GeoServer 2.21.5 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of the GeoServer 2.21.x series, made in conjunction with GeoTools 27.5 and GeoWebCache 1.21.5.

Thanks to Daniele Romagnoli (GeoSolutions) for making this release.

Security Considerations

2024-06-30 Update: The following mitigation has been provided:

• CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)

  geoserver-2.21.5-patches.zip (replacing gt-app-schema, gt-complex and gt-xsd-core jars) has been provided by Andrea (GeoSolutions)

See project security policy for more information on how security vulnerabilities are managed.

Release notes

Bug

• GEOS-3978 Layer configuration allows admin to enter a zero area bounding box

• GEOS-6313 Lifecycle handlers not properly called during shutdown

• GEOS-10006 Seeding GWC doesn’t work for layers with a dot in the name

• GEOS-10500 WFS-T unable to delete more than 30 features in a single transaction when the data source is PostGIS

• GEOS-10517 jms-cluster classes missing from XStream security configuration

• GEOS-10593 Regression: Creating SQL View via REST API and explicit attribute list is no-longer possible

• GEOS-10611 Uploading application/zip to styles endpoint does not clean up temporary files

• GEOS-10828 OGC API - Features - Plugin breaks core `/rest` API with JSON payloads

• GEOS-10837 geopackage output fails when java.io.tmpdir on network share

• GEOS-10869 Jayway JSON Path libraries not included anymore on GeoServer packages

• GEOS-10878 wps-multidimensional and wps-jdbc are not being deployed on maven repo

• GEOS-10896 Missing NULL check in the template backwards mapping

• GEOS-10899 Features template escapes twice HTML produced outputs

• GEOS-10912 jms-cluster fails to clone grid coverage layer on other nodes

• GEOS-10920 Excel output format packaging misses dependencies, cannot produce .xls

• GEOS-10921 Double escaping of HTML with enabled features-templating

• GEOS-10932 csw-iso: should only add ‘xsi:nil = false’ attribute

• GEOS-10946 WMS GetLegendGraphic throws FootprintsTransformation cannot be cast to ProcessFunction Exception

• GEOS-10950 Performance regression in DescribeFeatureType across all feature types

• GEOS-10957 Support ResourceAccessManager implementations returning custom subclasess of AccessLimits

Improvement

• GEOS-10870 Allow importer AttributesToPointGeometryTransform to preserve original geometries, and to configure the name of the target geometry

• GEOS-10940 Update MapML viewer to release 0.11.0

Task

• GEOS-10867 Bump commons-fileupload from 1.4 to 1.5

• GEOS-10873 Upgrade XStream to 1.4.20

• GEOS-10908 Update spring version from 5.2.22 to 5.2.23

• GEOS-10863 Update Oracle JDBC driver to 19.18.0.0

• GEOS-10904 Bump jettison from 1.5.3 to 1.5.4

For complete information see 2.22.5 release notes.

About GeoServer 2.21

Additional information on GeoServer 2.21 series:

• Feature Type Customization
• Add Styles support to LayerGroup
• Log4j1 update or replace activity

Release notes: ( 2.21.5 | 2.21.4 | 2.21.3 | 2.21.2 | 2.21.1 | 2.21.0 | 2.21-RC )

GeoServer 2.22.3 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of the GeoServer 2.22.x series, made in conjunction with GeoTools 28.3 and GeoWebCache 1.22.2.

Thanks to Daniele Romagnoli (GeoSolutions) for making this release.

Feature Type Description

Building on top of the ability to customize FeatureTypes GeoServer can now define a description for each attribute. This information is used in WFS DescribeFeatureType to provide a human readable name or description for the attributes being published.

Thanks to Joseph Miller (GeoSolutions) for this improvement.

