GeoServer 2.20.7 release is available with downloads (bin, war, windows), along with docs and extensions.

This series has previously reached end-of-life, with a release being issued to address an urdent security vulnerability. Please apply this upgrade as a mitigation measure only. Upgrade to 2.22.x series for community support.

Thanks to Andrea Aime (GeoSolutions) for making this update available on behalf of the GeoNode project.

This release was made in conjunction with GeoTools 26.7.

Security Considerations

This release addresses a security vulnerability and is considered an essential upgrade for production systems:

• CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
• CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)

For more information see OGC Filter Injection Vulnerability Statement.

• GEOT-7302 Escape user inputs in SQL queries
• GEOS-10842 JDBCConfig: escape user inputs in SQL queries
• GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing

2024-06-30 Update: The following mitigation has been provided:

• CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)

  geoserver-2.20.7-patches.zip (replacing gt-app-schema, gt-complex and gt-xsd-core jars) has been provided by Andrea (GeoSolutions)

See project security policy for more information on how security vulnerabilities are managed.

Improvements and Fixes

For the full list of fixes and improvements, see 2.20.7 release notes.

About GeoServer 2.20

Additional information on GeoServer 2.20 series:

• Log4J2 zero day vulnerability assessment
• Internationalization of title and abstract
• State of GeoServer 2.20 edition
• Windows Installer

Release notes: ( 2.20.7 | 2.20.6 | 2.20.5 | 2.20.4 | 2.20.3 | 2.20.2 | 2.20.1 | 2.20.0 | 2.20-RC )

GeoServer 2.19.7 release is now available with downloads (bin, war, windows), along with docs and extensions.

This series has previously reached end-of-life, with an extra maintenance release being issued to address an urgent security vulnerability. Please apply this upgrade as a mitigation measure only. Upgrade to 2.22.x series for community support.

Thanks to Andrea Aime (GeoSolutions) for making this update available on behalf of GeoSolutions customers.

This release was made in conjunction with GeoTools 25.7.

Security Considerations

This release addresses a security vulnerability and is considered an essential upgrade for production systems:

• CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
• CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)

For more information see OGC Filter Injection Vulnerability Statement.

• GEOT-7302 Escape user inputs in SQL queries
• GEOS-10842 JDBCConfig: escape user inputs in SQL queries
• GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing

Improvements and Fixes

For more information see 2.19.7 release notes.

About GeoServer 2.19

Additional information on GeoServer 2.19 series:

• Jiffle and GeoTools RCE vulnerabilities
• Log4J2 zero day vulnerability assessment
• WMS GetFeatureInfo includes labels from ColorMap
• Promote WMTS multidim to extension
• Promote WPS-Download to extension
• Promote params-extractor to extension
• Promote GWC-S3 to extension
• Promote WPS-JDBC to extension status
• Promote MapML to extension status
• GeoServer repository transition to main branch

Release notes ( 2.19.7 | 2.19.6 | 2.19.5 | 2.19.4 | 2.19.3 | 2.19.2 | 2.19.1 | 2.19.0 | 2.19-RC )

GeoServer 2.18.7 release is now available with downloads (bin, war, windows), along with docs and extensions.

This series has previously reached end-of-life, with an extra maintenance release being issued to address an urgent security vulnerability. Please apply this upgrade as a mitigation measure only. Upgrade to 2.22.x series for community support.

Thanks to Andrea Aime (GeoSolutions) for making this update available on behalf of GeoSolutions customers.

This release was made in conjunction with GeoTools 24.7.

Security Considerations

This release addresses a security vulnerability and is considered an essential upgrade for production systems:

• CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
• CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)

For more information see OGC Filter Injection Vulnerability Statement.

• GEOT-7302 Escape user inputs in SQL queries
• GEOS-10842 JDBCConfig: escape user inputs in SQL queries
• GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing

Improvements and Fixes

For more information see 2.18.7 release notes.

About GeoServer 2.18

Additional information on GeoServer 2.18 series:

• Jiffle and GeoTools RCE vulnerabilities
• Log4J2 zero day vulnerability assessment
• State of GeoServer 2.18 (slides)

• GeoServer Orientation (slides

  video)

Release Notes ( 2.18.7 | 2.18.6 | 2.18.5 | 2.18.4 | 2.18.3 | 2.18.2 | 2.18.1 | 2.18.0 | 2.18-RC )

GeoServer 2.22.1 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of the GeoServer 2.22.x series, made in conjunction with GeoTools 28.1 and GeoWebCache 1.22.0.

Thanks to Ian Turton (Astun Technology) for making this release.

Bugs

• GEOS-10632 Make sure GetLegendGraphics honors the WMS memory service limits
• GEOS-10704 Task Manager Metadata wrong gs-metadata dependency
• GEOS-10753 GeoServer can create GML output that is not valid XML
• GEOS-10757 CITE: WMS
• GEOS-10770 Support list of audiences (aud) when validating Oauth 2.0 Bearer Tokens
• GEOS-10794 Add a new vector data source (Web Feature Server (NG)) Filter compliance level bug
• GEOS-10807 LayerGroup with nested group POST rest op fails with null styles attribute
• GEOS-10809 Keycloak : add support for usernames with spaces
• GEOS-10813 jdbc config cache bug
• GEOS-10817 Features Templating - XML HTML output doesn’t escape all html and xml symbols
• GEOS-10818 Schemaless Property Accessor returns emptylist instead of null for null/not existing properties
• GEOS-10829 JDBC Config missing some nested layer properties

