The GeoServer 2.23.4 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of GeoServer providing existing installations with minor updates and bug fixes. GeoServer 2.23.4 is made in conjunction with GeoTools 29.4 and GeoWebCache 1.23.3.

Thanks to Peter Smythe (AfriGIS) for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered an essential update for production systems.

  • CVE-2023-51444 Arbitrary file upload vulnerability in REST Coverage Store API (High).
  • CVE-2023-41877 GeoServer log file path traversal vulnerability (High).
  • CVE-2024-23821 Stored Cross-Site Scripting (XSS) vulnerability in GWC Demos Page (Moderate).
  • CVE-2024-23819 Stored Cross-Site Scripting (XSS) vulnerability in MapML HTML Page (Moderate).
  • CVE-2024-23642 Stored Cross-Site Scripting (XSS) vulnerability in Simple SVG Renderer (Moderate).
  • CVE-2023-51445 Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API (Moderate).

See the project security policy for more information on how security vulnerabilities are managed.

Release notes

Improvement:

  • GEOS-11152 Improve handling special characters in the Simple SVG Renderer
  • GEOS-11154 Improve handling special characters in the MapML HTML Page
  • GEOS-11176 Add validation to file wrapper resource paths
  • GEOS-11188 Let DownloadProcess handle download requests whose pixel size is larger than integer limits
  • GEOS-11189 Add an option to throw a service exception when nearest match “allowed interval” is exceeded
  • GEOS-11193 Add an option to throw an exception when the time nearest match does not fall within search limits
  • GEOS-11219 Upgrade mail and activation libraries

Bug:

  • GEOS-9757 Return a service exception when client provided WMS dimensions are not a match
  • GEOS-11074 GeoFence may not load property file at boot
  • GEOS-11184 ncwms module has a compile dependency on gs-web-core test jar
  • GEOS-11190 GeoFence: align log4j2 deps
  • GEOS-11196 NPE in VectorDownload if ROI not defined
  • GEOS-11200 GetFeatureInfo can fail on rendering transformations that generate a different raster
  • GEOS-11203 WMS GetFeatureInfo bad WKT exception for label-geometry
  • GEOS-11206 Throw nearest match mismatch exceptions only for WMS
  • GEOS-11223 Layer not visible in preview/capabilities if security closes the workspace, but allows access to the layer
  • GEOS-11224 Platform independent binary doesn’t start properly with default data directory

For the complete list, see the 2.23.4 release notes.

Community Updates

Community module development:

  • GEOS-11209 Open ID Connect Proof Key of Code Exchange (PKCE)
  • GEOS-11212 OIDC accessToken verification using only JWKs URI

Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.

About GeoServer 2.23 Series

Additional information on the GeoServer 2.23 series:

Release notes: ( 2.23.4 | 2.23.3 | 2.23.2 | 2.23.1 | 2.23.0 | 2.23-RC1 )