GeoServer Blog
GeoServer Code Sprint 2016
The GeoServer web administration console is built on top of the Wicket 1.4.x series, which is old and unmaintained. The purpose of the sprint is to update it to Wicket 7.x, the current stable version.
Due to the large distance between the two releases and the number of backwards-incompatible changes accumulated by Wicket over the years, this will require the concerted effort of a handful of developers over a few days, covering both the code changes needed for the upgrade and thorough hand testing of the resulting modified interface.
Victoria British Columbia
The code sprint is planned for the week of January 18th in sunny Victoria, British Columbia. Thanks to Boundless for providing a venue (either the Boundless offices or Fort Techtoria, depending on numbers).
A note on the timing: We were unable to join the Paris Code Sprint 2016 as it is scheduled too close to the GeoServer 2.9 code freeze. This location was selected to reduce travel costs allowing us to run the event with minimal sponsorship.
Participation and Sponsorship
We have the following sponsorship levels available:
- Gold: $1000
- Silver: $500
- Bronze: $250
We are reaching out to international and local sponsors. Contributions will be put towards travel costs for overseas sprinters who would otherwise be unable to attend. Any surplus at the end of the event will be turned over to OSGeo or used for future code sprints.
For more details on participation, sponsorship or budget for the event please see the GeoServer Code Sprint 2016 wiki page.
GeoServer 2.8.1 Released
The GeoServer team is pleased to announce the release of GeoServer 2.8.1. Download bundles are provided (bin, war, dmg and exe) along with documentation and extensions.
GeoServer 2.8.1 is the latest stable release of GeoServer and is recommended for production deployment. This release is made in conjunction with GeoTools 14.1. Thanks to all contributors. Fixes and new functionality include:
- Multidimensional GRIB / NetCDF / NetCDF Output modules promoted to extension
- Fixed query parameters in SLD external graphic
- Fixed legend preview with SLD external graphic
- Fixed multiline labels in PDF WMS request with translation
- Fixed layer preview GML links for app-schema layers
- Fixed JMS clustering to use qualified names for layers, layer groups, and styles
- Avoid catalog linear scans in GWC integration listeners
- Fixed OpenLayers preview with the authkey module enabled
- For a full list, see the release notes
Thanks to Ben Caradoc-Davies (Transient) for this release.
About GeoServer 2.8
Articles, blog posts and presentations:
- State of GeoServer 2015 (FOSS4G)
- XXE Vulnerability (GeoServer)
- Remote Execution Vulnerability (GeoServer)
- Z ordering features within and across feature types and layers (User Manual)
- JAI-Ext, the Open Source replacement for Oracle JAI (GeoSolutions)
- Customizable arrow in GeoServer (GeoSolutions)
- PostGIS Curve Support (GeoSolutions)
- Improved NetCDF/GRIB support in GeoServer (GeoSolutions)
- Initial GeoServer 2.8.0 release announcement (GeoServer)
GeoServer 2.7.4 released
The GeoServer team is happy to announce the release of GeoServer 2.7.4. Download bundles are provided (zip, war, dmg and exe) along with documentation and extensions.
GeoServer 2.7.3 is a maintenance release of GeoServer recommended for production deployment. Thanks to everyone taking part, submitting fixes and new functionality including:
Bug
- [GEOS-3228] - Empty filter causes IndexOutOfBoundsException
- [GEOS-3432] - RESTConfig “styles” list does not get generated if a style is missing its associated sld file
- [GEOS-4986] - Creating SQL Views via RESTConfig as JSON fails
- [GEOS-6768] - externalGraphic with relative path and query parameters problem
- [GEOS-7045] - Layer Security - Catalog Mode
- [GEOS-7243] - Render (or transform) fails on Multipolygon but not on polygon
- [GEOS-7256] - Maven Cobertura plugin does not work
- [GEOS-7259] - JMS based cluster should use qualified names for Layers and Layergroups
- [GEOS-7267] - JMS Clustering should prefix Styles names with workspace
- [GEOS-7295] - OpenLayers preview does not work if authkey community module is enabled
- [GEOS-7302] - Using on the fly meta tiling in WMS request may result in rendered images not being disposed of
- [GEOS-7312] - RawDataPPIO does not close InputStreams it opens
- [GEOS-7314] - GeoTiffPPIO can return the source file of a processed coverage
Improvement
- [GEOS-4762] - WCS should force usage of imageread
- [GEOS-7150] - Features counted twice for WFS queries with GeoJSON responses
For a full list, see the release notes.
Also, as a heads up for Oracle users, the Oracle store no longer ships with the JDBC driver (due to redistribution limitations imposed by Oracle). For details, see the updated Oracle installation instructions here.
Thanks to Alessio Fabiani (GeoSolutions) for this release.
This release is made in conjunction with GeoTools 13.4 and GeoNode 2.4.
Remote Execution Vulnerability
GeoServer has encountered a remote execution vulnerability in the REST API (used for remote administration).
This vulnerability GEOS-7124 is addressed in the following scheduled releases:
- GeoServer 2.8.0 - stable
- GeoServer 2.7.3 - maintenance
- GeoServer 2.6.5 - archived
Thanks to Andrea Aime (GeoSolutions) and Kevin Smith (Boundless) for both fixing this issue and backporting it to the stable and maintenance series.
Users are encouraged to upgrade, keeping in mind that exposure to this issue is limited to scripts using administrator credentials to access the REST API. Accounts making use of gsconfig (Python library) also make use of these facilities.
About Remote Execution
For more information, see the Red Hat security article on remote code execution via serialized data.
Responsible Disclosure
Thanks to Matthias Kaiser for reporting this issue.
If you encounter a security vulnerability in GeoServer (or any other open source software) please take care to report the issue in a responsible fashion:
- Keep exploit details out of the issue report (send them to a developer/PSC member privately, just as you would for sensitive sample data)
- Be prepared to work with Project Steering Committee (PSC) members on a solution
- Keep in mind that PSC members are volunteers and an extensive fix may require fundraising / resources
If you are not in a position to communicate in public (or make use of the issue tracker), please consider commercial support, contacting a PSC member privately, or contacting us via the Open Source Geospatial Foundation at info@osgeo.org.
GeoServer 2.7.3 released
The GeoServer team is happy to announce the release of GeoServer 2.7.3. Download bundles are provided (zip, war, dmg and exe) along with documentation and extensions.
GeoServer 2.7.3 is a maintenance release of GeoServer recommended for production deployment. Thanks to everyone taking part, submitting fixes and new functionality including:
- Further fixes for the XXE vulnerability, along with a fix for a remote code execution vulnerability in the REST API (requires admin credentials to trigger it)
- Some WCS 1.1 and 2.0 fixes
- Some improvements in the management of workspace-specific styles when modifying layer groups with the REST API
- Optimized the size of DBF in the SHAPE-ZIP output format
- A few improvements in the importer, including speeding up import setup by delaying layer bounds computation, and allowing granules to be harvested into an empty mosaic previously set up via the REST API
- For a full list, see the release notes.
Also, as a heads up for Oracle users, the Oracle store no longer ships with the JDBC driver (due to redistribution limitations imposed by Oracle). For details, see the updated Oracle installation instructions here.
Thanks to Andrea (GeoSolutions) and Kevin (Boundless) for this release.