GeoServer 2.20.4 Released
GeoServer 2.20.4 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a stable release of the 2.20.x series recommended for production systems. This release was made in conjunction with GeoTools 26.4.
Thanks to everyone who contributed, and to Andrea Aime (GeoSolutions) and Jody Garnett (GeoCat) for making this release.
Security Considerations
This release includes several security enhancements and is a recommended upgrade for production systems.
This release includes two improvements addressing Jiffle and GeoTools RCE vulnerabilities:
-
GEOS-10458 Upgrade to JAI-EXT 1.1.22
-
GEOT-7115 Streamline JNDI lookups
This release also includes:
-
GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE
Although GeoServer assessment did not identify any issue we have now updated the the spring framework library.
2024-06-30 Update: The following mitigation has been provided:
-
CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)
geoserver-2.20.4-patches (replacing
gt-app-schema
,gt-complex
andgt-xsd-core
jars) has been provided by Andrea (GeoSolutions)
See project security policy for more information on how security vulnerabilities are managed.
Add Styles support to LayerGroup
Allows layer group (layer mode SINGLE
or OPAQUE
) list alternate styles in addition to the default one. Each alternate style is
defined by a named configuration of layers and styles providing a unique visual representation.
- GEOS-10252 Add Styles support to LayerGroup
- GEOS-10274 Geofence follow up LayerGroup Style addition
For more information see GSIP-205 Add Styles support to LayerGroup proposa.
Improvements and Fixes
Improvements:
-
GEOS-10434 Externalized GeoServer environment properties
-
GEOS-10427 Improve access check in ImportProcess
-
GEOS-10409 Improve deletion of WPS Execute input temp files
Fixes:
-
GEOS-10437 Breaking SLD 1.1 style by REST upload
-
GEOS-10419 NullPointerException from GeoServerOAuthAuthenticationFilter
-
GEOS-10418 Bad request sent to GeoFence when matching roles only
-
GEOS-10401 WPS GetExecutionResult doesn’t validate the mimetype parameter
-
GEOS-10400 Disabling WMS dynamic styling does not affect GetLegendGraphic requests
-
GEOS-10393 WFS-T deletes the wrong features (and further BatchManager issues)
-
GEOS-9978 WMS vendor parameter CLIP - ignores TIME/CQL_FILTER and other parameters when using with ImageMosaic
Tasks:
-
GEOS-10445 Upgrade springframework from 5.1.20.RELEASE to 5.2.20.RELEASE
-
GEOS-10303 Upgrade to jackson 2.13.2
For more information see 2.20.4 release notes.
About GeoServer 2.20
Additional information on GeoServer 2.20 series:
- Jiffle and GeoTools RCE vulnerabilities
- Spring RCE Spring4Shell CVE-2022-22965 assessment
- Log4J2 zero day vulnerability assessment
- Internationalization of title and abstract
- State of GeoServer 2.20 edition
- Windows Installer
Release notes: ( 2.20.4 | 2.20.3 | 2.20.2 | 2.20.1 | 2.20.0 | 2.20-RC )
Tutorials
- Using Spatial Operators in GeoServer Filters
- Using Value Comparison Operators in GeoServer Filters
- Using Binary Comparison Operators in GeoServer Filters
- Utilizing the Demo Section in Geoserver
- How to Implement Basic Security in Geoserver
- How to create Tile Layers with GeoServer
- How to style layers using GeoServer and QGIS
- How to Publish a GeoTIFF file in GeoServer
- A Comprehensive Guide to Publishing a Shapefile in GeoServer
- GeoServer About & Status - A Practical Guide