GeoServer Blog

GeoServer 2.9.2 Released

The GeoServer team is pleased to announce the release of GeoServer 2.9.2. Download bundles are provided (binwardmg and exe) along with documentation and extensions.

This is a stable release of GeoServer suitable for production systems. This release is made in conjunction with GeoTools 15.2 and GeoWebCache 1.9.2. We extend our thanks to all contributors for making this release possible.

Highlights of this release include:

  • The macOS DMG is now signed by the Open Source Geospatial Foundation. This work done by Larry Shaffer and the system admin committee improves the Mac install experience. For macOS 10.12 Apple has asked that all applications to be from the App Store (sigh) or signed by identified developers. Using the OSGeo certificate to sign our application geoserver-macos-10-12

  • Style icons can now be referenced by URL in both the global styles folder and workspace styles folders.

  • WMTS improved with both a web admin page and “virtual service” support providing a WMTS for each workspace.

  • The INSPIRE extension now supports WMTS capabilities document. Upon installation of the INSPIRE extension the INSPIRE WMTS grid is now available.

  • Embedded GeoWebCache now supports mbtiles based tile storage.

  • Improvements to image mosaic documentation with more examples.

  • Support for “JPEG or PNG “output format, dynamically choosing the best format based on image transparency

  • Lots of bug fixes (check the release notes for details)

For more information about GeoServer 2.9.2 refer to release notes (2.9.2 2.9.1 2.9.0  RC1  beta2  beta  M0 ).

Security Considerations

This release addresses two security vulnerabilities:

  • The default data directory now includes security restrictions on WFS-T functionality (restricting editing of data to the administrator account). This has the effect of making the service read-only by default, while still advertising we are a compliant WFS-T implementation. If you have an existing GeoServer deployment which you wish to be read-only your can configure security settings as described, or set the WFS service level to “basic”. geoserver-read-only

  • Aaron Waddell reported an XXE vulnerability in the GeoTools library which has been resolved (and is used by GeoServer). We encourage all users to upgrade to GeoServer 2.9.2 at this time. Please note that there are no additional releases of GeoServer 2.8 scheduled - now is the time to upgrade.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

About GeoServer 2.9

Articles, docs, blog posts and presentations:

Read More

GeoServer 2.10-beta released

We are happy to announce the release of GeoServer 2.10-beta. Downloads are available (zip, war, dmg and exe) along with docs and extensions.

This is a beta release of GeoServer made in conjunction with GeoTools 16-beta.

Beta Testing

The GeoServer Team has been hard at work to bring you this beta release.

Here is our priorities for testing:

We one crititcal known issues to keep in mind when testing:

  • GEOS-7750 - The WMS and LegendSample beans used in GeoServerTileLayer may provoke a cyclic dependency when Spring beans are loaded. As a consequence tiled layers may not be loaded and are deleted by GWC integration. Please back up your data and configuration before testing the GeoServer 2.10-beta with data you care about.

Highlights from the release notes:

  • Add CSS nested rule support

  • Add CSS rendering transform support

  • Add WMTS multi dimensional community module

  • Add WCS 2.0 Demo Requests

  • OL3 Preview in tiled mode supports map wrapping

  • Make JDBCStore compatible with HazelCast Clustering

  • Changes to WMS GetFeatureInfo for coverages:

    • Band names now presented in responses as NCNames for all info_formats (spaces and leading digits replaced with underscores)

    • Support for continuous map wrapping for latitude/longitude projections

    • Support for coverages with native latitude/longitude coordinates and longitudes > 180 degrees East

Also, looking at the GeoTools 16-M0 release notes, we have:

  • Support Azimuthal Equidistant projection

  • Implement Vladimir’s Polygon label point algorithim

  • GeoPackage can write to boolean fields

For more information about the what is included in the GeoServer 2.10 release, also refer to the GeoServer 2.10-M0 release anouncement.

##

About GeoServer 2.10

GeoServer 2.10 is scheduled for October release.

Read More

GeoServer 2.10-M0 Released

We are happy to announce the release of GeoServer 2.10-M0. Downloads are available (zip, war, dmg and exe) along with docs and extensions.

This is a milestone release of GeoServer made in conjunction with GeoTools 16-M0.

We have both new features and a number of key “under the hood” changes to GeoServer. This technology preview is made available for your evaluation and feedback and is not intended for production.

Highlights from the release notes:

  • Resource Browser (ResourceStore GUI)

  • LDAP UserGroupService

  • Add WMTS web admin page

  • Allow WMTS service requests per workspace (virtual service)

  • Allow the Wicket UI to show a Server Busy page when updating the configuration instead of locking the server

  • Control over execution time separate to total queuing and execution time

  • Fix Windows exe installer failure to start GeoServer

  • Can’t delete Default Cached Gridsets

  • Add support for dynamically choosing jpeg or png compression based on output contents

Also, looking at the GeoTools 16-M0 release notes, we have:

  • Upgrade to NetCDF-Java 4.6.6, including support for NetCDF rotated pole projection

  • Allows ImagePyramid supporting multiple Coverages

  • The old wfs module has now been replaced with the wfs-ng module

Security Considerations

This release includes several security enhancements (which are also included in the recent GeoServer 2.8.5 and 2.9.1 releases

  • Although we have not been able to reproduce from GeoServer, a remote execution vulnerability has been reported against both the Restlet  and the Apache Commons BeanUtils libraries we use. We have patched our use of these libraries as a preventative measure. We would like to thank Kevin Smith for doing the bulk of the work, and Andrea Aime for providing a patched BeanUtils library addressing these vulnerabilities.

