GeoServer 2.25.0 Release
GeoServer 2.25.0 release is now available with downloads (bin, war, windows), along with docs and extensions.
This is a stable release of GeoServer recommended for production use. GeoServer 2.25.0 is made in conjunction with GeoTools 31.0, and GeoWebCache 1.25.0.
Thanks to Peter Smythe for making this release. Thanks to Levy Steve, Peter Smythe, Jody Garnett, and Mark Prins for testing the 2.25.0 release.
Security Considerations
This release addresses several security vulnerabilities, all of which require admin access.
- If you have updated to GeoServer 2.24.2 Release or GeoServer 2.23.5 Release you are already patched.
- If you are working with a commercial support provider that volunteers with the geoserver-security email list they are already informed.
Vulnerabilities:
- CVE-2023-51444 Arbitrary file upload vulnerability in REST Coverage Store API (High).
- CVE-2023-41877 GeoServer log file path traversal vulnerability (High).
- CVE-2024-23634 Arbitrary file renaming vulnerability in REST Coverage/Data Store API (Moderate).
- CVE-2024-23643 Stored Cross-Site Scripting (XSS) vulnerability in GWC Seed Form (Moderate).
- CVE-2024-23821 Stored Cross-Site Scripting (XSS) vulnerability in GWC Demos Page (Moderate).
- CVE-2024-23819 Stored Cross-Site Scripting (XSS) vulnerability in MapML HTML Page (Moderate).
- CVE-2024-23818 Stored Cross-Site Scripting (XSS) vulnerability in WMS OpenLayers Format (Moderate).
- CVE-2024-23642 Stored Cross-Site Scripting (XSS) vulnerability in Simple SVG Renderer (Moderate).
- CVE-2024-23640 Stored Cross-Site Scripting (XSS) vulnerability in Style Publisher (Moderate).
- CVE-2023-51445 Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API (Moderate).
- CVE-2024-34711 Improper ENTITY_RESOLUTION_ALLOWLIST URI validation in XML Processing (SSRF) (High 7.3)
We would like to thank everyone who contributed to reporting, verifying and fixing the above vulnerabilities (see each CVE for appropriate credits). A special thank you to Steve Ikeoka for reporting most of the issues and doing the majority of the actual fixes.
The use of the CVE system allows the GeoServer team to reach a wider audience than blog posts. See the project security policy for more information on how security vulnerabilities are managed.
Upgrade Notes
We have a number of configuration changes when updating an existing system:
- The longstanding ENTITY_RESOLUTION_ALLOWLIST setting has been recommended as a way to control the locations available for external entity resolution when parsing XML documents and requests. The default has changed from * (allowing any location) to allowing the recommended www.w3.org, schemas.opengis.net and www.opengis.net locations used for OGC Web Services, along with the inspire.ec.europa.eu/schemas location used by our friends in Europe. If your data or styles reference schemas hosted elsewhere, add those locations to the allowlist rather than reverting to *.
- The FreeMarker Template HTML auto-escaping is now enabled by default.
- The Spring Security StrictHttpFirewall is now enabled by default (GEOS-11289).
- A new configuration setting is available to limit content served from the geoserver/www folder. If you have not met the www folder before, it is used to share content, and there is a tutorial on serving static files.
- We do add recommendations to production considerations over time; if you have not checked that page in a while, please review it.
Thanks to Steve Ikeoka and Jody Garnett for these improvements.
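To make the allowlist change concrete, here is an added Python example (example code written for this page, not GeoServer's implementation). It models an XML entity resolver that consults an allowlist before fetching anything: the entries are the 2.25.0 defaults listed above, while the matching rules (exact host, optional path prefix, http/https only, no user@ in the authority) are this example's own assumptions about what a sane matcher does. The request bodies are constructed, and the "fetch" returns empty content so nothing touches the network.

```python
import io
import xml.sax
from urllib.parse import urlsplit
from xml.sax import handler, xmlreader

# The GeoServer 2.25.0 default allowlist, as listed in the upgrade notes.
DEFAULT_ALLOWLIST = (
    "www.w3.org",
    "schemas.opengis.net",
    "www.opengis.net",
    "inspire.ec.europa.eu/schemas",
)
# The pre-2.25 default: any location may be resolved.
LEGACY_ALLOWLIST = ("*",)


def is_allowed(uri, allowlist):
    """Decide whether an external entity or schema URI may be fetched.

    Illustrative matcher (an assumption of this example, not GeoServer's
    code). "*" allows any location. Otherwise each entry is
    host[/path-prefix]: the parsed host must match exactly and the path
    must sit under the prefix. Matching the parsed URL instead of doing a
    substring test rejects look-alikes such as
    http://www.w3.org.attacker.example/ and http://www.w3.org@attacker.example/.
    """
    if "*" in allowlist:
        return True
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return False  # file:, jar:, ftp: ... are never resolved remotely
    if parts.username is not None or parts.password is not None:
        return False  # userinfo in the authority is a classic allowlist bypass
    host = (parts.hostname or "").lower()
    for entry in allowlist:
        entry_host, _, prefix = entry.lower().partition("/")
        if host != entry_host:
            continue
        if not prefix:
            return True
        if parts.path == "/" + prefix or parts.path.startswith("/" + prefix + "/"):
            return True
    return False


class EntityBlocked(xml.sax.SAXException):
    """Raised when a document references a location outside the allowlist."""


class AllowlistResolver(handler.EntityResolver):
    """SAX entity resolver that consults the allowlist before any fetch."""

    def __init__(self, allowlist):
        self.allowlist = allowlist
        self.allowed = []  # URIs that would have been fetched
        self.blocked = []  # URIs refused

    def resolveEntity(self, publicId, systemId):
        if not is_allowed(systemId, self.allowlist):
            self.blocked.append(systemId)
            raise EntityBlocked("external entity not in allowlist: " + systemId)
        self.allowed.append(systemId)
        # Offline stand-in for the network fetch: return empty content so the
        # example never opens a socket. A real resolver would fetch systemId here.
        source = xmlreader.InputSource(systemId)
        source.setByteStream(io.BytesIO(b""))
        return source


def parse_with_allowlist(xml_bytes, allowlist):
    """Parse xml_bytes, resolving external general entities via the allowlist.

    Returns ("ok", uris_resolved) or ("blocked", uris_refused).
    """
    resolver = AllowlistResolver(allowlist)
    parser = xml.sax.make_parser()
    # Follow external general entities: this is the behaviour the allowlist guards.
    parser.setFeature(handler.feature_external_ges, True)
    parser.setEntityResolver(resolver)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except EntityBlocked:
        return "blocked", resolver.blocked
    return "ok", resolver.allowed


# Constructed request bodies for the demonstration, not captured traffic.
OGC_DOC = (b'<!DOCTYPE r [<!ENTITY e SYSTEM "http://schemas.opengis.net/wfs/2.0/wfs.xsd">]>'
           b'<r>&e;</r>')
SSRF_DOC = (b'<!DOCTYPE r [<!ENTITY e SYSTEM "http://169.254.169.254/latest/meta-data/">]>'
            b'<r>&e;</r>')
LOOKALIKE_DOC = (b'<!DOCTYPE r [<!ENTITY e SYSTEM "http://www.w3.org.attacker.example/x.dtd">]>'
                 b'<r>&e;</r>')

if __name__ == "__main__":
    for name, doc in (("OGC", OGC_DOC), ("SSRF", SSRF_DOC), ("LOOKALIKE", LOOKALIKE_DOC)):
        print(name, "legacy '*':", parse_with_allowlist(doc, LEGACY_ALLOWLIST))
        print(name, "2.25 default:", parse_with_allowlist(doc, DEFAULT_ALLOWLIST))
```

Under the legacy * default the SSRF document is resolved, which means a real resolver would have contacted the internal address embedded in the request; under the 2.25 default it is refused before any connection is made, and so is the www.w3.org look-alike host. In a deployment the value is supplied like other GeoServer application properties (Java system property, environment variable or servlet context parameter); check the production considerations page for the exact form and extend the list with the schema hosts your own data actually needs.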
JTS fast polygon intersection enabled by default
The JTS Next Generation polygon intersection algorithm has been enabled by default, which will improve performance of a number of operations, including WPS processes and the vector tiles generation.
We deem the functionality well tested enough that it should be opened to the majority of users, even if it’s still possible to turn it off by adding the -Djts.overlay=old system property.
MapML Extension
The MapML extension is receiving a number of updates and improvements, with more to come in the following months. It’s now possible to declare “Tiled CRS” as the CRS for a layer, with the implication not just of the CRS, but also of the gridset that will be used by the MapML viewer.
This portion builds on top of the work done months ago to support astronomical CRSs, which allows GeoServer to support multiple CRS authorities.
The MapML preview links are now using the new MapML output format, while the old dedicated REST controller has been removed. This allows for better integration of the MapML format in the GeoServer ecosystem. The MapML viewer has also been updated to the latest version.
Thanks to Joseph Miller and Andrea Aime (GeoSolutions) for this work, and Natural Resources Canada for sponsoring it.
Community Module Updates
Much of the new activity in GeoServer starts as a community module. We’d like to remind you that these modules are not yet supported, and invite you to join the effort by participating in their development, as well as testing them and providing feedback.
Raster Attribute Table community module
Developed as part of GEOS-11175, the Raster Attribute Table community module uses the GDAL Raster Attribute Table (RAT) to provide a way to associate attribute information for individual pixel values within the raster, to create styles as well as to provide a richer GetFeatureInfo output.
For more information see the user guide.
We’d like to thank Andrea Aime (GeoSolutions) for the development and NOAA for sponsoring.
Graticules for WMS maps
The graticules community module, developed as part of GEOS-11216, provides a datastore generating graticules for WMS maps, along with a rendering transformation that can be used to label them. The module can be used to draw a graticule in WMS maps, as well as to download them as part of WFS (or in combination with the WPS download module).
We’d like to thank Ian Turton for development and GeoSolutions for sponsoring the work.
GeoServer monitor Kafka storage
The monitoring Kafka storage module, developed as part of GEOS-11150, allows storing the requests captured by the monitoring extension into a Kafka topic.
We’d like to thank Simon Hofer for sharing his work with the community. To learn more about the module, how to install and use it, see the user-guide.
JWT Headers
The JWT headers module has been developed as part of GEOS-11317.
The module is a new authentication filter that can read JWT headers, as well as general JSON payloads and simple strings, to identify a user and to extract their roles. The combination of Apache mod_auth_openidc with geoserver-jwt-headers-plugin provides an alternative to using the geoserver-sec-oauth2-openid-connect-plugin.
We’d like to thank David Blasby (GeoCat) for his work on this module.
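The checks such a header-based filter needs are easier to see in code. The following Python is an added example, not the geoserver-jwt-headers-plugin source: it pulls a JWT from a configurable header, verifies it (HS256 with a constructed shared secret here, where a real deployment would check the provider's signing keys), and extracts the user and roles from claim paths that are assumed for this example (preferred_username and resource_access.geoserver.roles). All tokens are constructed inline against a fixed clock. The point it makes is that a filter reading identity from a header must either verify the token itself or sit behind a proxy such as mod_auth_openidc that has already done so and that clients cannot reach around; otherwise anyone who can set the header picks their own roles.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HS256 secret for the example only. A production filter would verify
# RS256/ES256 tokens against the identity provider's JWKS; HS256 keeps this offline.
SECRET = b"example-shared-secret-not-for-production"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, alg="HS256", key=SECRET):
    """Mint a compact JWT; used here only to build sample headers."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = header + "." + payload
    if alg == "none":  # unsigned token, for the negative test
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, key=SECRET, now=None):
    """Return the claims if alg, signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: never let the token choose "none" or swap key types.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return None
    return claims


def json_path(obj, path):
    """Minimal dotted-path lookup, e.g. "resource_access.geoserver.roles"."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def principal_from_headers(headers, header_name="Authorization",
                           user_claim="preferred_username",
                           roles_claim="resource_access.geoserver.roles",
                           key=SECRET, now=None):
    """Identify the user and roles from a JWT carried in an HTTP header.

    Returns (username, roles) or None if the header is absent or the token
    fails verification. Header names compare case-insensitively and a
    "Bearer " prefix is tolerated. The claim paths are assumptions of this example.
    """
    value = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if value is None:
        return None
    token = value[7:] if value.lower().startswith("bearer ") else value
    claims = verify_token(token, key=key, now=now)
    if claims is None:
        return None
    user = json_path(claims, user_claim)
    if not isinstance(user, str) or not user:
        return None
    roles = json_path(claims, roles_claim)
    roles = [r for r in roles if isinstance(r, str)] if isinstance(roles, list) else []
    return user, roles


# Constructed sample tokens (fixed clock so the example is deterministic).
NOW = 1_700_000_000
CLAIMS = {"sub": "1234", "preferred_username": "alice",
          "resource_access": {"geoserver": {"roles": ["ROLE_ADMINISTRATOR"]}},
          "exp": NOW + 3600}
GOOD = make_token(CLAIMS)
EXPIRED = make_token(dict(CLAIMS, exp=NOW - 1))
UNSIGNED = make_token(dict(CLAIMS, preferred_username="admin"), alg="none")
# Swap in a payload claiming a different user while keeping the original signature.
_h, _p, _s = GOOD.split(".")
TAMPERED = _h + "." + _b64url(json.dumps(dict(CLAIMS, preferred_username="admin")).encode()) + "." + _s

if __name__ == "__main__":
    for label, tok in (("good", GOOD), ("expired", EXPIRED), ("unsigned", UNSIGNED), ("tampered", TAMPERED)):
        print(label, principal_from_headers({"Authorization": "Bearer " + tok}, now=NOW))
```

Only the untouched token yields a principal; the expired, unsigned (alg none) and re-encoded tokens are all refused before any user or role is read. When the proxy rather than GeoServer does the verification, the equivalent control is making sure the header can only arrive via that proxy, since a plain string header carries no proof of its own.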
Developer Updates
ResourceStore / Paths API Change
Developers should keep in mind some important maintenance work performed by Niels Charlier on the use of absolute and relative paths in the ResourceStore. See the Developers Guide for more information.
This does not affect end users.
Experimental Java 21 support
GeoServer, GeoTools and GeoWebCache are now tested to build and pass tests with Java 21.
This is not yet an endorsement to run GeoServer in production with Java 21. We are looking ahead at the 2024 roadmap, and are making sure the basics are covered for the newer Java releases.
Full Release notes
New Feature:
- GEOS-11225 [AuthKey] AuthKey synchronize the user/group automatically
MapML:
- GEOS-10438 ENTITY_RESOLUTION_ALLOWLIST property not parsing empty setting
- GEOS-11207 Refactor MapML MVC controller as GetMap-based operation with standard parameter format
- GEOS-11221 mkdocs preflight rst fixes
- GEOS-11289 Enable Spring Security StrictHttpFirewall by default
- GEOS-11297 Escape WMS GetFeatureInfo HTML output by default
- GEOS-11300 Centralize access to static web files
Improvement:
- GEOS-11306 Java 17 does not support GetFeature lazy JDBC count(*)
- GEOS-11130 Sort parent role dropdown in Add a new role
- GEOS-11142 Add mime type mapping for yaml files
- GEOS-11148 Update response headers for the Resources REST API
- GEOS-11149 Update response headers for the Style Publisher
- GEOS-11152 Improve handling special characters in the Simple SVG Renderer
- GEOS-11153 Improve handling special characters in the WMS OpenLayers Format
- GEOS-11155 Add the X-Content-Type-Options header
- GEOS-11173 Default to using HttpOnly session cookies
- GEOS-11176 Add validation to file wrapper resource paths
- GEOS-11213 Improve REST external upload method unzipping
- GEOS-11222 Include Conformance Class for “Search” from OGC API - Features Part 5 proposal
- GEOS-11226 Enable JTS OverlayNG by default
- GEOS-11246 Schemaless plugin performance for WFS
- GEOS-11247 Avoid HTML annotations special status in APIBodyProcessor
- GEOS-11248 Move version header handling from APIBodyMethodProcessor to APIDispatcher
- GEOS-11260 JNDI tutorial uses outdated syntax
- GEOS-11288 Improve input validation in ClasspathPublisher
- GEOS-11289 Enable Spring Security StrictHttpFirewall by default
- GEOS-11298 When a Raster Attribute Table is available, expose its attributes in GetFeatureInfo
- GEOS-11327 Add warning about using embedded data directories
- GEOS-11334 Update MapML viewer to release 0.13.1
Bug:
- GEOS-11050 jdbc-store broken by changes to Paths.names
- GEOS-11051 Env parametrization does not save correctly in AuthKey extension
- GEOS-11145 The GUI “wait spinner” is not visible any longer
- GEOS-11182 Avoid legends with duplicated entries
- GEOS-11187 Configuring a raster with NaN as NODATA results in two NaN in the nodata band description
- GEOS-11190 GeoFence: align log4j2 deps
- GEOS-11203 WMS GetFeatureInfo bad WKT exception for label-geometry
- GEOS-11224 Platform independent binary doesn’t start properly with default data directory
- GEOS-11250 WFS GeoJSON encoder fails with an exception if an infinity number is used in the geometry
- GEOS-11278 metadata: only selected tab is submitted
- GEOS-11312 Used memory calculation fix on legend WMS request
- GEOS-11266 csw-iso: missing fields in summary response
- GEOS-11312 Inconsistent Memory Units in Legend Image Creation
- GEOS-11335 A layer in an authority other than EPSG may fail to reload after restart
Task:
- GEOS-11242 Remove the Xalan library
- GEOS-11315 Revert to CORS commented out
- GEOS-11318 Update postgresql to 42.7.2
- GEOS-11134 Feedback on download bundles: README, RUNNING, GPL html files
- GEOS-11141 production consideration for logging configuration hardening
- GEOS-11159 Update mapfish-print-lib 2.3.0
- GEOS-11180 Update ImageIO-EXT to 1.4.9
- GEOS-11181 Update jai-ext to 1.1.25
- GEOS-11186 Fix maven enforcer failFast
- GEOS-11220 Upgrade Hazelcast from 5.3.1 to 5.3.6
- GEOS-11245 Update OSHI from 6.2.2 to 6.4.10
- GEOS-11316 Update Spring version to 5.3.32
For the complete list see 2.25.0 release notes.
Community Updates
Community module development:
- GEOS-11305 Add layer information in the models backing STAC
- GEOS-11146 Fix MBTiles output format test
- GEOS-11184 ncwms module has a compile dependency on gs-web-core test jar
- GEOS-11209 Open ID Connect Proof Key of Code Exchange (PKCE)
- GEOS-11212 OIDC accessToken verification using only JWKs URI
- GEOS-11219 Upgraded mail and activation libraries for SMTP compatibility
- GEOS-11293 Improve performance of wps-longitudinal-profile
- GEOS-11216 Create a datastore to produce graticules for WMS maps.
Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.
About GeoServer 2.25 Series
Additional information on GeoServer 2.25 series: