We are happy to announce the release of GeoServer 2.10-M0. Downloads are available (zip, war, dmg and exe) along with docs and extensions.

This is a milestone release of GeoServer made in conjunction with GeoTools 16-M0.

We have both new features and a number of key “under the hood” changes to GeoServer. This technology preview is made available for your evaluation and feedback and is not intended for production.

Highlights from the release notes:

• Resource Browser (ResourceStore GUI)

• LDAP UserGroupService

• Add WMTS web admin page

• Allow WMTS service requests per workspace (virtual service)

• Allow the Wicket UI to show a Server Busy page when updating the configuration instead of locking the server

• Control over execution time separate to total queuing and execution time

• Fix Windows exe installer failure to start GeoServer

• Can’t delete Default Cached Gridsets

• Add support for dynamically choosing jpeg or png compression based on output contents

Also, looking at the GeoTools 16-M0 release notes, we have:

• Upgrade to NetCDF-Java 4.6.6, including support for NetCDF rotated pole projection

• Allows ImagePyramid supporting multiple Coverages

• The old wfs module has now been replaced with the wfs-ng module

Security Considerations

This release includes several security enhancements (which are also included in the recent GeoServer 2.8.5 and 2.9.1 releases

• Although we have not been able to reproduce from GeoServer, a remote execution vulnerability has been reported against both the Restlet  and the Apache Commons BeanUtils libraries we use. We have patched our use of these libraries as a preventative measure. We would like to thank Kevin Smith for doing the bulk of the work, and Andrea Aime for providing a patched BeanUtils library addressing these vulnerabilities.

• Layer security restrictions in CHALLENGE mode were not being correctly applied by embedded GeoWebCache. Thanks to Nick Muerdter for his responsible report of this vulnerability and for submitting a fix (that included a unit test!)

• Carl Schroedl reported a vulnerability at application startup when working with a data directory on a network file system, a new configuration option has been provided to check that the directory exists.  Thanks to Carl for following our responsible disclosure procedure, and to Ben Caradoc-Davies for implementing the new parameter.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

Style Page

The GeoServer Style page has been upgraded to include several features from the CSS Styles page (part of the CSS extension). The new GeoServer style page includes:

• Updated Style Page layout

• Style - Layer Association editor

• Layer Preview

• Layer Attribute Preview

About GeoServer 2.10

GeoServer 2.10 is scheduled for October release.

The GeoServer team is pleased to announce the release of GeoServer 2.8.5. Download bundles are provided (bin, war, dmg and exe) along with documentation and extensions.

GeoServer 2.8.5 is the final maintenance release of the 2.8.x series. This release is made by Ben Caradoc-Davies (Transient) in conjunction with GeoTools 14.5 and GeoWebCache 1.8.3. We thank the many contributors who have made this release possible.

The GeoServer 2.8.5 release notes detail the changes in this release. These include:

• Fixes for WFS editing failing for geometries in full 3D CRS

• ColorMap variable substitution now working correctly for multiple layers in a GetMap request

• Fixed a missing JNA jar in the netcdf-out plugin

• KML placemarks now being set correctly when KMSCORE=0

• Support for multivalued xlink:href ClientProperty in app-schema mappings, even without feature chaining

• Support requiring files to exist for GeoServer startup, to protect against insecure fallback when a data directory on a network share is unavailable

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems:

• Although we have not been able to reproduce from GeoServer, a remote execution vulnerability has been reported against both the Restlet  and the Apache Commons BeanUtils libraries we use. We have patched our use of these libraries as a preventative measure. We would like to thank Kevin Smith for doing the bulk of the work, and Andrea Aime for providing a patched BeanUtils library addressing these vulnerabilities.

• Layer security restrictions in CHALLENGE mode were not being correctly applied by embedded GeoWebCache. Thanks to Nick Muerdter for his responsible report of this vulnerability and for submitting a fix (that included a unit test!)

• Carl Schroedl reported a vulnerability at application startup when working with a data directory on a network file system, a new configuration option has been provided to check that the directory exists.  Thanks to Carl for following our responsible disclosure procedure, and to Ben Caradoc-Davies for implementing the new parameter.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

About GeoServer 2.8

• State of GeoServer 2015 (FOSS4G)

• XEE Vunerability (GeoServer)

• Remote Execution Vulnerability (GeoServer)

• Z ordering features within and across feature types and layers (User Manual)

• JAI-Ext, the Open Source replacement for Oracle JAI (GeoSolutions)

• Customizable arrow in GeoServer (GeoSolutions)

• PostGIS Curve Support (GeoSolutions)

• Improved NetCDF/GRIB support in GeoServer (GeoSolutions)

• Initial GeoServer 2.8.0 release announcement  (GeoServer)

The GeoServer team is pleased to announce the release of GeoServer 2.9.1. Download bundles are provided (bin, war, dmg and exe) along with documentation and extensions.

GeoServer 2.9.1 is the latest stable release of GeoServer and is recommended for production deployment. This release is made in conjunction with GeoTools 15.1 and GeoWebCache 1.9.1. Thanks to all contributors. Fixes and new functionality include:

• Fixes for WFS editing failing for geometries in full 3D CRS

• ColorMap variable substitution now working correctly for multiple layers in a GetMap request

• PDF printing fixed to properly render SLD “shape://horline” symbol, prevent invalid polygon generation, out of memory errors, and large file generation.

• Integrated GeoFence DB path is now set correctly in Windows.

• KML placemarks now being set correctly when KMSCORE=0

• Support for rotated pole projection NetCDF and GRIB2 files, including the native GRIB2 file format used by the NOAA Rapid Refresh (RAPv3) weather forecast model

• Support for multivalued xlink:href ClientProperty in app-schema mappings

• Support requiring files to exist for GeoServer startup, to protect against insecure fallback when a data directory on a network share is unavailable

• And much more, see all the tickets resolved in the release notes

This release has been made by Devon Tucker (Boundless) with help and encouragement from the GeoServer community.

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems:

• Although we have not been able to reproduce from GeoServer, a remote execution vulnerability has been reported against both the Restlet  and the Apache Commons BeanUtils libraries we use. We have patched our use of these libraries as a preventative measure. We would like to thank Kevin Smith for doing the bulk of the work, and Andrea Aime for providing a patched BeanUtils library addressing these vulnerabilities.

• Layer security restrictions in CHALLENGE mode were not being correctly applied by embedded GeoWebCache. Thanks to Nick Muerdter for his responsible report of this vulnerability and for submitting a fix (that included a unit test!)

• Carl Schroedl reported a vulnerability at application startup when working with a data directory on a network file system, a new configuration option has been provided to check that the directory exists.  Thanks to Carl for following our responsible disclosure procedure, and to Ben Caradoc-Davies for implementing the new parameter.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

About GeoServer 2.9

Articles, docs, blog posts and presentations:

• Lots of goodies in the original 2.9.0 announcement (GeoServer Blog)

• Results of our Bug Stomp Mini Code Sprint in July (GeoServer blog)

• Internals upgrade to spring-4 for Java 8 compatibility (User Guide)

• GeoServer code sprint success and wicket migration code sprint (GeoServer Blog)

• GeoServer Plugin for QGIS (Boundless)

• Simplify complex feature mappings setup with HALE (GeoSolutions)

• REST management of Resources (User Guide)

Dear Readers,

A few words to report on the results of the Online GeoServer Bug Stomp that took place on the 22nd of July 2016.

The goal, as indicated, was to look at GeoServer and GeoServer JIRA and clean old, useless reports as well as to fix as many bugs as possible within the day of the sprint. Well, the results are not bad, as the image below shows.

Numbers are as follow:

• Improvements closed **103 **(9 fixed - remainder failed to attract budget/interest after quite some time)

• Bugs closed **35 **(25 fixed - followed by 6 won’t fix, 3 cannot reproduce, 1 not a bug )

• New Feature **14 **(2 fixed - with 12 not a bug)

• Task **9 **(2 fixed - with 7 not a bug)

• Wish **2 **(not a bug)

• Subtask 1

• TOTAL 164

You can check the live report here:

• Thanks to everybody who participated (a list of the participating people can be found in this spreadsheet).

• As noted above many new features/improvements/wishes were quite old and had failed to attract budget/volunteers

• The not-a-bug category is used for ideas or conversations which are best taken to the developers or users list for discussion

• Not shown is the review of incoming issues to see which issues are ready to be worked on, or held back for further clarification before they can be reproduced.

If you did not participate this month don’t worry, we are going to have this event again on August 27-28th as part of the foss4g post-sprint. Remember, we want to make this event a periodic gathering so keep following this blog for news.

Happy GeoServer to everybody!

Dear Readers,

a quick post to spread the word about the Online GeoServer Bug Stomp which will take place this Friday, the 22nd of July 2016.

Developers as well as users from the GeoServer community will gather online to spend up to a full day (in their timezone) on tasks like:

• Reviewing JIRA Reports to make sure they are valid

• Fix bugs as we come across them

• Improved docs

• Test and report new bugs or close existing reports

The rules of engagement as well as a first rough list of participants can be found in this document; the event is an online gathering, people will be working from their place coordinating using the GeoServer Gitter channel with whomever will be online in their timezone.

If you feel like helping don’t be scared, jump onboard, read the rules of engagement say hi on the gitter channel (github login required) and help us make GeoServer even better.

If you cannot, don’t worry, we are going to try and make this event a monthly event.

Happy GeoServer to everybody!