The GeoServer team are happy to announce GeoServer 2.19.4 release is available for download (zip and war) along with docs and extensions.

This GeoServer 2.19.4 release was produced in conjunction with GeoTools 25.4 and GeoWebCache 1.19.2, this is a maintenance release recommended for production systems.

Thanks to everyone who contributed, and to Andrea Aime (GeoSolutions) for making this release.

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems:

• GeoServer uses the earlier log4j1 library and is not subject to the Log4j2 remote code execution vulnerabilities reported worldwide. For a detailed discussion please read GeoServer Log4J2 zero day vulnerability assessment.

  The release of GeoServer includes a patched version of log4j1 which does not include any remote loggers or socket communication.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

Improvements and Fixes

Bug

• GEOS-10337 Harden importer against failed imports, make failures more evident

• GEOS-10322 JDBCConfig community module does not deal with stale connections to the database

• GEOS-10300 The map preview logs errors when using AUTO codes

• GEOS-10299 The reprojection console does not work with AUTO codes

• GEOS-10292 Changing worker pool size in raster access is not actually applied (silent error)

• GEOS-10289 GeoServer busy for 1 hour on reloading a 50000 shapefiles Directory datastore

• GEOS-10281 GeoServer log level not picked up with Catalog reload

• GEOS-10249 GWC produce NPE when it comes to race condition

Improvement

• GEOS-10328 Expire completed and stale importer contexts

• GEOS-10321 WCS 2.0 might fail to return coverages whose native BBOX goes slighly outside of the dateline

• GEOS-10315 Features Templating - Allow injecting JSON-LD output in HTML

• GEOS-10314 Features Templating - allow specifying root @type in the JSON-LD output and a different name for features array

GEOS-9904 GeoFence backend DBMS dependencies

Task

• GEOS-10335 Update GeoServer to a log4j version that does not support RCEs

• GEOS-10269 Overriding JSON Object while Merging Feature Templates

• GEOS-10268 Null Support in Features Templating

About GeoServer 2.19

Additional information on GeoServer 2.19 series:

• Log4J2 zero day vulnerability assessment
• WMS GetFeatureInfo includes labels from ColorMap
• Promote WMTS multidim to extension
• Promote WPS-Download to extension
• Promote params-extractor to extension
• Promote GWC-S3 to extension
• Promote WPS-JDBC to extension status
• Promote MapML to extension status
• GeoServer repository transition to main branch

Release notes ( 2.19.3 | 2.19.2| 2.19.1 | 2.19.0 | 2.19-RC )

The Java world has been taken by storm, last week, by the Log4J2 Log4Shell vulnerability, code CVE-2021-44228, which allows remote code execution by simply making API calls to the vulnerable servers. The understanding of the vulnerability is still evolving and the reports are being updated, we are monitoring them closely and adapting as needed. The following information is based on our current understanding of the vulnerability and will be updated as new information is released.

Let us state this clearly: GeoServer, following our own investigation, as well as our understanding of the reported vulnerability, is not vulnerable to CVE-2021-44228 since it does not use Log4J2!

In more detail, GeoServer uses Log4J 1.2.17 and it is crucial to understand that Log4J and Log4J2 are not the same library: the 2 is in the name, it is not just a version number, Log4J2 is a full rewrite of Log4J. As a consequence GeoServer is not vulnerable in the same way reported in CVE-2021-44228: our current understanding is that it cannot be made to perform a remote code execution by simply crafting an appropriate HTTP request.

However, Log4J 1.2 has smaller vulnerabilities, which may trigger when loading the configuration files. It happens if the attacker manages to:

• Get write access to the GeoServer log configuration files.
• Set up in them a new JMSAppender configuration, in which the TopicConnectionFactoryBindingName or TopicBindingName point to a remote server providing malicious classes.
• Force GeoServer to reload the logging configuration.

Log4J 1.2.17 is also vulnerable to CVE-2019-17571. This is even narrower than the issue above, as the SocketServer class needs to be run from the command line explicitly.

