GeoServer Blog
GeoServer 2.21.4 Release
GeoServer 2.21.4 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a maintenance release of the GeoServer 2.21.x series, made in conjunction with GeoTools 27.4 and GeoWebCache 1.21.4.
Thanks to Jody Garnett (GeoCat) for making this release.
Security Considerations
This release addresses a security vulnerability and is considered an essential upgrade for production systems:
- CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
- CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
For more information see OGC Filter Injection Vulnerability Statement.
- GEOT-7302 Escape user inputs in SQL queries
- GEOS-10842 JDBCConfig: escape user inputs in SQL queries
- GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing
2024-06-30 Update: The following mitigation has been provided:
-
CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)
geoserver-2.21.4-patches.zip (replacing
gt-app-schema,gt-complexandgt-xsd-corejars) has been provided by Andrea (GeoSolutions)
See project security policy for more information on how security vulnerabilities are managed.
Community Modules
The JDBC Config module received several important fixes:
-
GEOS-10814 Update jdbc config to use consistent SQL formatting
-
GEOS-10813 jdbc config cache bug
-
GEOS-10829 JDBC Config missing some nested layer properties
-
GEOS-10842 JDBCConfig: escape user inputs in SQL queries
Release notes
Bug:
-
GEOS-7506 shutdown.bat cannot run without JAVA_HOME set
-
GEOS-10683 FileWrapperResourceTheoryTest fails on Windows since Java 11
-
GEOS-10689 OSHISystemInfoCollector holds non daemon threads, prevents clean shutdown of Tomcat
-
GEOS-10807 LayerGroup with nested group POST rest op fails with null styles attribute
-
GEOS-10817 Features Templating - XML HTML output doesn’t escape all html and xml symbols
-
GEOS-10818 Schemaless Property Accessor returns emptylist instead of null for null/not existing properties
-
GEOS-10846 Enable auto-escaping for REST HTML templates
Improvement:
-
GEOS-10816 OGC API Features complex features test fails since introduction of tag in HTML templates
-
GEOS-10848 Column remarks documentation should be updated to reflect that functionality is supported with JNDI
-
GEOS-10851 GWC S3 Blobstore Parameters Get Converted back to plain text after an application restart
For complete information see 2.21.4 release notes.
About GeoServer 2.21
Additional information on GeoServer 2.21 series:
Release notes: ( 2.21.4 | 2.21.3 | 2.21.2 | 2.21.1 | 2.21.0 | 2.21-RC )
GeoServer 2.20.7 Released
GeoServer 2.20.7 release is available with downloads (bin, war, windows), along with docs and extensions.
This series has previously reached end-of-life, with a release being issued to address an urdent security vulnerability. Please apply this upgrade as a mitigation measure only. Upgrade to 2.22.x series for community support.
Thanks to Andrea Aime (GeoSolutions) for making this update available on behalf of the GeoNode project.
This release was made in conjunction with GeoTools 26.7.
Security Considerations
This release addresses a security vulnerability and is considered an essential upgrade for production systems:
- CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
- CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
For more information see OGC Filter Injection Vulnerability Statement.
- GEOT-7302 Escape user inputs in SQL queries
- GEOS-10842 JDBCConfig: escape user inputs in SQL queries
- GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing
2024-06-30 Update: The following mitigation has been provided:
-
CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)
geoserver-2.20.7-patches.zip (replacing
gt-app-schema,gt-complexandgt-xsd-corejars) has been provided by Andrea (GeoSolutions)
See project security policy for more information on how security vulnerabilities are managed.
Improvements and Fixes
For the full list of fixes and improvements, see 2.20.7 release notes.
About GeoServer 2.20
Additional information on GeoServer 2.20 series:
- Log4J2 zero day vulnerability assessment
- Internationalization of title and abstract
- State of GeoServer 2.20 edition
- Windows Installer
Release notes: ( 2.20.7 | 2.20.6 | 2.20.5 | 2.20.4 | 2.20.3 | 2.20.2 | 2.20.1 | 2.20.0 | 2.20-RC )
GeoServer 2.19.7 Released
GeoServer 2.19.7 release is now available with downloads (bin, war, windows), along with docs and extensions.
This series has previously reached end-of-life, with an extra maintenance release being issued to address an urgent security vulnerability. Please apply this upgrade as a mitigation measure only. Upgrade to 2.22.x series for community support.
Thanks to Andrea Aime (GeoSolutions) for making this update available on behalf of GeoSolutions customers.
This release was made in conjunction with GeoTools 25.7.
Security Considerations
This release addresses a security vulnerability and is considered an essential upgrade for production systems:
- CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
- CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
For more information see OGC Filter Injection Vulnerability Statement.
- GEOT-7302 Escape user inputs in SQL queries
- GEOS-10842 JDBCConfig: escape user inputs in SQL queries
- GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing
Improvements and Fixes
For more information see 2.19.7 release notes.
About GeoServer 2.19
Additional information on GeoServer 2.19 series:
- Jiffle and GeoTools RCE vulnerabilities
- Log4J2 zero day vulnerability assessment
- WMS GetFeatureInfo includes labels from ColorMap
- Promote WMTS multidim to extension
- Promote WPS-Download to extension
- Promote params-extractor to extension
- Promote GWC-S3 to extension
- Promote WPS-JDBC to extension status
- Promote MapML to extension status
- GeoServer repository transition to main branch
Release notes ( 2.19.7 | 2.19.6 | 2.19.5 | 2.19.4 | 2.19.3 | 2.19.2 | 2.19.1 | 2.19.0 | 2.19-RC )
GeoServer 2.18.7 Released
GeoServer 2.18.7 release is now available with downloads (bin, war, windows), along with docs and extensions.
This series has previously reached end-of-life, with an extra maintenance release being issued to address an urgent security vulnerability. Please apply this upgrade as a mitigation measure only. Upgrade to 2.22.x series for community support.
Thanks to Andrea Aime (GeoSolutions) for making this update available on behalf of GeoSolutions customers.
This release was made in conjunction with GeoTools 24.7.
Security Considerations
This release addresses a security vulnerability and is considered an essential upgrade for production systems:
- CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
- CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)
For more information see OGC Filter Injection Vulnerability Statement.
- GEOT-7302 Escape user inputs in SQL queries
- GEOS-10842 JDBCConfig: escape user inputs in SQL queries
- GEOS-10839 JDBCConfig: add JDBC Configuration parameter to disable SQL comments and pretty-printing
Improvements and Fixes
For more information see 2.18.7 release notes.
About GeoServer 2.18
Additional information on GeoServer 2.18 series:
- Jiffle and GeoTools RCE vulnerabilities
- Log4J2 zero day vulnerability assessment
- State of GeoServer 2.18 (slides)
-
GeoServer Orientation (slides video)
Release Notes ( 2.18.7 | 2.18.6 | 2.18.5 | 2.18.4 | 2.18.3 | 2.18.2 | 2.18.1 | 2.18.0 | 2.18-RC )
GeoServer 2.22.1 Release
GeoServer 2.22.1 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a stable release of the GeoServer 2.22.x series, made in conjunction with GeoTools 28.1 and GeoWebCache 1.22.0.
Thanks to Ian Turton (Astun Technology) for making this release.
Bugs
- GEOS-10632 Make sure GetLegendGraphics honors the WMS memory service limits
- GEOS-10704 Task Manager Metadata wrong gs-metadata dependency
- GEOS-10753 GeoServer can create GML output that is not valid XML
- GEOS-10757 CITE: WMS
- GEOS-10770 Support list of audiences (aud) when validating Oauth 2.0 Bearer Tokens
- GEOS-10794 Add a new vector data source (Web Feature Server (NG)) Filter compliance level bug
- GEOS-10807 LayerGroup with nested group POST rest op fails with null styles attribute
- GEOS-10809 Keycloak : add support for usernames with spaces
- GEOS-10813 jdbc config cache bug
- GEOS-10817 Features Templating - XML HTML output doesn’t escape all html and xml symbols
- GEOS-10818 Schemaless Property Accessor returns emptylist instead of null for null/not existing properties
- GEOS-10829 JDBC Config missing some nested layer properties
Improvement
- GEOS-10673 Add example of using FlatGeobuf granules to the Vector Mosaic documentation
- GEOS-10746 STAC Sortables should be a subset of the configured queryables
- GEOS-10755 WCS 2.0 module should not use string concatenation to build XML
- GEOS-10762 Allow enabling auto-escaping for WMS GetFeatureInfo HTML templates
- GEOS-10773 Enable localized MapML responses that use WMS language parameter
- GEOS-10777 Update MapML viewer to latest release
- GEOS-10790 Allow to control map transparency in DownloadMapProcess
- GEOS-10810 Enable internationalized layer label / MapML document title
- GEOS-10814 Update jdbc config to use consistent SQL formatting
- GEOS-10816 OGC API Features complex features test fails since introduction of tag in HTML templates
- GEOS-10827 Document property selection in image mosaic
New Feature
- GEOS-10716 Build schema for simple feature types leveraging column descriptions, when available
- GEOS-10758 OGCAPI - Features - Add storageCrs property for Collections
Task
- GEOS-10775 Update xmlunit to 1.6
- GEOS-10778 Retire GeoStyler community module
- GEOS-10812 Update Jettison to 1.5.3
For complete information see 2.22.1 release notes.
About GeoServer 2.22
Additional information on GeoServer 2.22 series:
- Update Instructions
- Metadata extension
- CSW ISO Metadata extension
- State of GeoServer (FOSS4G Presentation)
- GeoServer Beginner Workshop (FOSS4G Workshop)
- Welcome page (User Guide)
Tutorials
- Powerful SLD Styles & Filters in GeoServer
- Using Logical Operators in GeoServer Filters
- Exploring CQL/ECQL Filtering in GeoServer
- Using Spatial Operators in GeoServer Filters
- Using Value Comparison Operators in GeoServer Filters
- Using Binary Comparison Operators in GeoServer Filters
- Utilizing the Demo Section in Geoserver
- How to Implement Basic Security in Geoserver
- How to create Tile Layers with GeoServer
- How to style layers using GeoServer and QGIS
Atom feed