GeoServer 2.22.5 release is now available with downloads ( bin, war, windows) , along with docs and extensions.

This is a maintenance release of GeoServer providing existing installations with minor updates and bug fixes. GeoServer 2.22.5 is made in conjunction with GeoTools 28.5, and GeoWebCache 1.22.5.

Thanks to Peter Smythe (AfriGIS) for making this release.

2023-09-05 update: GeoServer 2.22.5 has been recompiled and uploaded to SourceForge. The initial upload was accidentally compiled with Java 11 and would not function in a Java 8 environment.

Thanks to Jody Garnett (GeoCat) for this update, and Steve Ikeoka for testing in a Java 8 environment.

Java 8 End-of-life

This GeoServer 2.22.5 maintenance release is final scheduled release of GeoServer 2.22.x series, and thus the last providing Java 8 support.

All future releases will require a minimum of Java 11.

Security Considerations

This release addresses security vulnerabilities and is considered an essential upgrade for production systems.

• CVE-2023-43795 WPS Server Side Request Forgery
• CVE-2023-41339 Unsecured WMS dynamic styling sld=url parameter affords blind unauthenticated SSRF

See project security policy for more information on how security vulnerabilities are managed.

Release notes

Improvement:

• GEOS-10856 geoserver monitor plugin - scaling troubles
• GEOS-11048 Improve URL checking
• GEOS-11081 Add option to disable GetFeatureInfo transforming raster layers
• GEOS-11099 ElasticSearch DataStore Documentation Update for RESPONSE_BUFFER_LIMIT
• GEOS-11100 Add opacity parameter to the layer definitions in WPS-Download download maps

Bug:

• GEOS-10874 Log4J: Windows binary zip release file with log4j-1.2.14.jar
• GEOS-10875 Disk Quota JDBC password shown in plaintext
• GEOS-10901 GetCapabilities lists the same style multiple times when used as both a default and alternate style
• GEOS-10903 WMS filtering with Filter 2.0 fails
• GEOS-10932 csw-iso: should only add ‘xsi:nil = false’ attribute
• GEOS-11025 projection parameter takes no effect on MongoDB Schemaless features WFS requests
• GEOS-11035 Enabling OSEO from Workspace Edit Page Results in an NPE
• GEOS-11054 NullPointerException creating layer with REST, along with attribute list
• GEOS-11055 Multiple layers against the same ES document type conflict with each other
• GEOS-11069 Layer configuration page doesn’t work for broken SQL views

Task:

• GEOS-11062 Upgrade httpclient from 4.5.13 to 4.5.14
• GEOS-11063 Upgrade httpcore from 4.4.10 to 4.4.16
• GEOS-11067 Upgrade wiremock to 2.35.0
• GEOS-11092 acme-ldap.jar is compiled with Java 8

For the complete list see 2.22.5 release notes.

About GeoServer 2.22 Series

Additional information on GeoServer 2.22 series:

• GeoServer 2.22 User Manual
• Update Instructions
• Metadata extension
• CSW ISO Metadata extension
• State of GeoServer (FOSS4G Presentation)
• GeoServer Beginner Workshop (FOSS4G Workshop)
• Welcome page (User Guide)

Release notes: ( 2.22.5 | 2.22.4 | 2.22.3 | 2.22.2 | 2.22.1 | 2.22.0 | 2.22-RC | 2.22-M0 )

GeoServer 2.23.2 release is now available with downloads ( bin, war, windows) , along with docs and extensions.

This is a stable release of GeoServer recommended production use. GeoServer is made in conjunction with GeoTools 29.2, and GeoWebCache 1.23.1.

Thanks to Ian Turton for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered an essential upgrade for production systems.

• CVE-2023-43795 WPS Server Side Request Forgery
• CVE-2023-41339 Unsecured WMS dynamic styling sld=url parameter affords blind unauthenticated SSRF
• CVE-2024-23643 Stored Cross-Site Scripting (XSS) vulnerability in GWC Seed Form (Moderate).

2024-06-30 Update: The following mitigation has been provided:

• CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)

  geoserver-2.23.2-patches.zip (replacing gt-app-schema, gt-complex and gt-xsd-core jars) has been provided by Andrea (GeoSolutions)

See project security policy for more information on how security vulnerabilities are managed.

New Security > URL Checks page

This release adds a new Check URL facility under the Security menu. This allows administrators to manage OGC Service use of external resources.

For information and examples on how to use the URL Check page, visit user guide documentation.

• GEOS-10949 URL checks for remote resources accessed by GeoServer
• GSIP 218 - Control remote HTTP requests sent by GeoTools \ GeoServer

Release notes

New Feature:

• GEOS-10949 Control remote resources accessed by GeoServer
• GEOS-10992 Make GWC UI for disk quota expose HSQLDB, remove H2, automatically update existing installations

Improvement:

• GEOS-10973 DWITHIN delegation to mongoDB
• GEOS-11048 Improve URL checking

Bug:

• GEOS-10874 Log4J: Windows binary zip release file with log4j-1.2.14.jar
• GEOS-10875 Disk Quota JDBC password shown in plaintext
• GEOS-10901 GetCapabilities lists the same style multiple times when used as both a default and alternate style
• GEOS-10903 WMS filtering with Filter 2.0 fails
• GEOS-10906 Authentication not sent if connection pooling activated
• GEOS-10932 csw-iso: should only add ‘xsi:nil = false’ attribute
• GEOS-10936 YSLD and OGC API modules are incompatible
• GEOS-10964 Support virtual services for OSEO/STAC
• GEOS-10980 CSS extension lacks ASM JARs as of 2.23.0, stops rendering layer when style references a file
• GEOS-10981 Slow CSW GetRecords requests with JDBC Configuration
• GEOS-10982 Wicket bug when trying to add new Vector Attribute (build 2.23 on Tomcat/Windows)
• GEOS-10993 Disabled resources can cause incorrect CSW GetRecords response
• GEOS-10994 OOM due to too many dimensions when range requested
• GEOS-10997 GetCapabilities broken when using Data Security Layer groups
• GEOS-10998 LayerGroupContainmentCache is being rebuilt on each ApplicationEvent
• GEOS-11015 geopackage wfs output builds up tmp files over time
• GEOS-11024 metadata: add datetime field type to feature catalog
• GEOS-11025 projection parameter takes no effect on MongoDB Schemaless features WFS requests
• GEOS-11026 ClassNotFoundException: org.h2.driver on shutdown
• GEOS-11033 WCS DescribeCoverage ReferencedEnvelope with null crs
• GEOS-11035 Enabling OSEO from Workspace Edit Page Results in an NPE
• GEOS-11036 The OAuth2/OIDC security filters do not work as expected anymore after the spring-security-core depencency update to 5.7.8
• GEOS-11046 Styles using the custom mark shape://dot don’t draw any fill
• GEOS-11054 NullPointerException creating layer with REST, along with attribute list
• GEOS-11055 Multiple layers against the same ES document type conflict with each other
• GEOS-11060 charts and mssql extension zips are missing the extension
• GEOS-11069 Layer configuration page doesn’t work for broken SQL views

Task:

• GEOS-10987 Bump xalan:xalan and xalan:serializer from 2.7.2 to 2.7.3
• GEOS-10988 Update spring.version from 5.3.26 to 5.3.27 and spring-integration.version from 5.5.17 to 5.5.18
• GEOS-11008 Update sqlite-jdbc from 3.34.0 to 3.41.2.2
• GEOS-11010 Upgrade guava from 30.1 to 32.0.0
• GEOS-11011 Upgrade postgresql from 42.4.3 to 42.6.0
• GEOS-11012 Upgrade commons-collections4 from 4.2 to 4.4
• GEOS-11018 Upgrade commons-lang3 from 3.8.1 to 3.12.0
• GEOS-11020 Add test scope to mockito-core dependency
• GEOS-11062 Upgrade httpclient from 4.5.13 to 4.5.14
• GEOS-11063 Upgrade httpcore from 4.4.10 to 4.4.16
• GEOS-11067 Upgrade wiremock to 2.35.0

For the complete list see 2.23.2 release notes.

About GeoServer 2.23 Series

Additional information on GeoServer 2.23 series:

• Running with Java 17 Notes
• GeoServer 2.23 User Manual
• Drop Java 8
• GUI CSS Cleanup
• Add the possibility to use fixed values in Capabilities for Dimension metadata
• State of GeoServer 2.23
• GeoServer Feature Frenzy 2023
• GeoServer used in fun and interesting ways
• GeoServer Orientation

Release notes: ( 2.23.2 | 2.23.1 | 2.23.0 | 2.23-RC1 )

The GeoServer team was pleased to attend FOSS4G 2023 last week (26 June - 2 July 2023) in Prizren, Kosovo!

FOSS4G 2023 was put on this year by the Open Source Geospatial Foundation (OSGeo) and the regional Free Libre Open Source Software Kosova (FLOSSK) organization. The local organizing committee worked very hard to make everyone feel welcome and well cared for. Thank you for hosting everyone, we had a great time.

GeoServer content:

• State of GeoServer 2.23
• GeoServer Feature Frenzy 2023
• GeoServer used in fun and interesting ways
• GeoServer Orientation
• Getting Started with GeoServer (Workshop)

GeoServer community content:

• FOSS4G 2023 (GeoCat Blog)
• GeoSolutions presence at FOSS4G 2023 in Prizren (Kosovo) (GeoSolutions Blog)
• Many additional presentations featured GeoServer and showcased its capabilities.

When videos are provided of the event we will update this post with links.

Prizren (Kosovo)

FOSS4G Code sprint

We also had our first scheduled codesprint on refactoring org.opengis package. The foss4g sprint was a fact-finding mission to establish the scope of work and confirm time frame and budget.

• The activity was successful in that we were able to change from org.opengis to org.geotools.api and write a script to update GeoWebCache and GeoServer projects.
• GeoServer has some difficulties as gs-printing and gs-geofence-server include the work of external projects which will require assistance.

The work is scheduled for the Bolsena Codesprint 2023 ahead of the GeoServer 2.24.0 release cycle.

For more information see OpenGIS Harmonization at OSGeo. If you are in a position to provide sponsorship, or in-kind participation, this activity could use your support.

GeoServer 2.22.4 release is now available with downloads ( bin, war, windows) , along with docs and extensions.

This is a maintenance release of GeoServer providing existing installations with minor updates and bug fixes.

GeoServer 2.22.4 is made in conjunction with GeoTools 28.4.

Thanks to Peter Smythe (AfriGIS) and Jody Garnett (GeoCat) for making this release. This is Peter’s first time making a GeoServer release and we would like to thank him for volunteering.

Security Considerations

This release addresses security vulnerabilities and is considered an essential upgrade for production systems.

• CVE-2023-43795 WPS Server Side Request Forgery
• CVE-2023-41339 Unsecured WMS dynamic styling sld=url parameter affords blind unauthenticated SSRF

See project security policy for more information on how security vulnerabilities are managed.

Release notes

New Feature:

• GEOS-10949 Control remote resources accessed by GeoServer

Improvement:

• GEOS-10973 DWITHIN delegation to mongoDB

Bug:

• GEOS-8162 CSV Data store does not support relative store paths
• GEOS-10906 Authentication not sent if connection pooling activated
• GEOS-10936 YSLD and OGC API modules are incompatible
• GEOS-10969 Empty CQL_FILTER-parameter should be ignored
• GEOS-10975 JMS clustering reports error about ReferencedEnvelope type not being whitelisted in XStream
• GEOS-10980 CSS extension lacks ASM JARs as of 2.23.0, stops rendering layer when style references a file
• GEOS-10981 Slow CSW GetRecords requests with JDBC Configuration
• GEOS-10993 Disabled resources can cause incorrect CSW GetRecords response
• GEOS-10994 OOM due to too many dimensions when range requested
• GEOS-10998 LayerGroupContainmentCache is being rebuilt on each ApplicationEvent
• GEOS-11015 geopackage wfs output builds up tmp files over time
• GEOS-11024 metadata: add datetime field type to feature catalog

Task:

• GEOS-10987 Bump xalan:xalan and xalan:serializer from 2.7.2 to 2.7.3
• GEOS-11008) Update sqlite-jdbc from 3.34.0 to 3.41.2.2
• GEOS-11010 Upgrade guava from 30.1 to 32.0.0
• GEOS-11011 Upgrade postgresql from 42.4.3 to 42.6.0
• GEOS-11012 Upgrade commons-collections4 from 4.2 to 4.4
• GEOS-11018 Upgrade commons-lang3 from 3.8.1 to 3.12.0
• GEOS-11020 Add test scope to mockito-core dependency

Sub-task:

• GEOS-10989 Update spring.version from 5.2.23.RELEASE to 5.2.24.RELEASE

For the complete list see 2.22.4 release notes.

About GeoServer 2.22 Series

Additional information on GeoServer 2.22 series:

• GeoServer 2.22 User Manual
• Update Instructions
• Metadata extension
• CSW ISO Metadata extension
• State of GeoServer (FOSS4G Presentation)
• GeoServer Beginner Workshop (FOSS4G Workshop)
• Welcome page (User Guide)

Release notes: ( 2.22.4 | 2.22.3 | 2.22.2 | 2.22.1 | 2.22.0 | 2.22-RC | 2.22-M0 )

GeoServer 2.23.1 release is now available with downloads (bin, war, windows), along with docs and extensions.

This is a stable release of GeoServer suitable for production systems, made in conjunction with GeoTools 29.1 and GeoWebCache 1.23.0.

We are grateful to Ian Turton (Astun Technology Ltd) for making this release.

Release notes

Improvement:

• GEOS-10858 jdbc-config turns off isolated workspace support

• GEOS-10898 Preserve key order in STAC responses coming from JSONB columns

• GEOS-10923 Use default writing params on GeoTIFFPPIO

• GEOS-10940 Update MapML viewer to release 0.11.0

Bug:

• GEOS-8162 CSV Data store does not support relative store paths

• GEOS-10837 geopackage output fails when java.io.tmpdir on network share

• GEOS-10912 jms-cluster fails to clone grid coverage layer on other nodes

• GEOS-10920 Excel output format packaging misses dependencies, cannot produce .xls

• GEOS-10921 Double escaping of HTML with enabled features-templating

• GEOS-10922 Features templating exception on text/plain format

• GEOS-10932 csw-iso: should only add 'xsi:nil = false' attribute

• GEOS-10934 CSW does not show title/abstract on welcome page

• GEOS-10946 WMS GetLegendGraphic throws FootprintsTransformation cannot be cast to ProcessFunctionException

• GEOS-10950 Performance regression in DescribeFeatureType across all feature types

• GEOS-10955 STAC templates are initialised in the wrong location

• GEOS-10957 Support ResourceAccessManager implementations returning custom subclasess of AccessLimits

• GEOS-10969 Empty CQL_FILTER parameter should be ignored

• GEOS-10975 JMS clustering reports error about ReferencedEnvelope type not being whitelisted in XStream

• GEOS-10985 B/R of GeoServer catalog is broken with GeoServer 2.23.0

Task:

• GEOS-10859 OGC API: swagger-api 4.15.5 upgrade

For the complete list see 2.23.1 release notes.

About GeoServer 2.23 Series

Additional information on GeoServer 2.23 series:

• Drop Java 8
• GUI CSS Cleanup
• Add the possibility to use fixed values in Capabilities for Dimension metadata

Release notes: ( 2.23.1 | 2.23.0 | 2.23-RC1 )