  • Layer security restrictions in CHALLENGE mode were not being correctly applied by embedded GeoWebCache. Thanks to Nick Muerdter for his responsible report of this vulnerability and for submitting a fix (that included a unit test!)

  • Carl Schroedl reported a vulnerability at application startup when working with a data directory on a network file system, a new configuration option has been provided to check that the directory exists.  Thanks to Carl for following our responsible disclosure procedure, and to Ben Caradoc-Davies for implementing the new parameter.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

Style Page

The GeoServer Style page has been upgraded to include several features from the CSS Styles page (part of the CSS extension). The new GeoServer style page includes:

  • Updated Style Page layout

  • Style - Layer Association editor

  • Layer Preview

  • Layer Attribute Preview

About GeoServer 2.10

GeoServer 2.10 is scheduled for October release.

Read More

GeoServer 2.8.5 Released

The GeoServer team is pleased to announce the release of GeoServer 2.8.5. Download bundles are provided (binwardmg and exe) along with documentation and extensions.

GeoServer 2.8.5 is the final maintenance release of the 2.8.x series. This release is made by Ben Caradoc-Davies (Transient) in conjunction with GeoTools 14.5 and GeoWebCache 1.8.3. We thank the many contributors who have made this release possible.

The GeoServer 2.8.5 release notes detail the changes in this release. These include:

  • Fixes for WFS editing failing for geometries in full 3D CRS

  • ColorMap variable substitution now working correctly for multiple layers in a GetMap request

  • Fixed a missing JNA jar in the netcdf-out plugin

  • KML placemarks now being set correctly when KMSCORE=0

  • Support for multivalued xlink:href ClientProperty in app-schema mappings, even without feature chaining

  • Support requiring files to exist for GeoServer startup, to protect against insecure fallback when a data directory on a network share is unavailable

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems:

  • Although we have not been able to reproduce from GeoServer, a remote execution vulnerability has been reported against both the Restlet  and the Apache Commons BeanUtils libraries we use. We have patched our use of these libraries as a preventative measure. We would like to thank Kevin Smith for doing the bulk of the work, and Andrea Aime for providing a patched BeanUtils library addressing these vulnerabilities.

  • Layer security restrictions in CHALLENGE mode were not being correctly applied by embedded GeoWebCache. Thanks to Nick Muerdter for his responsible report of this vulnerability and for submitting a fix (that included a unit test!)

  • Carl Schroedl reported a vulnerability at application startup when working with a data directory on a network file system, a new configuration option has been provided to check that the directory exists.  Thanks to Carl for following our responsible disclosure procedure, and to Ben Caradoc-Davies for implementing the new parameter.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

About GeoServer 2.8

Read More

GeoServer 2.9.1 Released

The GeoServer team is pleased to announce the release of GeoServer 2.9.1. Download bundles are provided (binwardmg and exe) along with documentation and extensions.

GeoServer 2.9.1 is the latest stable release of GeoServer and is recommended for production deployment. This release is made in conjunction with GeoTools 15.1 and GeoWebCache 1.9.1. Thanks to all contributors. Fixes and new functionality include:

  • Fixes for WFS editing failing for geometries in full 3D CRS

  • ColorMap variable substitution now working correctly for multiple layers in a GetMap request

  • PDF printing fixed to properly render SLD “shape://horline” symbol, prevent invalid polygon generation, out of memory errors, and large file generation.

  • Integrated GeoFence DB path is now set correctly in Windows.

  • KML placemarks now being set correctly when KMSCORE=0

  • Support for rotated pole projection NetCDF and GRIB2 files, including the native GRIB2 file format used by the NOAA Rapid Refresh (RAPv3) weather forecast model

  • Support for multivalued xlink:href ClientProperty in app-schema mappings

  • Support requiring files to exist for GeoServer startup, to protect against insecure fallback when a data directory on a network share is unavailable

  • And much more, see all the tickets resolved in the release notes

This release has been made by Devon Tucker (Boundless) with help and encouragement from the GeoServer community.

Security Considerations

This release includes several security enhancements and is a recommended upgrade for production systems:

  • Although we have not been able to reproduce from GeoServer, a remote execution vulnerability has been reported against both the Restlet  and the Apache Commons BeanUtils libraries we use. We have patched our use of these libraries as a preventative measure. We would like to thank Kevin Smith for doing the bulk of the work, and Andrea Aime for providing a patched BeanUtils library addressing these vulnerabilities.

  • Layer security restrictions in CHALLENGE mode were not being correctly applied by embedded GeoWebCache. Thanks to Nick Muerdter for his responsible report of this vulnerability and for submitting a fix (that included a unit test!)

  • Carl Schroedl reported a vulnerability at application startup when working with a data directory on a network file system, a new configuration option has been provided to check that the directory exists.  Thanks to Carl for following our responsible disclosure procedure, and to Ben Caradoc-Davies for implementing the new parameter.

If you wish to report a security vulnerability, please visit our website for instructions on responsible reporting.

About GeoServer 2.9

Articles, docs, blog posts and presentations:

Read More