 2.20.0 | 2.20-RC )