GeoServer 2.24.1 Release
GeoServer 2.24.1 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a stable release of GeoServer recommended for production use. GeoServer 2.24.1 is made in conjunction with GeoTools 30.1, and GeoWebCache 1.24.1.
Thanks to Jody Garnett (GeoCat) for making this release.
Security Considerations
This release addresses security vulnerabilities and is considered an essential upgrade for production systems.
- CVE-2023-51444 Arbitrary file upload vulnerability in REST Coverage Store API (High).
- CVE-2024-23819 Stored Cross-Site Scripting (XSS) vulnerability in MapML HTML Page (Moderate).
- CVE-2024-23640 Stored Cross-Site Scripting (XSS) vulnerability in WMS OpenLayers Format (Moderate).
- CVE-2024-23821 Stored Cross-Site Scripting (XSS) vulnerability in GWC Demos Page (Moderate).
- CVE-2024-23643 Stored Cross-Site Scripting (XSS) vulnerability in GWC Seed Form (Moderate).
- CVE-2024-23642 Stored Cross-Site Scripting (XSS) vulnerability in Simple SVG Renderer (Moderate).
See project security policy for more information on how security vulnerabilities are managed.
Release notes
Improvement:
- GEOS-11152 Improve handling special characters in the Simple SVG Renderer
- GEOS-11153 Improve handling special characters in the WMS OpenLayers Format
- GEOS-11154 Improve handling special characters in the MapML HTML Page
- GEOS-11155 Add the X-Content-Type-Options header
- GEOS-11173 Default to using HttpOnly session cookies
- GEOS-11176 Add validation to file wrapper resource paths
- GEOS-11188 Let DownloadProcess handle download requests whose pixel size is larger than integer limits
- GEOS-11189 Add an option to throw a service exception when nearest match “allowed interval” is exceeded
- GEOS-11193 Add an option to throw an exception when the time nearest match does not fall within search limits
Bug:
- GEOS-11074 GeoFence may not load property file at boot
- GEOS-11166 OGC API Maps HTML representation fail without datetime parameter
- GEOS-11184 ncwms module has a compile dependency on gs-web-core test jar
- GEOS-11190 GeoFence: align log4j2 deps
- GEOS-11196 NPE in VectorDownload if ROI not defined
- GEOS-11200 GetFeatureInfo can fail on rendering transformations that generate a different raster
- GEOS-11203 WMS GetFeatureInfo bad WKT exception for label-geometry
- GEOS-11206 Throw nearest match mismatch exceptions only for WMS
For the complete list see 2.24.1 release notes.
Community Module Updates
OAuth2 OpenID-Connect improvements
Two improvements have been made to the community module for OAuth2 OpenID-Connect authentication:
- GEOS-11209 Open ID Connect Proof Key of Code Exchange (PKCE)
- GEOS-11212 OIDC accessToken verification using only JWKs URI
In addition, the module includes an OIDC_LOGGING profile and updated documentation covering new settings and troubleshooting guidance.
Thanks Jody Garnett for these improvements on behalf of GeoBeyond.
Note: Over the course of 2024 the OAuth2 plugins will need to be rewritten for spring-framework 6. Interested parties are encouraged to reach out to the geoserver-devel email list; ideally we would like to see this functionality implemented and included as part of GeoServer.
About GeoServer 2.24 Series
Additional information on GeoServer 2.24 series:
- GeoServer 2.24 User Manual
- State of GeoServer 2.24 (foss4g-na presentation)
- Control remote HTTP requests sent by GeoTools/GeoServer
- Multiple CRS authority support, planetary CRS
- Extensive GeoServer Printing improvements
- Upgraded security policy
Release notes: ( 2.24.1 | 2.24.0 | 2.24-RC )
GeoServer is an Open Source Geospatial Foundation project supported by a mix of volunteer and service provider activity. We rely on sponsorship to fund activities beyond the reach of individual contributors.