GeoServer Blog

GeoServer 2.6.5 Released

The GeoServer team is pleased to announce the release of GeoServer 2.6.5. Download bundles are provided (binwardmg and exe) along with documentation and extensions.

GeoServer 2.6.5 is a maintenance release of GeoServer recommended for production deployment.

This is the last release of the GeoServer 2.6 series. Migrate to GeoServer 2.7 series for the latest stable release.

Thanks to everyone who took part by contributing fixes, new functionality, and documentation. Notable changes:

  • Update the 2.6.4 XXE Security fix to allow OWS POST in JBOSS

  • Can now seed layers with styles assigned to workspaces

  • Raster to vector transformation with re-projection using NetCDF as data store

  • Improvements to the GeoServer GDAL documentation for Windows

  • Fix LDAP Example in the documentation

  • Check the release notes for more details

  • This release is made in conjunction with GeoTools 12.5 and GeoWebCache 1.6.3

Thanks to Torben Barsballe (Boundless) or this release. Thanks also to Kevin Smith (Boundless) for releasing GeoWebCache 1.6.3 and to Dave Kelsey (Boundless) for fixing the GeoServer OS X build.

About GeoServer 2.6

Articles and resources for GeoServer 2.6 series:

Read More

GeoServer 2.8-beta released

We are happy to announce the release of GeoServer 2.8-beta. Downloads are available (zipwardmg and exe) along with docs and extensions.

GeoServer 2.8 has a wide range of new features, behind the scenes changes, and a several of important security updates. This is beta release of GeoServer made in conjunction with GeoTools 14-beta.

This beta release is made available for collaboration with our user list (and is not intended for production). The beta release marks the of a feature freeze, we appreciate any and all testing during this period as we prepare for a September release.

New capabilities:

Fixes and improvements:

  • Significant increase in GML 3.X encoding speed

  • Pretty print option for style REST API

  • Allow environment variables to be used in freemarker template files

  • GeoWebCache parameter filters can now be set via GUI

  • INSPIRE metadata entry is now more forgiving and can be entered on a layer by layer basis

  • Fix for XXE security vulnerability has been revised and now functions in a JBoss environment

  • Faster startup for installations with large number of Oracle layers

  • The CSV output format can now handle WFS GetFeature join results (will transparently flatten the joined features)

Internal changes:

  • JAI-Ext integration for geospatial specific image processing operations, adding direct support for NODATA in raster sources. Disabled by default, needs to be enabled using a system variable.

  • Replacement of vecmath with EJML matrix library

  • Due to license restrictions the oracle extension no longer includes an Oracle JDBC driver, see the user guide for manual install instructions.

Community update:

  • We would like to welcome Stefano Costa (GeoSolutions) as a new committer!

  • Developers guide refresh covering release cycle, updating PSC members, and fixing tutorials

  • Responsible disclosure expectations covered on the website and user guide

See release notes for more information.

Thanks to Jody (Boundless) for publishing this beta, and the entire GeoServer team for an enormous effort bringing this release together.

About GeoServer 2.8

GeoServer 2.8 is scheduled for September release. For more information:

For additional details see the 2.8-beta and 2.8-M0 release notes.

New Community Modules

In addition to the formal GeoServer 2.8 release our code base has a community area for ideas an experimentation:

  • WCS and WPS output formats based on gdal_translate to provide a greater range of output formats

  • Embedded GeoFence server, REST API and GUI is the result of a productive collaboration between GeoSolutions and Boundless offering greater rule-based control of GeoServer security

  • MongoDB DataStore enabling GeoServer to publish from this popular JSON based document database (no zip packaging, needs volunteer)

Community modules should be considered a work-in-progress and are subject to quality assurance, documentation IP checks and a maintainer before being considered ready for release.

Read More

GeoServer 2.7.2 released

The GeoServer team is happy to announce the release of GeoServer 2.7.2. Download bundles are provided (zipwardmg and exe)  along with documentation and extensions.

GeoServer 2.7.2 is a stable release of GeoServer recommended for production deployment. Thanks to everyone taking part, submitting fixes and new functionality including:

  • Importer raster improvements, added support for GDAL based file optimization when importing rasters, also, it is now possible to add add granules to a mosaic (and optimize them with GDAL in the process)

  • Importer vector improvements, now one can import data into non JDBC data stores too

  • Some improvements in the documentation on using GDAL based data sources in Windows

  • More tweaks on the XXE vulnerability fixes (we left it open just enough not to break OGC compliance)

  • Properly rendering GeoTiff files with flipped Y axis

  • Making sure WPS really stops answering requests when not enabled

  • Improvements in NetCDF handling of reprojected requests

  • For a full list, see the release notes.

Also, as a heads up for Oracle users, the Oracle store does not ship anymore with the JDBC driver (due to redistribution limitations imposed by Oracle). For details see the updated the oracle installation instructions here.

Thanks to Andrea (GeoSolutions) and Kevin (Boundless) for this release.

Read More

GeoServer XEE Vulnerability

GeoServer has encountered an XML External Entity (XEE) vulnerability permitting an unauthenticated read access to server files.

This vulnerability GEOS-7032 is addressed in the following releases and we strongly encourage all users to upgrade:

Thanks to Ben Caradoc-Davies (Transient Software) for the maintenance release along with Jody Garnett (Boundless) and Andrea Aime (GeoSolutions) for the unscheduled patch releases provided above.

If you are running an earlier version of GeoServer and would like to generate a patch release please contact one of our commercial support providers, or join us on geoserver-devel to volunteer.

About XEE

For more information on XEE see owasp articles on XML External Entity Processing and XML External Entity Attack provided to geoserver-devel by Johannes Kröger.

Responsible Disclosure

If you encounter a security vulnerability in GeoServer, or any other open source software, please take care to report the issue in a responsible fashion:

  • Keep exploit details out of issue report (send to developer/PSC privately - just like you would do for sensitive sample data)

  • Be prepared to work with Project Steering Committee (PSC) members on a solution

  • Keep in mind PSC members are volunteers and an extensive fix may require fundraising / resources

If you are not in position to communicate in public (or make use of the issue tracker) please consider commercial support, contacting a PSC member privately or contacting us via the Open Source Geospatial Foundation at info@osgeo.org.

We will be revising the GeoServer Developers Guide to clarify in the coming days.

Read More

GeoServer 2.6.4 Released

The GeoServer team is pleased to announce the release of GeoServer 2.6.4. Download bundles are provided (binwardmg and exe) along with documentation and extensions.

GeoServer 2.6.4 is a maintenance release of GeoServer recommended for production deployment. This release contains IMPORTANT SECURITY FIXES so please upgrade.

Thanks to everyone who took part by contributing fixes, new functionality, and documentation. Notable changes:

Thanks to Ben Caradoc-Davies (Transient Software Limited) for this release. Thanks also to Kevin Smith (Boundless) for releasing GeoWebCache 1.6.2 and to Jody Garnett (Boundless) for building the GeoServer 2.6.4 DMG.

About GeoServer 2.6

Articles and resources for GeoServer 2.6 series:

Read More