• GEOS-10868 Add support for editable description in GeoServer customize feature type table

Release notes

Bug:

• GEOS-3978 Layer configuration allows admin to enter a zero area bounding box

• GEOS-6313 Lifecycle handlers not properly called during shutdown

• GEOS-10006 Seeding GWC doesn’t work for layers with a dot in the name

• GEOS-10500 WFS-T unable to delete more than 30 features in a single transaction when the data source is PostGIS

• GEOS-10517 jms-cluster classes missing from XStream security configuration

• GEOS-10593 Regression: Creating SQL View via REST API and explicit attribute list is no-longer possible

• GEOS-10611 Uploading application/zip to styles endpoint does not clean up temporary files

• GEOS-10837 geopackage output fails when java.io.tmpdir on network share

• GEOS-10865 Backwards incompatible change in the XML representation of user roles

• GEOS-10869 Jayway JSON Path libraries not included anymore on GeoServer packages

• GEOS-10871 about geoserver page reporting @project.version@ for WAR deploy

• GEOS-10878 wps-multidimensional and wps-jdbc are not being deployed on maven repo

• GEOS-10890 Wrong path for the license file in the Windows installer script

• GEOS-10896 Missing NULL check in the template backwards mapping

• GEOS-10899 Features template escapes twice HTML produced outputs

• GEOS-10912 jms-cluster fails to clone grid coverage layer on other nodes

• GEOS-10920 Excel output format packaging misses dependencies, cannot produce .xls

• GEOS-10921 Double escaping of HTML with enabled features-templating

• GEOS-10922 Features templating exception on text/plain format

• GEOS-10934 CSW does not show title/abstract on welcome page

• GEOS-10946 WMS GetLegendGraphic throws FootprintsTransformation cannot be cast to ProcessFunction Exception

• GEOS-10950 Performance regression in DescribeFeatureType across all feature types

• GEOS-10957 Support ResourceAccessManager implementations returning custom subclasess of AccessLimits

Improvement:

• GEOS-10858 jdbc-config turns off isolated workspace support

• GEOS-10870 Allow importer AttributesToPointGeometryTransform to preserve original geometries, and to configure the name of the target geometry

• GEOS-10898 Preserve key order in STAC responses coming from JSONB columns

• GEOS-10923 Use default writing params on GeoTIFFPPIO

Task:

• GEOS-10908 Update spring version from 5.2.22 to 5.2.23

• GEOS-10867 Bump commons-fileupload from 1.4 to 1.5

• GEOS-10873 Upgrade XStream to 1.4.20

• GEOS-10863 Update Oracle JDBC driver to 19.18.0.0

• GEOS-10894 Random control-flow errors on Mac builds

• GEOS-10904 Bump jettison from 1.5.3 to 1.5.4

For complete information see 2.22.3 release notes.

About GeoServer 2.22

Additional information on GeoServer 2.22 series:

• Update Instructions
• Metadata extension
• CSW ISO Metadata extension
• State of GeoServer (FOSS4G Presentation)
• GeoServer Beginner Workshop (FOSS4G Workshop)
• Welcome page (User Guide)

Release notes: ( 2.22.3 | 2.22.2 | 2.22.1 | 2.22.0 | 2.22-RC | 2.22-M0 )

GeoServer 2.23.0 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of GeoServer suitable for production systems, made in conjunction with GeoTools 29.0 and GeoWebCache 1.23.0.

Thanks to Jody Garnett (GeoCat) for making this release. Additional thanks to those volunteering to test the release candidate, your assistance is seen and appreciated: Peter Rushforth, Mark Prins, Gabriel Roldan, and Juan Luis Rodríguez.

Keeping GeoServer sustainable requires community commitment. If you are unable to contribute time, sponsorship options are available via the Open Source Geospatial Foundation.

Security Considerations

This release addresses a security vulnerability and is considered an essential upgrade for production systems.

• CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
• CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)

For more information see OGC Filter Injection Vulnerability Statement. If you have already updated to a patched release that is excellent. We still advise updating to benefit from the considerable work done updating dependencies for GeoServer 2.23.0.

Java 11 Minimum

With this release GeoServer no longer supports Java 8, and it is time to upgrade to Java 11 at a minimum. Our build system tests GeoServer in with Java 11 and Java 17 which are both long-term-support OpenJDK releases.

If you try starting this version of GeoServer with Java 8 it will produce the following failure:

java.lang.UnsupportedClassVersionError: org/geoserver/GeoserverInitStartupListener
has been compiled by a more recent version of the Java Runtime (class file version 55.0),
this version of the Java Runtime only recognizes class file versions up to 52.0

For more information please see our User Manual Installation (User Manual) and Java Considerations (User Manual) pages.