Improvement

• GEOS-10673 Add example of using FlatGeobuf granules to the Vector Mosaic documentation
• GEOS-10746 STAC Sortables should be a subset of the configured queryables
• GEOS-10755 WCS 2.0 module should not use string concatenation to build XML
• GEOS-10762 Allow enabling auto-escaping for WMS GetFeatureInfo HTML templates
• GEOS-10773 Enable localized MapML responses that use WMS language parameter
• GEOS-10777 Update MapML viewer to latest release
• GEOS-10790 Allow to control map transparency in DownloadMapProcess
• GEOS-10810 Enable internationalized layer label / MapML document title
• GEOS-10814 Update jdbc config to use consistent SQL formatting
• GEOS-10816 OGC API Features complex features test fails since introduction of tag in HTML templates
• GEOS-10827 Document property selection in image mosaic

New Feature

• GEOS-10716 Build schema for simple feature types leveraging column descriptions, when available
• GEOS-10758 OGCAPI - Features - Add storageCrs property for Collections

Task

• GEOS-10775 Update xmlunit to 1.6
• GEOS-10778 Retire GeoStyler community module
• GEOS-10812 Update Jettison to 1.5.3

For complete information see 2.22.1 release notes.

About GeoServer 2.22

Additional information on GeoServer 2.22 series:

• Update Instructions
• Metadata extension
• CSW ISO Metadata extension
• State of GeoServer (FOSS4G Presentation)
• GeoServer Beginner Workshop (FOSS4G Workshop)
• Welcome page (User Guide)

Release notes: ( 2.22.1 | 2.22.0 | 2.22-RC | 2.22-M0 )

GeoServer 2.21.3 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a maintenance release of the GeoServer 2.21.x series, made in conjunction with GeoTools 27.3 and GeoWebCache 1.21.3.

Thanks to Andrea Aime (GeoSolutions) and Jody Garnett (GeoCat) for making this release.

Notables changes

Among the many changes included in this release, we’d like to point out:

• Ability to report PostgreSQL column comments in WFS DescribeFeatureType output (needs a store flag to enable).
• Ability to turn on and off GetFeature output formats, much like the existing WMS controls over GetMap/GetFeatureInfo output formats.
• Fixed concurrent edit of users, roles and data access rules thorough the REST API.
• Fixed database connection leak while editing SQL views in the GUI.

Release notes

Bug:

• GEOS-4727 Editing SQL views seems to be leaking connections

• GEOS-10632 Make sure GetLegendGraphics honors the WMS memory service limits

• GEOS-10667 WFS: inconsistent srsDimension=4 with topp:tasmania_roads layer

• GEOS-10707 GeoFence internal LayerGroup Limit merge inconsistency

• GEOS-10710 Features Templating backward mapping with back xpath (’../my/property/name’) doesn’t work

• GEOS-10714 DefaultGeoServerFacade throws ConcurrentModificationException for workspace settings and services

• GEOS-10729 Concurrent access on data access rules (authorization) can lead to loss of configured catalog mode, and lost rules

• GEOS-10731 GWC variable Parameterization does not work with geoserver-environment.properties due to the bean initialization order

• GEOS-10736 OSEO product creation via REST API fails if the product id starts with a valid ISO date

• GEOS-10737 GeoCSS misses support for labelInFeatureInfo and labelAttributeName vendor options

• GEOS-10741 Remove deprecated YUI usage

• GEOS-10753 GeoServer can create GML output that is not valid XML

• GEOS-10757 CITE: WMS

• GEOS-10809 Keycloak : add support for usernames with spaces

• GEOS-10782 CITE WFS 1.1 - HITS mimetype is incorrect

• GEOS-10783 CITE WFS 1.1 - Check customized feature type to determine if transform wrapper needed

• GEOS-10784 CITE WFS 1.1 - don’t do illegal geometry conversions

• GEOS-10785 CITE WFS 1.1 - Data Dir - allow anonymous users to modify data

Improvement:

• GEOS-10606 Generate html notice and license information for release assemblies

• GEOS-10673 Add example of using FlatGeobuf granules to the Vector Mosaic documentation

• GEOS-10696 Allow configuration of Output Format types allowed in GetFeature

• GEOS-10717 XStreamServiceLoader performance improvement with XstreamPersister caching

• GEOS-10718 [OIDC] the OIDC plugin does not currently take into account the id_token_hint parameter

• GEOS-10735 Obfuscate secret key in S3 Blob Store, avoiding requiring reentry when editing and HTML source visibility

• GEOS-10746 STAC Sortables should be a subset of the configured queryables

• GEOS-10755 WCS 2.0 module should not use string concatenation to build XML

• GEOS-10762 Allow enabling auto-escaping for WMS GetFeatureInfo HTML templates

• GEOS-10773 Enable localized MapML responses that use WMS language parameter

• GEOS-10777 Update MapML viewer to latest release

• GEOS-10790 Allow to control map transparency in DownloadMapProcess

• GEOS-10810 Enable internationalized layer label / MapML document title

New Feature:

• GEOS-10716 Build schema for simple feature types leveraging column descriptions, when available

• GEOS-10734 SpatialJSON WFS output format community module

• GEOS-10758 OGCAPI - Features - Add storageCrs property for Collections

Task:

• GEOS-10721 Bump jettison from 1.4.1 to 1.5.1

• GEOS-10775 Update xmlunit to 1.6

See also the 2.21.3 release notes.

About GeoServer 2.21

Additional information on GeoServer 2.21 series:

• Feature Type Customization
• Add Styles support to LayerGroup
• Log4j1 update or replace activity

Release notes: ( 2.21.3 | 2.21.2 | 2.21.1 | 2.21.0 | 2.21-RC )