GeoServer 2.23.6 Release
The GeoServer 2.23.6 release is now available with downloads (bin, war, windows), along with docs and extensions.
This series has previously reached end-of-life, with this release issued to address an urgent bug or security vulnerability (see CVE-2024-36401 below).
This GeoServer 2.23.6 update is provided as a temporary measure. Plan instead to upgrade to a stable GeoServer 2.25.2 or maintenance GeoServer 2.24.4.
GeoServer 2.23.6 is made in conjunction with GeoTools 29.6, and GeoWebCache 1.23.5.
Thanks to Jody Garnett (GeoCat) for making this release on behalf of GeoCat customers.
Security Considerations
This release addresses security vulnerabilities and is considered an essential update for production systems.
- CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions (Critical)
- CVE-2024-24749 Classpath resource disclosure in GWC Web Resource API on Windows / Tomcat (Moderate)
See project security policy for more information on how security vulnerabilities are managed.
Release notes
Improvement:
- GEOS-11327 Add warning about using embedded data directories
- GEOS-11347 STAC Landing Page links should include root link
Bug:
- GEOS-11331 OAuth2 can throw a “java.lang.RuntimeException: Never should reach this point”
Task:
- GEOS-11316 Update Spring version to 5.3.32
- GEOS-11318 Upgrade postgresql from 42.6.0 to 42.7.2
For the complete list see 2.23.6 release notes.
Community Updates
Community module development:
- GEOS-11348 JMS cluster does not allow to publish style via REST “2 step” approach
- GEOS-11358 Feature-Autopopulate Update operation does not apply the Update Element filter
- GEOS-11381 Error in OIDC plugin in combination with RoleService
- GEOS-11412 Remove reference to JDOM from JMS Cluster (as JDOM is no longer in use)
Community modules are shared as source code to encourage collaboration. If a topic being explored is of interest to you, please contact the module developer to offer assistance.
About GeoServer 2.23 Series
Additional information on GeoServer 2.23 series:
- GeoServer 2.23 User Manual
- Drop Java 8
- GUI CSS Cleanup
- Add the possibility to use fixed values in Capabilities for Dimension metadata
- State of GeoServer 2.23
- GeoServer Feature Frenzy 2023
- GeoServer used in fun and interesting ways
- GeoServer Orientation
Release notes: ( 2.23.6 | 2.23.5 | 2.23.4 | 2.23.3 | 2.23.2 | 2.23.1 | 2.23.0 | 2.23-RC1 )