• GSIP-215 - Drop Java 8 Support
• GEOS-10638 Drop Java 8 support

CSS Cleanup

The first big internal change for this release of GeoServer is a cleanup of the theme used for the GeoServer web administration application. Previously the pages had lots of little styling adjustments to try and get components to line up correctly and appear okay.

With this update all of the handmade styling changes have been removed, and everything is managed by the “geoserver.css” theme.

Thanks to Michel Gabriël (GeoCat) who started this work at the Bolsena code-sprint as a labour of love (well frustration).

• GSIP 213 - GUI CSS Cleanup
• GEOS-10556 Cleanup Inconsistent DOM structure and use of hardcoded styles

Spring Upgrade

The second internal change for this release of GeoServer is an upgrade to the Spring Framework used to wire the internals of GeoServer together.

While this should not result in any change to functionality, it has resulted in quite a lot of careful quality assurance and testing to ensure everything is still connected and works as intended.

Thanks to Joseph Miller (GeoSolution) who worked on this activity.

• GEOS-10779 Upgrade GeoServer Core Spring to 5.3.23 and Spring Security to 5.7.3

• GEOS-10907 Update spring.version from 5.3.25 to 5.3.26

Windows installer Java 11 Update

Windows users are advised to keep the Java 11 minimum requirement in mind when upgrading existing systems.

The installer will correctly detect the OpenJDK Adoptium, users of Oracle JDK may need to use the browse button:

Thanks to Juan Luis Rodríguez (GeoCat) for troubleshooting the windows installer for this release.

• GEOS-10890 Wrong path for the license file in the Windows installer script

Feature Type Description

A welcome new feature, building on top of the ability to customize FeatureTypes is the ability to provide a description for each attribute. This information is used in WFS DescribeFeatureType to provide a human readable name or description for the attributes being published.

Thanks to Joseph Miller (GeoSolutions) for this improvement.

• GEOS-10868 Add support for editable description in GeoServer customize feature type table

OGC CITE Fixes

The traditional OGC Open Web Services have not had automated CITE tests run for a while, but a few fixes have been made to restore CITE compliance:

• GEOS-10787 CITE WCS 1.1.1 - Throw exception on bad ‘store’ parameter

• GEOS-10788 CITE WCS 1.1.1 - Empty InterpolationMethod should throw exception

• GEOS-10757 CITE: WMS <Style> has elements in wrong order (DTD validation)

• GEOS-10782 CITE WFS 1.1 - HITS mimetype is incorrect

• GEOS-10783 CITE WFS 1.1 - Check customized feature type to determine if transform wrapper needed

• GEOS-10784 CITE WFS 1.1 - don’t do illegal geometry conversions

• GEOS-10785 CITE WFS 1.1 - Data Dir - allow anonymous users to modify data

Thanks to David Blasby (GeoCat) for this work on behalf of the GeoCat Live Project. David addressed several errors in the CITE testing for these services while addressing the above issues for the GeoServer community.

A number of CITE conformance issues remain open, notably the handling of acceptsVersions with a mix of older protocols (such as WFS 2.0, WFS 1.1 and WFS 1.0). If you are interested in funding or sponsoring this activity please visit our sponsorship page.

Configuration Saving and Loading

A special call out to Dieter Stuken for working on the kind of fixes that just cause frustration - trouble shooting the internal Resource Store component that allows GeoServer configuration to be saved in a disk or database.

These fixes help the GeoServer Admin Console provide better error messages when a file is unavailable. And prevent the accidental creation of “missing” files when attempting to read from locations with no content.

• GEOS-10724 SpringResourceAdaptor should throw a FileNotFoundException instead of creating any missing file

• GEOS-10743 ResourcePool.readStyle created empty files

• GEOS-10723 clean up params-extractor plugin to use Resource

Documentation and Tutorials

A few section of the User manual have been updated:

• The installation, getting started and welcome page are updated with new screen snapshots.
• Running in a production environment now documents welcome page selectors for those working with large catalogues with lots of security rules

Thanks to Jody Garnett (GeoCat) and all those who contributed documentation fixes for this release.

• GEOS-10759 Welcome page unreachable with large / slow catalogue configuration

Community Updates

The following community module has been retired:

• GEOS-10778 Retire GeoStyler community module

  The plugin is now maintained outside of the GeoServer repository at https://github.com/geostyler .

