GeoServer Blog

GeoServer XEE Vulnerability

GeoServer has encountered an XML External Entity (XEE) vulnerability permitting unauthenticated read access to files on the server.

This vulnerability (GEOS-7032) is addressed in the following releases, and we strongly encourage all users to upgrade:

Thanks to Ben Caradoc-Davies (Transient Software) for the maintenance release along with Jody Garnett (Boundless) and Andrea Aime (GeoSolutions) for the unscheduled patch releases provided above.

If you are running an earlier version of GeoServer and would like to generate a patch release please contact one of our commercial support providers, or join us on geoserver-devel to volunteer.

About XEE

For more information on XEE see the OWASP articles on XML External Entity Processing and XML External Entity Attack, provided to geoserver-devel by Johannes Kröger.
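As an added illustration of the mitigation (this is not GeoServer's own code), the JAXP parser configuration hardened along the lines of the OWASP guidance is shown beside the JDK default, exercised on a constructed WFS-style request that carries a DOCTYPE; the request text and class names are assumptions made for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class HardenedXmlParsing {

    // Constructed sample: an OGC-style request carrying a DOCTYPE with an internal
    // entity. OGC requests never legitimately need a DOCTYPE, so its presence alone
    // is a reasonable reason to refuse the document.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE GetFeature [ <!ENTITY demo \"constructed\"> ]>\n"
      + "<GetFeature service=\"WFS\" version=\"1.1.0\">&demo;</GetFeature>";

    /** Factory left at the JAXP defaults: DOCTYPE and entity expansion are allowed. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Factory hardened so that external entities can never be resolved. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE declaration outright closes the whole class of entity attacks.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that must tolerate a DOCTYPE: no external entities, no external DTD.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** Returns true if the factory's parser accepted the document, false if it rejected it. */
    static boolean parses(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser accepts DOCTYPE:  " + parses(defaultFactory(), SAMPLE_WITH_DOCTYPE));
        System.out.println("hardened parser accepts DOCTYPE: " + parses(hardenedFactory(), SAMPLE_WITH_DOCTYPE));
    }
}
```

The default factory parses the sample, while the hardened one raises a parse error on the DOCTYPE line, which is the behaviour a request handler should rely on rather than inspecting entity names itself.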

Responsible Disclosure

If you encounter a security vulnerability in GeoServer, or any other open source software, please take care to report the issue in a responsible fashion:

  • Keep exploit details out of the issue report (send them to a developer or PSC member privately, just as you would for sensitive sample data)

  • Be prepared to work with Project Steering Committee (PSC) members on a solution

  • Keep in mind PSC members are volunteers and an extensive fix may require fundraising / resources

If you are not in a position to communicate in public (or to make use of the issue tracker), please consider commercial support, contacting a PSC member privately, or contacting us via the Open Source Geospatial Foundation at info@osgeo.org.

We will be revising the GeoServer Developers Guide in the coming days to clarify this process.

GeoServer 2.6.4 Released

The GeoServer team is pleased to announce the release of GeoServer 2.6.4. Download bundles are provided (bin, war, dmg and exe) along with documentation and extensions.

GeoServer 2.6.4 is a maintenance release of GeoServer recommended for production deployment. This release contains IMPORTANT SECURITY FIXES, so please upgrade.

Thanks to everyone who took part by contributing fixes, new functionality, and documentation. Notable changes:

Thanks to Ben Caradoc-Davies (Transient Software Limited) for this release. Thanks also to Kevin Smith (Boundless) for releasing GeoWebCache 1.6.2 and to Jody Garnett (Boundless) for building the GeoServer 2.6.4 DMG.

About GeoServer 2.6

Articles and resources for GeoServer 2.6 series:

GeoServer 2.8-M0 Released

We are happy to announce the release of GeoServer 2.8-M0. Downloads are available (zip, war, dmg and exe) along with docs and extensions.

This is a milestone release of GeoServer made in conjunction with GeoTools 14-M0.

We have both new features and a number of key “under the hood” changes to GeoServer. This technology preview is made available for your evaluation and feedback and is not intended for production.

Highlights from the release notes:

  • JAI-Ext integration for geospatial-specific image processing operations (github), adding direct support for NODATA in raster sources

  • Replacement of vecmath with EJML matrix library

  • Importer improvements, gdalwarp/gdal_translate/gdaladdo transformations and the ability to add a granule to a mosaic

  • Read/write PostGIS curve support

  • GetMap support for by-layer interpolation methods

  • Stop shipping old Oracle JDBC driver

  • Pretty print option for style REST API

  • Allow environment variables to be used in freemarker template files

Also, looking at the GeoTools 14-M0 release notes, we have:

  • Significant increase in GML 3.X encoding speed

  • New projections supported: sinusoidal, gnomonic

  • New extshape://arrow with parameters controlling its proportions

Thanks to Jody (Boundless) for pulling this release together.

About GeoServer 2.8

GeoServer 2.8 is scheduled for release in September. For more information:

We will add additional blog posts to this section as news is made available.

GeoServer 2.7.1 Released

The GeoServer team is happy to announce the release of GeoServer 2.7.1. Download bundles are provided (zip, war, dmg and exe) along with documentation and extensions.

GeoServer 2.7.1 is a stable release of GeoServer recommended for production deployment. Thanks to everyone who took part, submitting fixes and new functionality, including:

  • Add WMS GetMap support for by-layer interpolation methods

  • Allow use of environment variables from various sources in FTL (FreeMarker) template files

  • Allow CQL expressions in ColorMapEntry for GetLegendGraphic

  • This release is made in conjunction with GeoTools 13.1 and GeoWebCache 1.7.1

  • For a full list, see the release notes.

Thanks to Kevin (Boundless) and Torben (Boundless) for this release.

The Windows executable installer should now be available. Sorry about the broken link.

GeoServer 2.6.3 released

The GeoServer team is happy to announce the release of GeoServer 2.6.3. Download bundles are provided (zip, war, dmg and exe) along with documentation and extensions.

GeoServer 2.6.3 is a maintenance release of GeoServer recommended for production deployment. Thanks to everyone who took part, submitting fixes and new functionality:

  • The WPS download community module is now available on the 2.6.x branch too

  • Some WPS fixes related to requests not including the response form

  • Fixed a layer naming regression that prevented names that are not valid XML from being used for coverages (care in naming is still advised; different protocols have different requirements, so check the ones you are using)

  • Some WFS 2.0 join related fixes

  • Speed up generation of JSON files when the native CRS is EPSG:900913

  • Avoid leaks of commons-httpclient pools (which in turn can lead to a native thread leak)

  • Check the release notes for more details

  • This release is made in conjunction with GeoTools 12.3

Thanks to Andrea (GeoSolutions) and Jody (Boundless) for this release.

About GeoServer 2.6

Articles and resources for GeoServer 2.6 series:
