GeoServer Enterprise 2023.2.1 Release Notes

GeoCat is pleased to provide our long-term support customers with this release of GeoServer Enterprise 2023.2.1.

Overview

This patch release updates existing installations of GeoServer 2023.2 to address CVE-2024-36401.

GeoServer Enterprise 2023.2.1 is an urgent update for customers to respond to this security issue. The appropriate mitigation measure should already be applied.

General

GeoServer Enterprise 2023.2 release notes:

  • GeoServer Enterprise 2023.2 is proudly open source with the latest GeoServer 2.23.6, GeoWebCache 1.23.5, and GeoTools 29.6 technologies.

    GeoCat made these releases on behalf of our GeoServer Enterprise customers.

Detailed change log:

Security considerations:

  • GeoCat respects the GeoServer coordinated disclosure policy; contact support directly to discuss the list of known security vulnerabilities.

    The above vulnerabilities are not disclosed at the time of writing.

  • The following vulnerabilities are publicly disclosed:

    • CVE-2023-51445 Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API

    • CVE-2024-23634 Arbitrary file renaming vulnerability in REST Coverage/Data Store API (Moderate).

Known issues:

GeoServer Enterprise Standard

Fixes:

  • Fix LegendGraphic generation using a PostGIS datastore when hideEmptyRules is used with "Support on the fly geometry simplification" enabled

GeoServer Enterprise Premium

Technology preview:

  • Improve OAuth2 and OIDC integration with role service use