Security community modules

With the upgrade to Spring Security to 5.7.3 mentioned above, the community security modules have affected.

A reminder that these modules are in need of your support to be recognized as an extension (and be included in our automated testing). Contact the appropriate module maintainer (Alessio or David) to see how you can assist.

OGCAPI community module Updates

The OGCAPI community module remains under active development:

• GEOS-10889 OGC API info section should report the spec version, not the server version

• GEOS-10758 OGCAPI - Features - Add storageCrs property for Collections

• GEOS-10888 OGC API styles OpenAPI document points to dangling remote resources

• GEOS-10854 Move the OGC API OpenAPI definitions to the “openapi” resource

• GEOS-10855 Update the new OGC APIs so that the major version number is part of the path

• GEOS-10881 Add Content-Crs header to OGC API

• GEOS-10885 Remove Axis Order from OGC API Header

Andrea (GeoSolutions) has been working towards CITE compliance on behalf of Geonovum.

As a community module GeoServer OGC API is made available to developers for collaboration, and can also be accessed as a nightly build for feedback. If you are in a position to support this activity with time, money or resources please contact Andrea.

Improvements and Fixes

New Feature:

• GEOS-10696 Allow configuration of Output Format types allowed in GetFeature

Improvement:

• GEOS-10735 Obfuscate secret key in S3 Blob Store, avoiding requiring reentry when editing and HTML source visibility

• GEOS-10739 Contact information user interface feedback for welcome message

• GEOS-10740 Service enabled does not respect minimal/custom service names

• GEOS-10750 German Translation Overhaul Part 1

• GEOS-10755 WCS 2.0 module should not use string concatenation to build XML

• GEOS-10762 Allow enabling auto-escaping for WMS GetFeatureInfo HTML templates

• GEOS-10814 Update jdbc config to use consistent SQL formatting

• GEOS-10879 Dispatcher should not respond to non standard HTTP methods

Fixes:

• GEOS-10006 Seeding GWC doesn’t work for layers with a dot in the name

• GEOS-10865 Backwards incompatible change in the XML representation of user roles

• GEOS-10905 Default CSW properties do not allow sorting by identifiers

Tasks:

• GEOS-10798 Sphinx site http://sphinx.pocoo.org/ is outdate

• GEOS-10904 Bump jettison from 1.5.3 to 1.5.4

• GEOS-10894 Random control-flow errors on Mac builds

• GEOS-10863 Update Oracle JDBC driver to 19.18.0.0

• GEOS-10775 Update xmlunit to 1.6

For the complete list see 2.23.0 release notes.

About GeoServer 2.23 Series

Release notes: ( 2.23.0 | 2.23-RC1 )

• Drop Java 8
• GUI CSS Cleanup
• Add the possibility to use fixed values in Capabilities for Dimension metadata

GeoServer 2.23-RC1 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a release candidate intended for public review and feedback, made in conjunction with GeoTools 29-RC1 and GeoWebCache 1.23-RC1.

Thanks to Gabriel Roldan (Camptocamp), Jody Garnett (GeoCat), and Andrea Aime (Geosolutions) for making this release candidate.

Release candidate public testing and feedback

Testing and providing feedback on releases is part of the open-source social contract. The development team (and their employers and customers) are responsible for sharing this great technology with you.

The collaborative part of open-source happens now - we ask you to test this release candidate in your environment and with your data. Try out the new features, double check if the documentation makes sense, and most importantly let us know!

If you spot something that is incorrect or not working do not assume it is obvious and we will notice. We request and depend on your email and bug reports at this time. If you are working with commercial support your provider is expected to participate on your behalf.

Keeping GeoServer sustainable requires a long term community commitment. If you are unable to contribute time, sponsorship options are available via OSGeo.

Java 11 Minimum

With this release GeoServer no longer supports Java 8, and it is time to upgrade to Java 11 at a minimum. Our build system tests GeoServer in with Java 11 and Java 17 which are both long-term-support OpenJDK releases.

If you try starting this version of GeoServer with Java 8 it will produce the following failure:

java.lang.UnsupportedClassVersionError: org/geoserver/GeoserverInitStartupListener
has been compiled by a more recent version of the Java Runtime (class file version 55.0),
this version of the Java Runtime only recognizes class file versions up to 52.0

For more information please see our User Manual Installation (User Manual) and Java Considerations (User Manual) pages.

• GSIP-215 - Drop Java 8 Support (Proposal)
• GEOS-10638 Drop Java 8 support

CSS Cleanup

The first big internal change for this release of GeoServer is a cleanup of the theme used for the GeoServer web administration application. Previously the pages had lots of little styling adjustments to try and get components to line up correctly and appear okay.

With this update all of the handmade styling changes have been removed, and everything is managed by the “geoserver.css” theme.

Thanks to Michel Gabriël (GeoCat) who started this work at the Bolsena code-sprint as a labour of love (well frustration).

• GUI CSS Cleanup (Proposal)
• GEOS-10556 Cleanup Inconsistent DOM structure and use of hardcoded styles

Spring Upgrade

The second internal change for this release of GeoServer in an upgrade to the Spring Framework used to wire the internals of GeoServer together.

While this should not result in any change to functionality, it has resulted in quite a lot of carefult quality assurance and testing to ensure everything is still connected and works as intended.

Your “it works” feedback during the release-candidate testing cycle is valuable and will make Joseph Miller (GeoSolution) who worked on this activity feel good.

• GEOS-10779 Upgrade GeoServer Core Spring to 5.3.23 and Spring Security to 5.7.3

Windows installer Java 11 Update

We are especially interested in feedback on the Java 11 minium transition for those using the Windows Installer (none of our core development team is in position to test so we are depending on you).

The installer will correctly detect the Adoptium JRE 11:

Early feedback indicates it is unable to detect Oracle JDK 17; but you can use Browse to manually select this JDK:

Thanks to Juan Luis Rodríguez (GeoCat) for troubleshooting the windows installer for this release.

• GEOS-10890 Wrong path for the license file in the Windows installer script

Feature Type Description

A welcome new feature, building on top of the ability to customize FeatureTypes is the ability to provide a description for each attribute. This information is used in WFS DescribeFeatureType to provide a human readable name or description for the attributes being published.

• GEOS-10868 Add support for editable description in GeoServer customize feature type table

OGC CITE Fixes

The traditional OGC Open Web Services have not had automated CITE tests run for a while, but a few fixes have been made to restore CITE compliance:

• GEOS-10787 CITE WCS 1.1.1 - Throw exception on bad ‘store’ parameter

• GEOS-10788 CITE WCS 1.1.1 - Empty InterpolationMethod should throw exception

• GEOS-10757 CITE: WMS <Style> has elements in wrong order (DTD validation)

• GEOS-10782 CITE WFS 1.1 - HITS mimetype is incorrect

• GEOS-10783 CITE WFS 1.1 - Check customized feature type to determine if transform wrapper needed

• GEOS-10784 CITE WFS 1.1 - don’t do illegal geometry conversions

• GEOS-10785 CITE WFS 1.1 - Data Dir - allow anonymous users to modify data

Thanks to David Blasby (GeoCat) for this work on behalf of the GeoCat Live Project. David address several errors in the CITE testing for these services while addressing the above issues for the GeoServer community.

A number of CITE conformance issues remain open, notably the handling of acceptsVersions with a mix of older protocols (such as WFS 2.0, WFS 1.1 and WFS 1.0). If you are interested in funding or sponsoring this activity please visit our sponsorship page.

Community Updates

The following community module has been retired:

• GEOS-10778 Retire GeoStyler community module

  The plugin is now maintained outside of the GeoServer repository at https://github.com/geostyler .

Security community modules

With the upgrade to Spring Security to 5.7.3 mentioned above, now is a good time for any teams working with community security modules to perform integration testing.

A reminder that these modules are in need of your support to be recognized as an extension (and be included in our automated testing). Contact the appropriate module maintainer (Alessio or David) to see how you can assist.

OGCAPI community module Updates

The OGCAPI community module remains under active development:

• GEOS-10758 OGCAPI - Features - Add storageCrs property for Collections

• GEOS-10888 OGC API styles OpenAPI document points to dangling remote resources

• GEOS-10854 Move the OGC API OpenAPI definitions to the “openapi” resource

• GEOS-10855 Update the new OGC APIs so that the major version number is part of the path

• GEOS-10881 Add Content-Crs header to OGC API

• GEOS-10885 Remove Axis Order from OGC API Header

Andrea (GeoSolutions) has been working towards CITE compliance on behalf of Geonovum.

As a community module GeoServer OGC API is made available to developers for collaboration, and can also be accessed as a nightly build for feedback. If you are in a position to support this activity with time, money or resources please contact Andrea.

Improvements and Fixes

New Feature:

• GEOS-10696 Allow configuration of Output Format types allowed in GetFeature

Improvement:

• GEOS-10735 Obfuscate secret key in S3 Blob Store, avoiding requiring reentry when editing and HTML source visibility

• GEOS-10739 Contact information user interface feedback for welcome message

• GEOS-10740 Service enabled does not respect minimal/custom service names

• GEOS-10750 German Translation Overhaul Part 1

• GEOS-10755 WCS 2.0 module should not use string concatenation to build XML

• GEOS-10762 Allow enabling auto-escaping for WMS GetFeatureInfo HTML templates

• GEOS-10814 Update jdbc config to use consistent SQL formatting

• GEOS-10879 Dispatcher should not respond to non standard HTTP methods

Tasks:

• GEOS-10798 Sphinx site http://sphinx.pocoo.org/ is outdate

For the complete list see 2.23-RC1 release notes.

About GeoServer 2.23 Series

Additional information on GeoServer 2.23 series:

• Drop Java 8
• GUI CSS Cleanup
• Add the possibility to use fixed values in Capabilities for Dimension metadata

Release notes: ( 2.23-RC1 )

A vulnerability has located in the GeoTools Library that allows SQL Injection using OGC Filter and Function expressions.

• CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
• CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)

If you wish to report a security vulnerability, see instructions on responsible reporting. We also welcome your direct financial support.

Assessment

SQL Injection Vulnerabilities have been found with:

• PropertyIsLike filter, when used with a String field and any relational database based Store, or with a PostGIS DataStore with encode functions enabled, or with any image mosaic with an index stored in a relational database.
• strEndsWith function, when used with a PostGIS DataStore with encode functions enabled
• strStartsWith function, when used with a PostGIS DataStore with encode functions enabled
• FeatureId filter, when used with any database table having a String primary key column and when prepared statements are disabled
• jsonArrayContains function, when used with a String or JSON field and with a PostGIS or Oracle DataStore (GeoServer 2.22.0+ only)
• DWithin filter, when used with an Oracle DataStore

Mitigation

We recommend upgrading. The following list of mitigations is addressing some of the issues (e.g., the PropertyIsLike issue has no mitigation for tables with a string field):

1. Disabling the PostGIS Datastore encode functions setting to mitigate strEndsWith, strStartsWith (will cause severe slowdowns in parts of the WMTS multidimensional plugin functionality, if in use).
2. Enabling the PostGIS DataStore preparedStatements setting to mitigate the FeatureId vulnerability.
3. No mitigation is available for PropertyIsLike filter, you may choose to disable database DataStores until you are able to upgrade.
4. No mitigation is available for DWithin with Oracle DataStore, you may choose to disable Oracle DataStores until you are able to upgrade.
5. As a good practice to limit the attack surface, it’s important to give the database account used for connection pools the minimum required level of privileges (e.g., read-only unless WFS-T/importer/REST granule harvesting are used, access limited only to the schemas and tables needed for production usage)

Resolution

Issues:

• GEOT-7302 Escape user inputs in SQL queries
• GEOS-10842 Escape user inputs in SQL queries

• GEOS-10839 Add JDBC Configuration parameter to disable SQL comments and pretty-printing

  A related issue with the community jdbc-config module.

Patched releases:

• GeoServer 2.23.0 scheduled release
• GeoServer 2.22.2 stable release
• GeoServer 2.21.4 maintenance
• GeoServer 2.20.7
• GeoServer 2.19.7
• GeoServer 2.18.7

If you wish to volunteer to backport these fixes to other GeoServer series and make a release co-ordinate on the developers list. If you are not in a position to collaborate reach out to a commercial support provider to act on your behalf.

Thanks to Steve Ikeoka for responsibly reporting and fixing these issues. Thanks to Jody Garnett (GeoCat) for the stable and maintenance releases. Thanks to Andrea Aime (GeoSolutions) for back porting this fix to versions of GeoTools and GeoServer that are otherwise no longer receiving releases.