That said, It is important to note that GeoServer default configuration is not vulnerable to these and the attacker would need to go and modify the logging configuration files in order to trigger it.

Checking for vulnerabilities

How to check if your server is vulnerable:

• Check the log configuration files, make sure there is no JMSAppender.
• Make sure that no one outside of your organization can get write access to the logging configuration files, e.g.:
  • No one outside your organization has admin access to GeoServer. The REST API allows writing in the data directory using the resource endpoint, and if the web resource extension is installed, admins will also be allowed to edit the files via the GUI.
  • No one outside your organization has console access to the server (e.g, SSH, terminal services), and if they do, they don’t have write permission to the GeoServer configuration files.

Threat elimination

The GeoServer project has released a sanitized version of the Log4J 1.2.17 library, which simply does not include the classes involved in vulnerabilities CVE-2021-44228 and CVE-2019-17571. This library is also usable with older versions of GeoServer.

The file is available in our Nexus repository. Simply remove the existing log4j-1.2.17.jar and drop in the new log4j-1.2.17.norce.jar in the geoserver/webapps/WEB-INF/lib folder, and then restart tomcat.

We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and are actively looking for funding to perform an upgrade to more recent versions of them. All new logging libraries have a different API and a different configuration file layout, with potential backwards compatibility issues, so this will be likely done on newer versions of GeoServer (2.21.x).

We are happy to announce GeoServer 2.20.1 release is available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of the 2.20.x series recommended for production systems. This release was made in conjunction with GeoTools 26.1.

Windows installer

We are pleased to announce the return of the GeoServer windows installer.

Windows installer in action

Thanks to Sander and the GeoCat team for completing this work on behalf of the GeoServer PSC, everyone on the user list who helped test, and Stefan Overkamp for supplying screen snaps for the documentation.

Reference:

• Windows Installer (User Guide)

Improvements and Fixes

New Feature

• GEOS-10228 Wrap the category text values of a legend

Improvements:

• GEOS-10298 OpenSearch REST management API: allow creation of products via PUT
• GEOS-10265 WFS-T Bulk Transaction optimization
• GEOS-10268 Null Support in Features Templating

Fixes:

• GEOS-10299 Reprojection console can now work with AUTO codes
• GEOS-10292 Fixed issue changing worker pool size in raster access
• GEOS-10289 Improve Shapefile Directory performance when working with a huge number of files
• GEOS-10282 GeoServer translations files incorrectly decoded assuming UTF-8 causing translation files like GeoServerApplication_de.properties leading characters represented as question marks
• GEOS-10281 GeoServer log level was not being picked up with during Catalog reload
• GEOS-10277 Add a special keyword for semi-colon as a CSV Separator in WFS request
• GEOS-10273 GeofenceAccesManager index out of bound issue when requesting nested layerGroups

Community Updates

For developers building from source, our community modules are a great place to collaborate on functionality and improvements.

• GEOS-10301 The ogc-api community module resolved conflicting woodstax parser preventing editing of SLD styles

About GeoServer 2.20

Additional information on GeoServer 2.20 series:

• Internationalization of title and abstract
• State of GeoServer 2.20 edition
• Windows Installer
• Release notes: 2.20.1, 2.20.0, 2.20-RC

GeoServer 2.19.3 Released

The GeoServer team are happy to announce GeoServer 2.19.3 release is available for download (zip and war) along with docs and extensions.

This GeoServer 2.19.3 release was produced in conjunction with GeoTools 25.3, this is a maintenance release recommended for production systems.

Thanks to everyone who contributed, and to Ian Turton (Astun Technology) for making this release.

