GeoServer Blog

Uploaded by

jka74597
GeoServer Blog

GeoServer 2.25.4 Release <https://geoserver.org/announcements/
vulnerability/2024/10/29/geoserver-2-25-4-released.html>

Oct 29, 2024 • Jody Garnett

GeoServer 2.25.4 <https://geoserver.org/release/2.25.4/> release is now
available with downloads (bin <https://sourceforge.net/projects/
geoserver/files/GeoServer/2.25.4/geoserver-2.25.4-bin.zip/download>, war
<https://sourceforge.net/projects/geoserver/files/GeoServer/2.25.4/
geoserver-2.25.4-war.zip/download>, windows <https://sourceforge.net/
projects/geoserver/files/GeoServer/2.25.4/GeoServer-2.25.4-winsetup.exe/
download>), along with docs <https://sourceforge.net/projects/geoserver/
files/GeoServer/2.25.4/geoserver-2.25.4-htmldoc.zip/download> and
extensions <https://sourceforge.net/projects/geoserver/files/
GeoServer/2.25.4/extensions/>.

This is a maintenance release of GeoServer providing existing
installations with minor updates and bug fixes. GeoServer 2.25.4 is made
in conjunction with GeoTools 31.4, and GeoWebCache 1.25.3.

Thanks to Jody Garnett for making this release.

Security Considerations

This release addresses security vulnerabilities and is considered an
important upgrade for production systems.

* GEOS-11557 <https://osgeo-org.atlassian.net/browse/GEOS-11557>
CVE-2024-45748 High

See project security policy <https://github.com/geoserver/geoserver/
blob/main/SECURITY.md> for more information on how security
vulnerabilities are managed.

Release notes

New Feature:

* GEOS-11352 <https://osgeo-org.atlassian.net/browse/GEOS-11352> REST
service for URL checks

Improvement:

* GEOS-11399 <https://osgeo-org.atlassian.net/browse/GEOS-11399> Use
Catalog streaming API in LayerGroupPage
* GEOS-11427 <https://osgeo-org.atlassian.net/browse/GEOS-11427>
metadata: “fix all” to support changing config repeatable field
* GEOS-11463 <https://osgeo-org.atlassian.net/browse/GEOS-11463> WMS
vector dimension validation should query only one feature and only
for dimension attribute
* GEOS-11502 <https://osgeo-org.atlassian.net/browse/GEOS-11502>
Permit resize on user/group/role palette textbox to allow for extra
long role names
* GEOS-11503 <https://osgeo-org.atlassian.net/browse/GEOS-11503>
Update mongo schemaless DWITHIN to support non-point geometry
* GEOS-11557 <https://osgeo-org.atlassian.net/browse/GEOS-11557>
CVE-2024-45748 High
* GEOS-11588 <https://osgeo-org.atlassian.net/browse/GEOS-11588> GWC
disk quota, check JDBC connection pool validation query

Bug:

* GEOS-10811 <https://osgeo-org.atlassian.net/browse/GEOS-10811>
GeoServer 2.22.0 WPS error while clipping raster with GeoJSON input
* GEOS-11071 <https://osgeo-org.atlassian.net/browse/GEOS-11071>
GeoJSON PPIO goes NPE while decoding a GeoJSON geometry
* GEOS-11107 <https://osgeo-org.atlassian.net/browse/GEOS-11107> Open
search for EO community module: packaging missing gt-cql-json-xx.x.jar
* GEOS-11453 <https://osgeo-org.atlassian.net/browse/GEOS-11453>
Failure to look-up default value of custom dimensions on vector layers
* GEOS-11484 <https://osgeo-org.atlassian.net/browse/GEOS-11484>
DirectRasterRenderer is not respecting advancedProjectionHandling
and continuosMapWrapping format_options
* GEOS-11493 <https://osgeo-org.atlassian.net/browse/GEOS-11493> Azure
blob store may not get environment parameters from property file
* GEOS-11497 <https://osgeo-org.atlassian.net/browse/GEOS-11497> WPS
execution fails with GeoJSON input
* GEOS-11504 <https://osgeo-org.atlassian.net/browse/GEOS-11504>
ResourceAccessManagerWrapper misses some delegating methods
* GEOS-11505 <https://osgeo-org.atlassian.net/browse/GEOS-11505> OWS
Monitor only handles WFS 1.0 requests
* GEOS-11513 <https://osgeo-org.atlassian.net/browse/GEOS-11513> WMTS/
GetDomainValues - Returned values are not sorted
* GEOS-11514 <https://osgeo-org.atlassian.net/browse/GEOS-11514> Fix
parsing WPS geometry geojson inputs
* GEOS-11524 <https://osgeo-org.atlassian.net/browse/GEOS-11524> csw:
default queryables mapping not generated
* GEOS-11543 <https://osgeo-org.atlassian.net/browse/GEOS-11543>
Unable to use propertyName to filter properties in a GetFeature
request when service is not set
* GEOS-11553 <https://osgeo-org.atlassian.net/browse/GEOS-11553> SLD
Style: Empty SE Rotationelement throws RuntimeException (QGIS
generated SLD)
* GEOS-11556 <https://osgeo-org.atlassian.net/browse/GEOS-11556>
NullPointerException when GWC disk quota monitoring is disabled
* GEOS-11559 <https://osgeo-org.atlassian.net/browse/GEOS-11559> The
customized attributes editor is prone to setting the wrong attribute
source

Task:

* GEOS-11470 <https://osgeo-org.atlassian.net/browse/GEOS-11470>
Upgrade the version of Mongo driver for schemaless plugin from 4.0.6
to 4.11.2
* GEOS-11506 <https://osgeo-org.atlassian.net/browse/GEOS-11506>
Upgrade Spring version from 5.3.37 to 5.3.39 and Spring security
from 5.8.13 to 5.8.14
* GEOS-11508 <https://osgeo-org.atlassian.net/browse/GEOS-11508>
Update OSHI from 6.4.10 to 6.6.3
* GEOS-11533 <https://osgeo-org.atlassian.net/browse/GEOS-11533>
Update org.apache.commons.vfs2 to 2.9.0
* GEOS-11574 <https://osgeo-org.atlassian.net/browse/GEOS-11574> Bump
org.eclipse.jetty:jetty-server from 9.4.52.v20230823 to
9.4.55.v20240627 in /src
* GEOS-11587 <https://osgeo-org.atlassian.net/browse/GEOS-11587>
Update map fish-print-v2 2.3.2

For the complete list see 2.25.4 <https://github.com/geoserver/
geoserver/releases/tag/2.25.4> release notes.

Community Updates

Community module development:

* GEOS-11517 <https://osgeo-org.atlassian.net/browse/GEOS-11517> Using
various OGC APIs results in service enabled check related WARN logs
* GEOS-11518 <https://osgeo-org.atlassian.net/browse/GEOS-11518> DGGS
JDBC store SQL encoder should not force the timezone to CET
* GEOS-11519 <https://osgeo-org.atlassian.net/browse/GEOS-11519> Make
DGGS rHealPix tests run again
* GEOS-11560 <https://osgeo-org.atlassian.net/browse/GEOS-11560> OGC
API modules lack cql2-json in assembly
* GEOS-11563 <https://osgeo-org.atlassian.net/browse/GEOS-11563> Allow
configuring a DGGS resolution offset on a layer basis
* GEOS-11565 <https://osgeo-org.atlassian.net/browse/GEOS-11565> Allow
configuring the minimum and maximum DGGS resolution for a layer
* GEOS-11579 <https://osgeo-org.atlassian.net/browse/GEOS-11579> DGGS
modules prevent GeoServer startup if JEP is not installed

Community modules are shared as source code to encourage collaboration.
If a topic being explored is of interest to you, please contact the
module developer to offer assistance.

About GeoServer 2.25 Series

Additional information on GeoServer 2.25 series:

* GeoServer 2.25 User Manual <https://docs.geoserver.org/2.25.x/en/user/>
* GeoServer 2024 Roadmap Plannings <https://geoserver.org/
behind%20the%20scenes/2024/01/03/roadmap.html>
* Raster Attribute Table extension <https://github.com/geoserver/
geoserver/wiki/GSIP-222>
* Individual contributor clarification <https://github.com/geoserver/
geoserver/wiki/GSIP-224>

Release notes: ( 2.25.4 <https://github.com/geoserver/geoserver/
releases/tag/2.25.4> | 2.25.3 <https://github.com/geoserver/geoserver/
releases/tag/2.25.3> | 2.25.2 <https://github.com/geoserver/geoserver/
releases/tag/2.25.2> | 2.25.1 <https://github.com/geoserver/geoserver/
releases/tag/2.25.1> | 2.25.0 <https://github.com/geoserver/geoserver/
releases/tag/2.25.0> | 2.25-RC <https://github.com/geoserver/geoserver/
releases/tag/2.25-RC> )

Read More <https://geoserver.org/announcements/vulnerability/2024/10/29/
geoserver-2-25-4-released.html>

GeoServer 2024 Q4 Developer Update <https://geoserver.org/
behind%20the%20scenes/2024/10/04/developer-update.html>

Oct 4, 2024 • Jody Garnett

The GeoServer team is working on sharing our roadmap plans <https://
geoserver.org/behind%20the%20scenes/2024/01/03/roadmap.html> and
providing greater transparency on our community participation and
funding goals.

GeoServer Developer Forum

If you have sent email to the |geoserver-devel| list this week you have been
met with the following reply:

|This list is now closed, join us on geoserver developer forum:
https://discourse.osgeo.org/invites/7DX66egwux
|

That is right, developer communication has moved to GeoServer Developer
<https://discourse.osgeo.org/c/geoserver/developer/63> on discourse.

* To post join the geoserver-developer <https://discourse.osgeo.org/t/
welcome-to-osgeo/> group.
* About the GeoServer Developer category <https://discourse.osgeo.org/
t/about-the-geoserver-developer-category/85608> has all the details
(even email).
* There are improved instructions <https://discourse.osgeo.org/t/
welcome-to-osgeo/5#p-6-developer-github-login-2> on how to sign up
using github.

How to help:

* Accept the invite <https://discourse.osgeo.org/invites/7DX66egwux> -
it is quick and easy, joining the group and navigating to the forum in
one go.
* Update communication details for website <https://github.com/
geoserver/geoserver.github.io/blob/main/devel/index.html> and
developer guide <https://github.com/geoserver/geoserver/blob/main/
doc/en/developer/source/introduction.rst>.

Discourse Forum

GeoServer 3 Crowdfunding

The consortium of Camptocamp, GeoSolutions and GeoCat have responded to
our roadmap challenge <https://geoserver.org/
behind%20the%20scenes/2024/01/03/roadmap.html> with a bold GeoServer 3
Call for Crowdfunding <https://geoserver.org/
behind%20the%20scenes/2024/09/10/gs3.html> established as a multi-party
contract.

* The fundraising target has now been set, see updated post <https://
geoserver.org/behind%20the%20scenes/2024/09/10/gs3.html>, and
milestone deliverables <https://docs.google.com/document/
d/1iCqob2R5Zcs9liODq2UGGiOUQhFWQJrjZCJxBVUP5Q4/edit?usp=sharing>
established.
* GSIP-226 - GeoServer 3 <https://github.com/geoserver/geoserver/wiki/
GSIP-226>

How to help:

* Share the call for crowdfunding <https://geoserver.org/
behind%20the%20scenes/2024/09/10/gs3.html> in your region.
* To express your interest or pledge support contact us directly at
gs3-funding@googlegroups.com <mailto:gs3-funding@googlegroups.com>,
or via online form <https://forms.gle/EFML8NSJSCtzjWUY6>.

Crowdfunding Form

Wicket 9 upgrade

GEOS-11275 <https://osgeo-org.atlassian.net/browse/GEOS-11275>: Brad and
David have made considerable progress on Wicket UI updates. After a year
of effort <https://github.com/geoserver/geoserver/pull/7154> the first
results <https://github.com/geoserver/geoserver/pull/7872> towards
Wicket 10 are being merged onto the |main| branch.

Thanks to Brad for doing much of the difficult work starting this
activity, and to David for working hard to stabilize this work for testing.

Peter and Jody started a Wicket test plan and evaluated an initial
2.26-M0 <https://github.com/geoserver/geoserver/releases/tag/2.26-M0>
milestone release.

How to help:

* Test a 2.27.x <https://geoserver.org/release/2.27.x/> nightly build,
clearly noting problems in the Wicket Test Plan <https://
docs.google.com/spreadsheets/
d/1pQmncG4zxpgJnHxeI4myFfOBD17U2CIMcy59II4XAfo/edit?usp=sharing>.
* Urgent: Developer assistance is needed to restore JUnit tests
<https://github.com/geoserver/geoserver/pull/7939> for the Wicket
modules. Many are failing just due to the contents of the page being
slightly altered.
* Developer assistance is needed to resolve the
content-security-policy warnings reported during testing.
* David has outlined what is needed for a new GSModalDialog <https://
github.com/geoserver/geoserver/pull/7871> to replace the
functionality being removed in Wicket 10.

|docker pull docker.osgeo.org/geoserver:2.27.x
docker run -it -p8081:8080 docker.osgeo.org/geoserver:2.27.x
|

Spring Security 5.8 update

GEOS-11271 <https://osgeo-org.atlassian.net/browse/GEOS-11271>: Andreas
Watermeyer (ITS Digital Solutions) has completed this activity ahead of
the GeoServer 2.26.0 release.

How to help:

* The next step is going through the Preparing for 6.0 <https://
docs.spring.io/spring-security/reference/5.8/migration/index.html>
checklist

Spring Security OAuth2 replacement

GEOS-11272 <https://osgeo-org.atlassian.net/browse/GEOS-11272>: Andreas
Watermeyer (ITS Digital Solutions) set up new community modules to work
on this activity. This is a new implementation as the Spring Security
internals have changed, and the new Spring API allows for a cleaner
implementation.

How to help:

* This work will require extensive testing in different environments.
* Ideas on unit testing and increasing test coverage with test
containers are very welcome.

Support and sponsorship

We would like to welcome a new project sponsor:

Route4Me <https://route4me.com/> - Simplify Last Mile Complexity:
proven route planning and route optimization software.

Route4Me

The GeoServer project steering committee seeks sponsorship to fund
maintenance activities, code sprints, and research and development that
is beyond the reach of an individual contributor or organization.

* We have worked with OSGeo to provide sponsorship guidance <https://
www.osgeo.org/about/how-to-become-a-sponsor/> for individual
consultants, small organisations, companies and public institutions
of different sizes.
* GeoServer has a new sponsorship page <https://geoserver.org/sponsor/
> on our website collecting this information for our project.
* GeoServer now lists sponsor logos on our home page <https://
geoserver.org/>, alongside core contributors.

We would like to thank everyone who has responded thus far:

* Sponsors: How 2 Map <https://www.how2map.com/>, illustreets
<https://illustreets.com/>, and Route4Me <https://route4me.com/>.
* Individual Donations: Peter Rushforth, Marco Lucarelli, Gabriel
Roldan, Jody Garnett, Manuel Timita, Andrea Aime

Read More <https://geoserver.org/behind%20the%20scenes/2024/10/04/
developer-update.html>

Using Spatial Operators in GeoServer Filters <https://geoserver.org/
tutorials/2024/09/24/geospatial-techno.html>

Sep 24, 2024 • Milad Rafiei

GeoSpatial Techno <https://www.youtube.com/@geospatialtechno> is a
startup focused on geospatial information that is providing e-learning
courses to enhance the knowledge of geospatial information users,
students, and other startups. The main approach of this startup is
providing quality, valid specialized training in the field of geospatial
information.

( YouTube <https://www.youtube.com/@geospatialtechno> | LinkedIn
<https://www.linkedin.com/in/geospatialtechno> | Facebook <https://
www.facebook.com/geospatialtechno> | X <https://twitter.com/
geospatialtechn> )

------------------------------------------------------------------------

Spatial Operators in GeoServer Filters

In this session, we want to talk about the *Spatial operators in
GeoServer* in detail. If you want to access the complete tutorial, click
on the link <https://www.youtube.com/watch?
v=mYD0sCNiczE&list=PL_ITaxp1Ob4sjk24Stboa5XbO0LGdEKbL>.

<https://www.youtube.com/watch?
v=mYD0sCNiczE&list=PL_ITaxp1Ob4sjk24Stboa5XbO0LGdEKbL>

Introduction

GeoServer supports various spatial operators that filter geospatial data
based on their location or spatial relationships with other features.
These operators are commonly used with other filter expressions to
create complex queries. These queries are useful for extracting specific
subsets of data from a larger dataset.

The spatial operators are Topological, Distance, and Bounding Box
operators. We’ll explain them in more detail below.

*Note.* This video was recorded on GeoServer 2.22.4, which is not the
most up-to-date version. Currently, versions 2.24.x and 2.25.x are
supported. To ensure you have the latest release, please visit this link
<https://geoserver.org/download/> and avoid using older versions of
GeoServer.

Topological operators

In GeoServer, topological operators are used for spatial analysis and
processing of geographic data. These operators perform geometric
operations that preserve the spatial relationship or topology between
geometric features. Some common topological operators in GeoServer
include: Intersects, Within, Contains, etc.

Intersects

The *Intersects* filter in GeoServer is used to query spatial data based
on the intersection of two geometry objects. For example, you can use
this operator to extract all features that intersect with a specified
Point, Line, or Polygon.

Here are some examples of how you can use this filter in an XML request
to filter the |States| layer by the |State_Name| attribute:

* Navigate to the *Demos* page, then select *Demo requests*.
* From the Request section, select the
*WFS_getFeatureIntersects1.0.xml* request.
* The address will be filled in automatically, in the URL section.
* Now, we will explain some elements:
o The first thirteen lines include explanations in the form of
comments.
o Line 14 describes the XML version and the |getFeatureIntersects|
operation of the WFS service being used.
o Line 15 specifies the default output format for the WFS service
as |GML2|. Additionally, GeoServer supports several other
commonly used formats such as “gml3, shapefile, geojson, and csv.”
o Lines 16 to 22 define the start of the XML request and declare
the namespaces used in the request.
o Line 23 specifies the type name of the feature to be queried. In
this case, it requests features of the |topp:states|.
o Lines 25 to 30 define the filter criteria for the query. On
these lines, we use the *Intersects* filter to retrieve all
states that intersect with a Point defined by latitude and
longitude.
* Press the *Submit* button.

*Note.* For GeoServer 2.25.2 the Demo Request page has been improved to
show response Headers, and provide the option to pretty print XML output.

Within

This operator is used to retrieve features that are completely within
the specified geometry. For example, you can use this operator to
extract all features that are within a polygon.

Here’s an example of how you can define a |Within| filter in XML. As an
example of using this filter in a WFS getFeature request, use the
following code block to replace lines 24 to 31:

|<Filter>
  <Within>
    <PropertyName>the_geom</PropertyName>
    <gml:Polygon xmlns:gml="http://www.opengis.net/gml" srsName="EPSG:4326">
      <gml:outerBoundaryIs>
        <gml:LinearRing>
          <gml:coordinates>-90.73,29.85 -90.73,35.92 -80.76,35.92 -80.76,29.85 -90.73,29.85</gml:coordinates>
        </gml:LinearRing>
      </gml:outerBoundaryIs>
    </gml:Polygon>
  </Within>
</Filter>
|

Press the *Submit* button. As you can see, the result includes two
states named |Alabama| and |Georgia|.

Contains

This operator is used to filter data that is completely contained within
a given geometry. For example, you can use this operator to extract all
features that are completely contained within a polygon that represents
a state boundary.

Here’s an example of how you can define a |Contains| operator in XML:

|<Filter>
  <Contains>
    <PropertyName>the_geom</PropertyName>
    <gml:LineString srsName="EPSG:4326">
      <gml:coordinates>-89.35,31.46 -89.35,32.11 -89.49,32.23 -90.21,32.23</gml:coordinates>
    </gml:LineString>
  </Contains>
</Filter>
|

Press the *Submit* button. As you can see, the state that contains the
given geometry is |Mississippi|.

You will need to adjust the filter and shape to match your data and SRS.
These examples assume a data source with a geometry column named the_geom
that uses the EPSG:4326 coordinate system.

Distance operators

In GeoServer, distance operators such as the “DWithin” and “Beyond” filters
are used to filter and retrieve features based on their spatial
relationship and proximity to a given geometry or location. These
operators can be used in WFS requests and are useful for performing
spatial analysis and finding nearby features.

DWithin

The ‘DWithin’ or ‘Distance Within’ filter will return records that are
located within a specific distance of a defined point, much like a
buffer. As well as the point geometry, you must specify the value of the
distance from this point and the unit of measure. The units for
DWithin are: feet, meters, kilometers and miles.

Here’s an example of how to use the |DWithin| filter in a GeoServer XML
configuration file. To find all the features that are within |10000|
meters of a given point in a layer called “sf:archsites”, the following
WFS request can be used.

|<wfs:GetFeature service="WFS" version="1.0.0"
  outputFormat="application/json" xmlns:wfs="http://www.opengis.net/wfs"
  xmlns:ogc="http://www.opengis.net/ogc"
  xmlns:gml="http://www.opengis.net/gml"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.opengis.net/wfs
  http://schemas.opengis.net/wfs/1.0.0/WFS-basic.xsd">
  <wfs:Query typeName="sf:archsites">
    <ogc:Filter>
      <ogc:DWithin>
        <ogc:PropertyName>the_geom</ogc:PropertyName>
        <gml:Point srsName="http://www.opengis.net/gml/srs/epsg.xml#26713">
          <gml:coordinates>593250,4923867</gml:coordinates>
        </gml:Point>
        <ogc:Distance units="meter">10000</ogc:Distance>
      </ogc:DWithin>
    </ogc:Filter>
  </wfs:Query>
</wfs:GetFeature>
|

This will return all the features in the “sf:archsites” layer that are
within 10000 meters of the given point. Remember that the EPSG code
mentioned in line 11 is very important because it serves as a reference
point for importing coordinates and distance values.

Press the *Submit* button.

Bounding Box operators

The Bounding Box operator is used to filter data based on a specified
bounding box. A bounding box is a rectangular region defined by its
lower left and upper right coordinates: minx, miny, maxx, and maxy. For
example, you can use this operator to extract all features that are
located or partially located inside a box of coordinates.

As an example of using this operator, select the
*WFS_getFeatureBBOX1.0.xml* from the Request section. Now the filter
code block is as follows:

|<Filter>
  <BBOX>
    <PropertyName>the_geom</PropertyName>
    <gml:Box srsName="http://www.opengis.net/gml/srs/epsg.xml#4326">
      <gml:coordinates>-75.102613,40.212597 -72.361859,41.512517</gml:coordinates>
    </gml:Box>
  </BBOX>
</Filter>
|

In this case, we just get the |STATE_NAME| and |PERSONS| attributes.
The range specified in the code selects the features that are
completely or partially located in this area. The result includes four
states named |New York|, |Pennsylvania|, |Connecticut|, and |New Jersey|
as you see on the screen.
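
The DWithin and BBOX requests shown in this tutorial can also be generated by a script instead of being edited by hand. The Python below is an added example, not part of the original tutorial or of GeoServer: it builds those two WFS 1.0.0 GetFeature bodies with ElementTree so that layer names, attribute names, coordinates and distances coming from user input are validated and escaped rather than pasted into the XML. The function names and the identifier patterns are assumptions made for the example.

```python
import math
import re
import xml.etree.ElementTree as ET

# Namespaces used by the WFS 1.0.0 requests in the tutorial.
NS = {
    "wfs": "http://www.opengis.net/wfs",
    "ogc": "http://www.opengis.net/ogc",
    "gml": "http://www.opengis.net/gml",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Assumed identifier shapes (not taken from GeoServer): "workspace:layer"
# for type names, a plain token for attribute names and distance units.
TYPE_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*:[A-Za-z_][A-Za-z0-9_.-]*")
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")


def _q(prefix, tag):
    """Qualified tag name in ElementTree's {namespace}tag form."""
    return "{%s}%s" % (NS[prefix], tag)


def _num(value):
    """Render a finite number as text; anything else raises ValueError."""
    number = float(value)
    if not math.isfinite(number):
        raise ValueError("number must be finite: %r" % (value,))
    return repr(number)


def _srs(epsg):
    """srsName in the same URI style the tutorial's requests use."""
    code = int(epsg)
    if code <= 0:
        raise ValueError("EPSG code must be positive")
    return "http://www.opengis.net/gml/srs/epsg.xml#%d" % code


def _spatial_filter(operator, prop):
    """Create ogc:Filter / ogc:<operator> / ogc:PropertyName."""
    if not TOKEN_RE.fullmatch(str(prop)):
        raise ValueError("unexpected property name: %r" % (prop,))
    flt = ET.Element(_q("ogc", "Filter"))
    node = ET.SubElement(flt, _q("ogc", operator))
    ET.SubElement(node, _q("ogc", "PropertyName")).text = prop
    return flt, node


def dwithin_filter(prop, point, epsg, distance, units):
    """Features within `distance` (in `units`) of `point`, as in the tutorial."""
    if not TOKEN_RE.fullmatch(str(units)):
        raise ValueError("unexpected units: %r" % (units,))
    if float(distance) < 0:
        raise ValueError("distance must not be negative")
    x, y = point
    flt, node = _spatial_filter("DWithin", prop)
    pt = ET.SubElement(node, _q("gml", "Point"), srsName=_srs(epsg))
    ET.SubElement(pt, _q("gml", "coordinates")).text = "%s,%s" % (_num(x), _num(y))
    ET.SubElement(node, _q("ogc", "Distance"), units=units).text = _num(distance)
    return flt


def bbox_filter(prop, minx, miny, maxx, maxy, epsg):
    """Features completely or partially inside the box, as in the tutorial."""
    if not (float(minx) < float(maxx) and float(miny) < float(maxy)):
        raise ValueError("bounding box needs minx < maxx and miny < maxy")
    flt, node = _spatial_filter("BBOX", prop)
    box = ET.SubElement(node, _q("gml", "Box"), srsName=_srs(epsg))
    ET.SubElement(box, _q("gml", "coordinates")).text = "%s,%s %s,%s" % (
        _num(minx), _num(miny), _num(maxx), _num(maxy))
    return flt


def get_feature(type_name, flt, output_format="application/json"):
    """Wrap a filter in a WFS 1.0.0 GetFeature request and return it as text."""
    if not TYPE_NAME_RE.fullmatch(str(type_name)):
        raise ValueError("unexpected type name: %r" % (type_name,))
    root = ET.Element(_q("wfs", "GetFeature"), service="WFS",
                      version="1.0.0", outputFormat=output_format)
    query = ET.SubElement(root, _q("wfs", "Query"), typeName=type_name)
    query.append(flt)
    # ElementTree escapes attribute values and text on serialization.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Values taken from the tutorial's DWithin and BBOX requests.
    print(get_feature("sf:archsites",
                      dwithin_filter("the_geom", (593250, 4923867), 26713, 10000, "meter")))
    print(get_feature("topp:states",
                      bbox_filter("the_geom", -75.102613, 40.212597,
                                  -72.361859, 41.512517, 4326),
                      output_format="GML2"))
```

The printed XML can be pasted into the *Demo requests* body field or sent as the POST body of a WFS request.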

------------------------------------------------------------------------

In this session, we took a brief journey through the “Spatial operators
in GeoServer”. If you want to access the complete tutorial, click on the
link <https://www.youtube.com/watch?
v=mYD0sCNiczE&list=PL_ITaxp1Ob4sjk24Stboa5XbO0LGdEKbL>.

Read More <https://geoserver.org/tutorials/2024/09/24/geospatial-
techno.html>

GeoServer 2.26.0 Release <https://geoserver.org/announcements/
vulnerability/2024/09/18/geoserver-2-26-0-released.html>

Sep 18, 2024 • Jody Garnett

GeoServer 2.26.0 <https://geoserver.org/release/2.26.0/> release is now
available with downloads (bin <https://sourceforge.net/projects/
geoserver/files/GeoServer/2.26.0/geoserver-2.26.0-bin.zip/download>, war
<https://sourceforge.net/projects/geoserver/files/GeoServer/2.26.0/
geoserver-2.26.0-war.zip/download>, windows <https://sourceforge.net/
projects/geoserver/files/GeoServer/2.26.0/GeoServer-2.26.0-winsetup.exe/
download>), along with docs <https://sourceforge.net/projects/geoserver/
files/GeoServer/2.26.0/geoserver-2.26.0-htmldoc.zip/download> and
extensions <https://sourceforge.net/projects/geoserver/files/
GeoServer/2.26.0/extensions/>.

This is a stable release of GeoServer recommended for production use.
GeoServer 2.26.0 is made in conjunction with GeoTools 32.0, GeoWebCache
1.26.0, ImageIO-EXT 1.4.13, and JAI-EXT 1.1.27.

Thanks to Peter Smythe (AfriGIS) and Jody Garnett (GeoCat) for making
this release and everyone who has helped out during this release cycle.
Special thanks to Andrea for helping with the release announcement, and Torben
for troubleshooting the build server and docker environment for this
release.

DOI <https://doi.org/10.5281/zenodo.13827176>

Nightly build testing

This release cycle we asked our new user forum to test a nightly build,
as we did not have capacity to make a release candidate.

Thanks to Daniel Calliess for responding during our public testing
cycle. Daniel noted that he had to add |/geoserver/webresources| to his
proxy for the OpenLayers preview to function. This change is due to an
ongoing effort to move all CSS and JS to external resources allowing
Content Security Policy <https://content-security-policy.com/> headers
to be introduced.

Security Considerations

This release addresses security vulnerabilities and is a recommended
upgrade for production systems.

* CVE-2024-34711 <https://github.com/geoserver/geoserver/security/
advisories/GHSA-mc43-4fqr-c965> Improper ENTITY_RESOLUTION_ALLOWLIST
URI validation in XML Processing (SSRF) (High 7.3)
* CVE-2024-35230 <https://github.com/geoserver/geoserver/security/
advisories/GHSA-6pfc-w86r-54q6>: Welcome and About GeoServer pages
communicate version and revision information (Moderate 5.3)

See project security policy <https://github.com/geoserver/geoserver/
blob/main/SECURITY.md> for more information on how security
vulnerabilities are managed.

* GEOS-11400 <https://osgeo-org.atlassian.net/browse/GEOS-11400> About
Page Layout and display of build information

Java 17 Support

The binary distribution and the Windows installer now work with Java 17.

When using the war distribution with Tomcat and Java 17 double check the
*Server status* page. If the *Java Rendering Engine* is listed as
“Unknown”, double check the Running in Java 17 <https://
docs.geoserver.org/latest/en/user/production/java.html#running-on-
java-17> production considerations.

Thanks to Andrea Aime and everyone who worked on testing this in
different environments.

* GEOS-11467 <https://osgeo-org.atlassian.net/browse/GEOS-11467>
Update Marlin, make the bin package compatible with Java 17

Docker Updates

The base image |tomcat:9.0.95-jdk17-temurin-jammy| is now used -
providing the latest Tomcat 9 and Java 17. The docker crew changed from
using |ubuntu:22.04| with our own Tomcat install script earlier in the year.

To try out GeoServer 2.26.0 with docker:

|docker pull docker.osgeo.org/geoserver:2.26.0
docker run -it -p8080:8080 docker.osgeo.org/geoserver:2.26.0
|

Thanks to Nils Bühner (terrestris) and everyone who has contributed to
the Docker build.

Search improvement

A small but fun change for the layer preview - it is now easier to find
just the layer you are looking for using quotes to isolate an individual
word.

Thanks to Alessandro Ricchiuti for this work.

* GEOS-11351 <https://osgeo-org.atlassian.net/browse/GEOS-11351> Exact
term search in the pages’ filters

Extensive MapML Improvements

Thanks to Natural Resources Canada for sponsoring an extensive set of
improvements for the MapML extension <https://docs.geoserver.org/latest/
en/user/extensions/mapml/index.html>.

This update was carried out by a group of GeoSolutions devs, Andrea
Aime, Daniele Romagnoli and Joseph Miller.

* GEOS-11322 <https://osgeo-org.atlassian.net/browse/GEOS-11322> MapML
WMS Vector Representation include query filter
* GEOS-11324 <https://osgeo-org.atlassian.net/browse/GEOS-11324> MapML
WMS Vector Representation Style Classes
* GEOS-11337 <https://osgeo-org.atlassian.net/browse/GEOS-11337>
Support feature tiles in MapML
* GEOS-11349 <https://osgeo-org.atlassian.net/browse/GEOS-11349> MapML
Use WMS Resource Consumption Limit to specify max image size
* GEOS-11461 <https://osgeo-org.atlassian.net/browse/GEOS-11461>
Enable MapML Viewer output for WFS getFeature.
* GEOS-11486 <https://osgeo-org.atlassian.net/browse/GEOS-11486>
Adding custom dimensions to MapML
* GEOS-11528 <https://osgeo-org.atlassian.net/browse/GEOS-11528>
Update MapML viewer to latest release 0.14.0
* GEOS-11471 <https://osgeo-org.atlassian.net/browse/GEOS-11471>
Remove Sharding configuration support from MapML

Demo Requests page rewritten

The Demo Request page has been rewritten to use JavaScript to issue POST
examples. This provides a much better user experience:

* *Show Result* lists the response headers to be viewed alongside the
returned result (with an option for XML pretty printing).
* *Show Result in a New Page* is available to allow your browser to
display the result.

The *WCS Request Builder* and *WPS Request Builder* demos now have the
option to show their results in the Demo Requests page. Combined, these
changes replace the previous practice of using an iframe popup, and have
allowed the *TestWfsPost* servlet to be removed.

For more information please see the Demo requests <https://
docs.geoserver.org/latest/en/user/configuration/demos/index.html#demos-
demorequests> in the User Guide.

Thanks to David Blasby (GeoCat) for these improvements, made on behalf
of the GeoCat Live project.

* GEOS-11390 <https://osgeo-org.atlassian.net/browse/GEOS-11390>
Replace TestWfsPost with Javascript Demo Page

JTS 1.20.0 Update

We are overjoyed to update to the latest JTS 1.20.0 release <https://
projects.eclipse.org/projects/locationtech.jts/releases/1.20.0> which
includes a new implementation of spatial relationships.

Use |-Djts.relate=ng| to try out the new implementation (replacing
|RelateOp| with the |RelateNG| next generation implementation). Let us
know how it goes; a future update will make this setting the default and
expand the approach to “prepared geometry” bulk operations used for WFS
Queries.

Thanks to Martin Davis (CrunchyDB) for the JTS improvements, and Jody
Garnett (GeoCat) for the release and GeoServer update.

* GEOS-11532 <https://osgeo-org.atlassian.net/browse/GEOS-11532>
Update to JTS 1.20.0

Raster Attribute Table Extension

A new extension is available that takes advantage of the GDAL Raster
Attribute Table (RAT). This data structure provides a way to associate
attribute information for individual pixel values within the raster.
This provides a table that links each cell value in the raster to one or
more attributes on the fly.

Thanks to Andrea Aime (GeoSolutions) for the development and NOAA for
sponsoring this new capability. Please see the user guide Raster
Attribute Table support <https://docs.geoserver.org/latest/en/user/
extensions/rat/index.html> for more information.

* GEOS-11376 <https://osgeo-org.atlassian.net/browse/GEOS-11376>
Graduate Raster Attribute Table to extension

GeoCSS improvements

GeoCSS can now perform scale dependent rendering by the zoom level,
assuming web mercator by default, but allowing the configuration of a
different gridset as well. It’s also possible to create multi-layer
styles and use them as style groups.

|@mode 'Flat';
@TileMatrixSet 'WorldCRS84Quad';

tiger:poly_landmarks {

  /* @title parks and green spaces */
  [CFCC in ('D82', 'D32', 'D84', 'D85')] {
    fill: #B4DFB4;
    stroke: #88B588;
  };

}

tiger:tiger_roads [@z > 12] {
  stroke: #666666, #FFFFFF;
  stroke-width: 6, 4;
  z-index: 1, 2;
}
|

Thanks to Andrea Aime (GeoSolutions) for this work, performed in
preparation for the FOSS4G-NA 2024 vector tiles workshop.

* GEOS-11495 <https://osgeo-org.atlassian.net/browse/GEOS-11495>
Support multi-layer output in CSS
* GEOS-11515 <https://osgeo-org.atlassian.net/browse/GEOS-11515> Add
support for zoom level rule filtering in CSS
* GEOS-11414 <https://osgeo-org.atlassian.net/browse/GEOS-11414>
Adding css-uniqueRoleName

Geostationary satellite AUTO code

|AUTO:97004| has been introduced as a new vendor extension to WMS AUTO
codes. It implements the geostationary satellite projection and allows
changing the central meridian as part of the GetMap request.

Thanks to Andrea Aime (GeoSolutions) for this work, and Eumetsat for
sponsoring it.

labelPoint function improved

The |labelPoint| function has been improved with more precise
calculation of the polygon label points, and no longer requires a
tolerance to be specified. This helps get better maps, especially with
tiling enabled (fixed labelling point no matter which tile is requested):

|<sld:TextSymbolizer>
  <sld:Geometry>
    <ogc:Function name="labelPoint">
      <ogc:PropertyName>the_geom</ogc:PropertyName>
    </ogc:Function>
  </sld:Geometry>
</sld:TextSymbolizer>
|

Thanks to Andrea Aime (GeoSolutions) for this work, performed in
preparation for the FOSS4G-NA 2024 vector tiles workshop.

Improved vector tiles generation

A few new vendor options have been added in GeoServer that control how
vector tiles are built, with the objective of producing smaller, faster,
more useful vector tiles.

* |vt-attributes|: comma separated list of attributes included in the
vector tile
* |vt-labels|: when true, generates a sidecar |-label| layer for
polygons, with the label point of the polygon (vector tile clients
generally cannot produce a good label placement otherwise)
* |vt-label-attributes|: attributes included in the label point layer
* |vt-coalesce|: if true, takes all features in the tile sharing the
same attribute values, and coalesces their geometries into a single
multi-geometry.

Here is an example style using the above vendor options, in GeoCSS:

|@mode "Flat";

tiger:poly_landmarks {
  fill: gray;
  vt-attributes: 'CFCC,LANAME';
  vt-labels: true;
}

tiger:tiger_roads [@z > 11] {
  stroke: black;
  vt-attributes: 'NAME';
  vt-coalesce: true;
}

tiger:poi [@z > 12] {
  mark: symbol(square);
}
|

The GWC layer preview has also been improved to show the vector tile
feature attributes on hover:

Thanks to Andrea Aime (GeoSolutions) for this work, performed in
preparation for the FOSS4G-NA 2024 vector tiles workshop.

GeoPackage QGIS Compatibility Improvements

A number of issues affecting interoperability with QGIS have been addressed:

GeoPackage extension output could contain field types that are not
supported by GDAL. It turns out the GeoPackage export was picking up
some of the file type information intended for PostGIS, resulting in
output that could not be read by other programs such as QGIS.

We were also able to fix up the TIMESTAMP information representation as
DATETIME, making the file format timezone agnostic as intended.

Thanks to David Blasby (GeoCat) for these fixes made on behalf of
Zeeland and South Holland.

* GEOS-11416 <https://osgeo-org.atlassian.net/browse/GEOS-11416>
GeoPackage output contains invalid field types when exporting
content from PostGIS

New image mosaic merge behaviors, MIN and MAX

These two new image mosaic merge modes activate when multiple images
overlap with each other, choosing respectively the minimum and maximum
value amongst the super-imposed pixels.

Thanks to Andrea Aime for the work, and the US National Research
Laboratory for sponsoring it.

Release notes

New Feature:

* GEOS-11322 <https://osgeo-org.atlassian.net/browse/GEOS-11322> MapML
WMS Vector Representation include query filter
* GEOS-11324 <https://osgeo-org.atlassian.net/browse/GEOS-11324> MapML
WMS Vector Representation Style Classes
* GEOS-11352 <https://osgeo-org.atlassian.net/browse/GEOS-11352> REST
service for URL checks
* GEOS-11376 <https://osgeo-org.atlassian.net/browse/GEOS-11376>
Graduate Raster Attribute Table to extension
* GEOS-11390 <https://osgeo-org.atlassian.net/browse/GEOS-11390>
Replace TestWfsPost with Javascript Demo Page
* GEOS-11414 <https://osgeo-org.atlassian.net/browse/GEOS-11414>
Adding css-uniqueRoleName

Improvement:

* GEOS-11271 <https://osgeo-org.atlassian.net/browse/GEOS-11271>
Upgrade spring-security to 5.8
* GEOS-11325 <https://osgeo-org.atlassian.net/browse/GEOS-11325> Add
properties to set additional security headers
* GEOS-11337 <https://osgeo-org.atlassian.net/browse/GEOS-11337>
Support feature tiles in MapML
* GEOS-11338 <https://osgeo-org.atlassian.net/browse/GEOS-11338>
CapabilityUtil SearchMinMaxScaleDenominator should include support
for multiple NamedLayers
* GEOS-11349 <https://osgeo-org.atlassian.net/browse/GEOS-11349> MapML
Use WMS Resource Consumption Limit to specify max image size
* GEOS-11351 <https://osgeo-org.atlassian.net/browse/GEOS-11351> Exact
term search in the pages’ filters
* GEOS-11369 <https://osgeo-org.atlassian.net/browse/GEOS-11369>
Additional authentication options for cascaded WMS WMTS data stores
* GEOS-11370 <https://osgeo-org.atlassian.net/browse/GEOS-11370>
Refactor inline JavaScript in the TestWfsPost Page
* GEOS-11371 <https://osgeo-org.atlassian.net/browse/GEOS-11371>
Refactor inline JavaScript in the GetMap OpenLayers format
* GEOS-11379 <https://osgeo-org.atlassian.net/browse/GEOS-11379>
Refactor inline JavaScript in the OGC API modules
* GEOS-11400 <https://osgeo-org.atlassian.net/browse/GEOS-11400> About
Page Layout and display of build information
* GEOS-11401 <https://osgeo-org.atlassian.net/browse/GEOS-11401>
Introduce environmental variables for Module Status page
* GEOS-11427 <https://osgeo-org.atlassian.net/browse/GEOS-11427>
metadata: “fix all” to support changing config repeatable field
* GEOS-11443 <https://osgeo-org.atlassian.net/browse/GEOS-11443> REST
API does not take effect immediately due to 10 minute authentication
cache
* GEOS-11461 <https://osgeo-org.atlassian.net/browse/GEOS-11461>
Enable MapML Viewer output for WFS getFeature.
* GEOS-11467 <https://osgeo-org.atlassian.net/browse/GEOS-11467>
Update Marlin, make the bin package compatible with Java 17
* GEOS-11477 <https://osgeo-org.atlassian.net/browse/GEOS-11477> Add a
max and a min merge mode for image mosaics
* GEOS-11486 <https://osgeo-org.atlassian.net/browse/GEOS-11486>
Adding custom dimensions to MapML
* GEOS-11488 <https://osgeo-org.atlassian.net/browse/GEOS-11488>
Double-Click-to-Copy featurecaption variable reference
* GEOS-11495 <https://osgeo-org.atlassian.net/browse/GEOS-11495>
Support multi-layer output in CSS
* GEOS-11502 <https://osgeo-org.atlassian.net/browse/GEOS-11502>
Permit resize on user/group/role palette textbox to allow for extra
long role names
* GEOS-11503 <https://osgeo-org.atlassian.net/browse/GEOS-11503>
Update mongo schemaless DWITHIN to support non-point geometry
* GEOS-11515 <https://osgeo-org.atlassian.net/browse/GEOS-11515> Add
support for zoom level rule filtering in CSS
* GEOS-11526 <https://osgeo-org.atlassian.net/browse/GEOS-11526>
GeoFence: slow GeoServer response when there are many roles and
layergroups
* GEOS-11527 <https://osgeo-org.atlassian.net/browse/GEOS-11527> Add
new vector tiles generation options in style body: vt-attributes,
vt-coalesce, vt-labels, vt-label-attributes
* GEOS-11528 <https://osgeo-org.atlassian.net/browse/GEOS-11528>
Update MapML viewer to latest release 0.14.0
* GEOS-11531 <https://osgeo-org.atlassian.net/browse/GEOS-11531> When
coalescing linestrings in vector tiles output, fuse them to create a
single long line

Bug:

* GEOS-7183 <https://osgeo-org.atlassian.net/browse/GEOS-7183> Demo
request/wcs/wps pages incompatible with HTTPS/PKI
* GEOS-11202 <https://osgeo-org.atlassian.net/browse/GEOS-11202> CAS
extension doesn’t use global “proxy base URL” setting for service ticket
* GEOS-11266 <https://osgeo-org.atlassian.net/browse/GEOS-11266> csw-
iso: missing fields in summary response
* GEOS-11314 <https://osgeo-org.atlassian.net/browse/GEOS-11314> Error
in IconService when style has multiple FeatureTypeStyle
* GEOS-11385 <https://osgeo-org.atlassian.net/browse/GEOS-11385> Demo
Requests functionality does not honour ENV variable PROXY_BASE_URL
* GEOS-11416 <https://osgeo-org.atlassian.net/browse/GEOS-11416>
GeoPackage output contains invalid field types when exporting
content from PostGIS
* GEOS-11422 <https://osgeo-org.atlassian.net/browse/GEOS-11422> MapML
License Metadata Stored With Incorrect Keys
* GEOS-11430 <https://osgeo-org.atlassian.net/browse/GEOS-11430>
CiteComplianceHack not correctly parsing the context
* GEOS-11446 <https://osgeo-org.atlassian.net/browse/GEOS-11446>
[INSPIRE] Incorrect behavior for unsupported languages
* GEOS-11462 <https://osgeo-org.atlassian.net/browse/GEOS-11462> 500
error thrown when double adding a user to a group via REST with JDBC
user/group services
* GEOS-11484 <https://osgeo-org.atlassian.net/browse/GEOS-11484>
DirectRasterRenderer is not respecting advancedProjectionHandling
and continuosMapWrapping format_options
* GEOS-11530 <https://osgeo-org.atlassian.net/browse/GEOS-11530>
Adding or removing a grid subset in the layer caching tab, causes
the grid dropdown to get duplicated

Task:

* GEOS-11341 <https://osgeo-org.atlassian.net/browse/GEOS-11341>
Upgrade NetCDF to 5.3.3
* GEOS-11360 <https://osgeo-org.atlassian.net/browse/GEOS-11360>
Upgrade Apache POI from 4.1.1 to 5.2.5
* GEOS-11362 <https://osgeo-org.atlassian.net/browse/GEOS-11362>
Upgrade Spring libs from 5.3.32 to 5.3.33
* GEOS-11374 <https://osgeo-org.atlassian.net/browse/GEOS-11374>
Upgrade Spring version from 5.3.33 to 5.3.34
* GEOS-11375 <https://osgeo-org.atlassian.net/browse/GEOS-11375> GSIP
224 - Individual contributor clarification
* GEOS-11393 <https://osgeo-org.atlassian.net/browse/GEOS-11393>
Upgrade commons-io from 2.12.0 to 2.16.1
* GEOS-11395 <https://osgeo-org.atlassian.net/browse/GEOS-11395>
Upgrade guava from 32.0.0 to 33.2.0
* GEOS-11397 <https://osgeo-org.atlassian.net/browse/GEOS-11397> App-
Schema Includes fix Integration Tests
* GEOS-11402 <https://osgeo-org.atlassian.net/browse/GEOS-11402>
Upgrade PostgreSQL driver from 42.7.2 to 42.7.3
* GEOS-11403 <https://osgeo-org.atlassian.net/browse/GEOS-11403>
Upgrade commons-text from 1.10.0 to 1.12.0
* GEOS-11404 <https://osgeo-org.atlassian.net/browse/GEOS-11404>
Upgrade commons-codec from 1.15 to 1.17.0
* GEOS-11407 <https://osgeo-org.atlassian.net/browse/GEOS-11407>
Upgrade jackson from 2.15.2 to 2.17.1
* GEOS-11464 <https://osgeo-org.atlassian.net/browse/GEOS-11464>
Update Jackson 2 libs from 2.17.1 to 2.17.2
* GEOS-11470 <https://osgeo-org.atlassian.net/browse/GEOS-11470>
Upgrade the version of Mongo driver for schemaless plugin from 4.0.6
to 4.11.2
* GEOS-11471 <https://osgeo-org.atlassian.net/browse/GEOS-11471>
Remove Sharding configuration support from MapML
* GEOS-11472 <https://osgeo-org.atlassian.net/browse/GEOS-11472>
Upgrade freemarker from 2.3.31 to 2.3.33
* GEOS-11473 <https://osgeo-org.atlassian.net/browse/GEOS-11473>
Upgrade guava from 33.2.0 to 33.2.1
* GEOS-11475 <https://osgeo-org.atlassian.net/browse/GEOS-11475>
Upgrade commons-codec from 1.17.0 to 1.17.1
* GEOS-11478 <https://osgeo-org.atlassian.net/browse/GEOS-11478>
Upgrade commons-lang3 from 3.14.0 to 3.15.0
* GEOS-11479 <https://osgeo-org.atlassian.net/browse/GEOS-11479>
Upgrade junit from 4.13.1 to 4.13.2
* GEOS-11480 <https://osgeo-org.atlassian.net/browse/GEOS-11480>
Update map fish-print-lib 2.3.1
* GEOS-11506 <https://osgeo-org.atlassian.net/browse/GEOS-11506>
Upgrade Spring version from 5.3.37 to 5.3.39 and Spring security
from 5.8.13 to 5.8.14
* GEOS-11508 <https://osgeo-org.atlassian.net/browse/GEOS-11508>
Update OSHI from 6.4.10 to 6.6.3
* GEOS-11512 <https://osgeo-org.atlassian.net/browse/GEOS-11512>
Upgrade jasypt from 1.9.2 to 1.9.3
* GEOS-11532 <https://osgeo-org.atlassian.net/browse/GEOS-11532>
Update to JTS 1.20.0
* GEOS-11533 <https://osgeo-org.atlassian.net/browse/GEOS-11533>
Update org.apache.commons.vfs2 to 2.9.0
* GEOS-11544 <https://osgeo-org.atlassian.net/browse/GEOS-11544>
Upgrade to ImageIO-EXT 1.4.13
* GEOS-11545 <https://osgeo-org.atlassian.net/browse/GEOS-11545>
Update to JAI-EXT 1.1.27

For the complete list see 2.26.0
<https://github.com/geoserver/geoserver/releases/tag/2.26.0> release notes.

Community Updates

Community modules are shared as source code to encourage collaboration.
If a topic being explored is of interest to you, please contact the
module developer to offer assistance.

Community module development:

* GEOS-10690 <https://osgeo-org.atlassian.net/browse/GEOS-10690> Task
manager plugin is missing dependencies
* GEOS-10824 <https://osgeo-org.atlassian.net/browse/GEOS-10824> gs-
flatgeobuf extension can clash with “directory of shapefiles” datastores
* GEOS-11331 <https://osgeo-org.atlassian.net/browse/GEOS-11331>
OAuth2 can throw a “java.lang.RuntimeException: Never should reach
this point”
* GEOS-11358 <https://osgeo-org.atlassian.net/browse/GEOS-11358>
Feature-Autopopulate Update operation does not apply the Update
Element filter
* GEOS-11381 <https://osgeo-org.atlassian.net/browse/GEOS-11381> Error
in OIDC plugin in combination with RoleService
* GEOS-11412 <https://osgeo-org.atlassian.net/browse/GEOS-11412>
Remove reference to JDOM from JMS Cluster (as JDOM is no longer in use)
* GEOS-11466 <https://osgeo-org.atlassian.net/browse/GEOS-11466> move
reusable elements of the graticule plugin to GeoTools
* GEOS-11469 <https://osgeo-org.atlassian.net/browse/GEOS-11469>
Datadir catalog loader does not decrypt HTTPStoreInfo passwords
* GEOS-11518 <https://osgeo-org.atlassian.net/browse/GEOS-11518> DGGS
JDBC store SQL encoder should not force the timezone to CET
* GEOS-11519 <https://osgeo-org.atlassian.net/browse/GEOS-11519> Make
DGGS rHealPix tests run again
* GEOS-11521 <https://osgeo-org.atlassian.net/browse/GEOS-11521>
Expose a JNDI variant of the DGGS Clickhouse datastore
* GEOS-11541 <https://osgeo-org.atlassian.net/browse/GEOS-11541> STAC
search endpoint sortby query not working with POST

OGC APIs feeling “at home”

OGC API modules now nicely slot into the home page in the corresponding
functional section, e.g., since both provide raw vector data, both OGC
API Features and WFS show up in the same area:

Thanks to David Blasby (GeoCat) for this work.

* GEOS-11445 <https://osgeo-org.atlassian.net/browse/GEOS-11445>
OGCAPI ServiceDescriptors

Data directory loader

The “Data Directory loader”, by Gabriel Roldan (Camptocamp), is a
replacement data directory loader, reading the XML configuration files
at startup. It has been optimized to achieve better parallelism and be
more efficient over network file systems.

It can be found amongst the nightly builds
<https://build.geoserver.org/geoserver/2.26.x/community-latest/geoserver-2.26-SNAPSHOT-datadir-catalog-loader-plugin.zip>.
It is a simple drop-in replacement: just unzip the plugin in
|WEB-INF/lib| and restart. Let us know how it works for you.

WFS HTML Freemarker output

The WFS HTML Freemarker output format
<https://docs.geoserver.org/latest/en/user/community/wfs-freemarker/index.html>
is a community module generating HTML in response to GetFeature, using
the GetFeatureInfo Freemarker templates.

Thanks to Alessio Fabiani (GeoSolutions) for starting this activity.

Graticule module

The graticules module
<https://docs.geoserver.org/latest/en/user/community/graticules/index.html>
is the combination of a data store and a rendering transformation that
can generate graticules at multiple resolutions, optionally placing the
graticule labels at the map borders.

Thanks to Ian Turton for working on this activity. Ian needs a few more
people to try this out before it can be included in our GeoServer roadmap.

Developer Updates

The GeoServer team has identified quite the challenges in the GeoServer
2024 Roadmap Planning
<https://geoserver.org/behind%20the%20scenes/2024/01/03/roadmap.html>.

Wicket Progress

After initial testing of the 2.26-M0
<https://github.com/geoserver/geoserver/releases/tag/2.26-M0> milestone
release we held off including Wicket 9 until after the 2.26.0 release.
Thanks to Peter Smythe and Jody Garnett for testing.

Thanks to Brad Hards who started this work in November 2023, and David
Blasby who helped bring this up to a state it could be tested ahead of
the 2.26.0 release.

Spring Security 5.8

Thanks to Andreas Watermeyer (ITS Digital Solutions), who completed this
important update.

This is the last stopping place before Spring Security 6, and the last
chance to work with the OAuth2 community modules.

* GEOS-11271 <https://osgeo-org.atlassian.net/browse/GEOS-11271>
Upgrade spring-security to 5.8

About GeoServer 2.26 Series

Additional information on GeoServer 2.26 series:

* GeoServer 2.26 User Manual <https://docs.geoserver.org/2.26.x/en/user/>
* State of GeoServer 2.26
<https://docs.google.com/presentation/d/1i8QIXI3NR6R4zYSeLrxYo2bTK7VJzX4k4tVruTmZRMo/edit#slide=id.p>
* GeoServer 2024 Q3 Developer Update <https://geoserver.org/
behind%20the%20scenes/2024/07/22/developer-update.html>
* Raster Attribute Table extension <https://github.com/geoserver/
geoserver/wiki/GSIP-222>
* Community module graduation, amending generality rule <https://
github.com/geoserver/geoserver/wiki/GSIP-223>
* Individual contributor clarification <https://github.com/geoserver/
geoserver/wiki/GSIP-224>
* Migrate geoserver-users from SourceForge to discourse <https://
github.com/geoserver/geoserver/wiki/GSIP-225>

Release notes: ( 2.26.0
<https://github.com/geoserver/geoserver/releases/tag/2.26.0> | 2.26-M0
<https://github.com/geoserver/geoserver/releases/tag/2.26-M0> )

Read More
<https://geoserver.org/announcements/vulnerability/2024/09/18/geoserver-2-26-0-released.html>

CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating
property name expressions
<https://geoserver.org/vulnerability/2024/09/12/cve-2024-36401.html>

Sep 12, 2024 • Jody Garnett

The GeoServer community has been under considerable strain responding to
CVE-2024-36401
<https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv>.
This vulnerability stems from GeoTools library CVE-2024-36404
<https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w>.

This vulnerability, in the handling of XPath expressions, affords a
“remote code execution” attack that is under active exploit. A remote
code execution (RCE) attack allows an attacker to run malicious code on
your computer or network.

For more information:

* GeoServer 2.25.2 Release
<https://geoserver.org/announcements/vulnerability/2024/06/18/geoserver-2-25-2-released.html>
(Jun 18, 2024)
* GeoServer 2.24.4 Release <https://geoserver.org/announcements/
vulnerability/2024/06/18/geoserver-2-24-4-released.html> (Jun 18, 2024)
* CVE-2024-36401 <https://github.com/geoserver/geoserver/security/
advisories/GHSA-6jj6-gm7p-fcvv> (July 1, 2024)
* CISA Warns of Actively Exploited RCE Flaw in GeoServer GeoTools
Software <https://thehackernews.com/2024/07/cisa-warns-of-actively-
exploited-rce.html> (The Hacker News, July 18, 2024)
* GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and
Botnet Malware <https://thehackernews.com/2024/09/geoserver-
vulnerability-targeted-by.html> (The Hacker News, September 6, 2024)

Q: Why have I been directed to this post?

You are responsible for running a GeoServer instance that has not been
updated.

1. CVE-2024-36401
   <https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv>
   provides mitigation instructions which you should perform immediately.

   Please stop reading and do this now.

2. Update your instance: Upgrading existing versions
   <https://docs.geoserver.org/latest/en/user/installation/upgrade.html>
   (User Guide)

   The instructions include notes on upgrading specific versions.
   Please read carefully to see if any manual changes are required.

Q: Do I have to update or is a patch available?

With such a serious issue, several service providers have stepped forward
to make fixes available for prior releases.

Full release:

* GeoServer 2.23.6 Release
<https://geoserver.org/announcements/vulnerability/2024/06/13/geoserver-2-23-6-released.html>
(GeoCat)

Patch provided with CVE-2024-36401
<https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv>
report:

* GeoServer 2.25.1 (GeoSolutions)
* GeoServer 2.24.3 (GeoSolutions)
* GeoServer 2.24.2 (GeoSolutions)
* GeoServer 2.23.2 (GeoSolutions)
* GeoServer 2.22.2 (GeoSolutions)
* GeoServer 2.21.5 (GeoSolutions)
* GeoServer 2.21.4 (GeoSolutions)
* GeoServer 2.20.7 (GeoSolutions)
* GeoServer 2.20.4 (GeoSolutions)
* GeoServer 2.19.2 (GeoSolutions)
* GeoServer 2.18.0 (GeoSolutions)

Free software is a participation sport - to create a patch for a prior
release, volunteer with community development <https://geoserver.org/devel/>.
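
A triage sketch for the guidance above, added here as an example and not taken from the GeoServer project: it sorts an inventory of running versions against the fixed releases and patched versions this post lists. The hostnames are constructed, and treating every series newer than 2.25 as already fixed is an assumption based on those series being released after the fix.

```python
import re
from collections import defaultdict

# Full releases the post links for the fix: series -> first fixed patch level.
FIXED_RELEASES = {(2, 23): 6, (2, 24): 4, (2, 25): 2}

# Versions for which the post says a patch is provided with the advisory.
PATCHED_VERSIONS = {
    "2.25.1", "2.24.3", "2.24.2", "2.23.2", "2.22.2", "2.21.5",
    "2.21.4", "2.20.7", "2.20.4", "2.19.2", "2.18.0",
}

# Only plain x.y.z release numbers are classified; snapshots, milestones
# and anything else are reported for manual review.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

ACTIONS = {
    "fixed-release": "keep following release announcements",
    "patch-available": "apply the advisory mitigation now, then the "
                       "advisory patch or an upgrade",
    "no-listed-fix": "apply the advisory mitigation now and upgrade; "
                     "the post lists no fix for this version",
    "unknown-version": "identify the exact build by hand",
}


def triage(version):
    """Classify one GeoServer version string against the post's lists."""
    version = version.strip()
    match = VERSION_RE.match(version)
    if not match:
        return "unknown-version"
    major, minor, patch = (int(part) for part in match.groups())
    series = (major, minor)
    # Assumption: series newer than the newest one listed shipped with the fix.
    if series > max(FIXED_RELEASES):
        return "fixed-release"
    fixed_patch = FIXED_RELEASES.get(series)
    if fixed_patch is not None and patch >= fixed_patch:
        return "fixed-release"
    # A listed patch says nothing about whether it was applied on the host.
    if version in PATCHED_VERSIONS:
        return "patch-available"
    return "no-listed-fix"


def triage_inventory(inventory):
    """Group hosts by triage status; inventory maps host -> version."""
    groups = defaultdict(list)
    for host, version in inventory.items():
        groups[triage(version)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "gis-prod-01": "2.25.2",
    "gis-prod-02": "2.24.3",
    "gis-prod-03": "2.26.0",
    "gis-test-01": "2.22.1",
    "gis-dev-01": "2.26-SNAPSHOT",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)} -> {ACTIONS[status]}")
```
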

Q: How often should I upgrade GeoServer?

GeoServer operates with a time boxed release cycle, maintaining “stable”
and “maintenance” releases, over the course of a year.

* Upgrade GeoServer twice a year as new stable releases are made.

  Once the release you are using has entered “maintenance” it is a
  good idea to upgrade (before the release is no longer supported).

  GeoServer security policy
  <https://github.com/geoserver/geoserver/blob/main/SECURITY.md>
  provides one year of support. You may also contact our service
  providers <https://geoserver.org/support/> for extended support beyond
  this timeframe.

Q: Notification of security vulnerabilities?

Stay up to date:

1. Please monitor release announcements for the heading “Security
   Considerations”.

   *Security Considerations*

   This release addresses security vulnerabilities and is
   considered an essential upgrade for production systems.

   * CVE-2024-36401 Critical

   You can review the release announcement, and in this case with a
   “Critical” vulnerability decide to update.

2. When everyone has had an opportunity to update, the details of the
   vulnerability are announced.

   *Security Considerations*

   This release addresses security vulnerabilities and is
   considered an essential upgrade for production systems.

   * CVE-2024-36401 Remote Code Execution (RCE) vulnerability in
     evaluating property name expression (Critical)

3. As GeoServer has now adopted the use of CVEs for publication you may
   also have success with vulnerability scanning tools.

   CVE Scan Results

   These tools function when the vulnerability is published, and do not
   provide any advance notice.

Q: Notification of security reports?

As security reports contain sensitive information they are only shared
with representatives of the geoserver-security email list.

Participation in geoserver-security, like commit access, is volunteer
based and reflects trust.

Please review GeoServer Security Policy
<https://docs.geoserver.org/latest/en/developer/policies/security.html>
if you are in a position to help out.

Read More
<https://geoserver.org/vulnerability/2024/09/12/cve-2024-36401.html>

Atom feed <https://geoserver.org/feed.xml> ©2024 Open Source
Geospatial Foundation <https://www.osgeo.org/>. License Creative Commons
Attribution <http://creativecommons.org/licenses/by/3.0/>.