Improvements and Fixes

Bug

• [GEOS-9937] - Name of styles with colons are incorrect in REST API
• [GEOS-10072] - WMS dimension default values and nearest match can pollute caches (in GWC and beyond)
• [GEOS-10132] - Deadlock at org.geotools.xsd.XSD.getSchema
• [GEOS-10133] - Connecting to WMS Service via Http Proxy
• [GEOS-10158] - POST request -> j_spring_security_check is in http plain even if proxy base url is in https
• [GEOS-10161] - Smart data loader missing PostgreSQL type in DomainModelBuilder
• [GEOS-10162] - GeoServerOAuthAuthenticationFilter creates Anonymous authentication when preAuthenticated principal is not present
• [GEOS-10173] - CoverageViewReader’s format not being secured with Geofence-Geoserver
• [GEOS-10188] - Features templating when deleting a templateInfo all the template contents will be deleted
• [GEOS-10193] - Indirect imports will drop the target table if there is any failure during the import process
• [GEOS-10198] - Features Templating - TemplateRuleService save rule bug
• [GEOS-10200] - GetLegendGraphic can fail if SCALE removes all rules
• [GEOS-10208] - Broken link in DDS/BIL community plugin documentation
• [GEOS-10213] - WMS requests fail on LayerGroup default style names, when used in GetMap/GetFeatureInfo/GetLegendGraphics
• [GEOS-10215] - Layers nested inside a group maintain their prefix even in workspace specific services
• [GEOS-10227] - Features Templating - Included templates are not reloaded on file modifications
• [GEOS-10266] - Features Templating makes getfeatureinfo fail for raster data
• [GEOS-10273] - GeofenceAccesManager throws index out of bound when requesting nested layerGroups

New Feature

• [GEOS-10063] - Add XML templating support to features-templating community plug-in
• [GEOS-10118] - Features templating add include directive in xml templates
• [GEOS-10153] - Features templating UI
• [GEOS-10154] - Feature templating - Add HTML template support
• [GEOS-10165] - Features templating add Rest API
• [GEOS-10166] - Features templating - Add CQL profile field in template rule UI
• [GEOS-10217] - Features templating add GetFeatureInfo support

Improvement

• [GEOS-10080] - Features-templating allows the possibility to reference domain attribute in templates
• [GEOS-10081] - Features-templating allow the encoding of xml attribute in nodes encoded from a Static or Dynamic builder
• [GEOS-10119] - Features templating add managed support and allow simplified templates structure
• [GEOS-10172] - Add support for GeoPackage output in WPS download
• [GEOS-10194] - Improve importer LOGGING
• [GEOS-10265] - WFS-T Bulk Transaction optimization

For details check the 2.19.3 release notes.

About GeoServer 2.19

Additional information on GeoServer 2.19 series:

• WMS GetFeatureInfo includes labels from ColorMap
• Promote WMTS multidim to extension
• Promote WPS-Download to extension
• Promote params-extractor to extension
• Promote GWC-S3 to extension
• Promote WPS-JDBC to extension status
• Promote MapML to extension status
• GeoServer repository transition to main branch

Release notes ( 2.19.3 | 2.19.2| 2.19.1 | 2.19.0 | 2.19-RC )

We are happy to announce GeoServer 2.20.0 is available for download (bin, war, windows) along with docs and extensions.

This the first stable release of the 2.20.x series and recommended for production systems. This release is made in made in conjunction with GeoTools 26.0 and GeoWebCache 1.20.0.

Internationalization

The leading feature for this release is the internationalization of Title, Abstract and Contact details for:

• WMS 1.1 and 1.3
• WFS 2.0
• WCS 2.0

See documentation for internationalization support and GSIP-203 proposal for details.

New feature:

• GEOS-10123 Internationalization for title and abstract
• GEOS-10207 Allow creation of internationalized raster legends
• GEOS-10190 i18n support for Contact Information
• GEOS-10185 LayerGroup legend internationalization styles returns multiple values
• GEOS-10177 Allow Default Translation
• GEOS-10129 Add language function for multilingual support in sld

Improvements and fixes:

• GEOS-10205 Layer with i18n title might appear twice in the capabilities, while being contained in a named tree
• GEOS-10204 Default locale is not being used while producing internationalized outputs in Capabilities document
• GEOS-10160 Requested Language in GetCapabilities

Modules Status Information for Extensions

Thanks to Ian for completing a [long outstanding request][https://osgeo-org.atlassian.net/browse/GEOS-10067] to provide listing everything you have installed:

• The Server Status page now provides a complete list of the loaded modules and extensions
• This extension list can also be checked via REST API (allowing scripts to check if the functionality they require has been installed)

New Feature:

• GEOS-10067 Implement module status in extensions (GISP-143)

Improvements and fixes:

• GEOS-9967 Add Module Status implementation for CSW Extension

Updates and quality assurance

GeoServer continues to be build with the latest open source technologies:

• GeoTools 26-RC
• GeoWebCache 1.20-RC
• JAI-EXT 1.1.20
• ImageIO-EXT 1.3.10
• JTS 1.18.2
• GeoFence 3.5.0
• Flatgeobuf to 3.10.1

The team continues to work with automated code checks, gradually improving the codebase and introducing checks to ensure issues are not re-introduced over time:

• Check system.out.println and printStackTrace statements are not accidentally committed, which can add to logs
• Cognitive complexity checks, start cleaning up methods that are too complex
• Use StandardCharsets when possible, rather than String
• Avoid unnecessary object wrapper creation
• Use short arrays initializers
• Work towards consistent style with checks to avoid C style array declarations, add missing @Override annotations, and check java generics are used

This dedication helps provide confidence in the technology we publish.

WMS

Fixes and improvements:

• GEOS-4939 Coordinate system ISSUE - S-JTSK Krovak East North (EPSG: 5514) - cannot be set up
• GEOS-10032 Group Layer in Catalog Mode Hide not in capabilities when unauthenticated
• GEOS-10013 Mark invalid error while validating or saving a Style
• GEOS-9907 Enable usage of labelPoint function in GetFeatureInfo requests
• GEOS-9759 Set Response Cache Headers in LayerGroups

The following functionality has been removed:

• GEOS-10001 Remove animator and animated GIF support from WMS

  Use of WPS Animation process is provided as an alternative

WFS

Fixes and improvements:

• GEOS-10222 WFS CSV OutputFormat delimiter

WPS

Fixes and improvements:

• GEOS-9990 Add GUI and REST API to configure the wps-download module
• GEOS-10073 WPS animation download process should report about eventual time mis-matches

WMTS

Improvements and fixes:

• GEOS-10008 Have GeoServerTileLayer implementing TileJSONProvider
• GEOS-9971 GeoWebCache S3 plugin require AWS creds

INSPIRE Extension

New feature:

• GEOS-10124 Add Language support to INSPIRE extension

Improvements and fixes:

• GEOS-10211 Unable to pass INSPIRE validation: Version is mandatory (WMS)
• GEOS-10192 Inspire extension consistent outputResponse element
• GEOS-10141 Inspire extension better error message on language not found
• GEOS-10163 Incorrect INSPIRE namespace URI

And more!

Fixes and Improvements:

• GEOS-10092 Fix the page description of remote WMS/WMTS connection
• GEOS-10189 I18n improvement using the UTF-8 charset for Chinese translations
• GEOS-10033 Geoserver startup and shutdown shell scripts don’t handle path with spaces
• GEOS-9381 Conversion from boolean true/false in geoserver to SQL Server bit 0/1, is broken
• GEOS-9970 MapML GetFeature bug fix for CRS authority
• GEOS-10201 Geoserver fails to start on Windows 11 beta
• GEOS-10264 Address startup warning File option not set for appender [geoserverlogfile]
• GEOS-9950 MapPreviewPage logs unable to find property: format.wfs.text/csv continuously
• GEOS-10265 WFS-T Bulk Transaction optimization

About GeoServer 2.20

Additional information on GeoServer 2.20 series:

• Internationalization of title and abstract
• State of GeoServer 2.20 edition
• Release notes: 2.20.0, 2.20-RC