GeoServer Enterprise 2023.2 Release Notes

GeoCat is pleased to present our latest distribution of GeoServer Enterprise.

Overview

GeoServer Enterprise 2023.2 provides support for publishing geospatial data using open standards.

This distribution is made available to GeoCat customers:

• GeoServer Enterprise Standard distribution provides a web archive (or docker image) of GeoServer bundled with popular extensions backed by GeoCat long-term support

• GeoServer Enterprise Premium offers a custom distribution with your selection of extensions backed by GeoCat extended support.

• GeoCat Live provides a hosted GeoServer environment

GeoServer Enterprise 2023.2 is a recommended upgrade for all our customers and is compatible with GeoCat Bridge for both ArcGIS Desktop and QGIS Desktop.

General

GeoServer Enterprise 2023.2 release notes:

• Offers our GeoServer Enterprise Premium customers “predefined war” service with a ready to use war including your selection of supported GeoServer extensions.

• GeoServer Enterprise 2023.2 is proudly open source with the latest GeoServer 2.23.4, GeoWebCache 1.23.3, and GeoTools 29.4 technologies.

Detailed change log:

• GeoServer posts ( 2.23.3 | 2.23.4 )

• GeoServer release notes ( 2.23.3 | 2.23.4 )

• Additional GeoServer Enterprise issues addressed:

  • [GEOS-10248] Check WPSInitializer interaction with reload process

Security considerations:

• GeoCat respects the GeoServer coordinated disclosure policy, contact support directly to discuss list of known security vulnerabilities.

  • CVE-2023-51445 Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API

  • CVE-2024-23634 GeoServer Arbitrary file renaming vulnerability in REST Coverage/Data Store API

  • CVE-2024-23640 GeoServer’s Style Publisher vulnerable to Stored Cross-Site Scripting (XSS)

  • CVE-2024-23642 GeoServer’s Simple SVG Renderer vulnerable to Stored Cross-Site Scripting (XSS)

  • CVE-2024-23643 GeoServer’s GWC Seed Form vulnerable to Stored Cross-Site Scripting (XSS)

  • CVE-2024-23818 Stored Cross-Site Scripting (XSS) vulnerability in WMS OpenLayers Format

  • CVE-2024-23819 Stored Cross-Site Scripting (XSS) vulnerability in MapML HTML Page

  • CVE-2024-23821 Stored Cross-Site Scripting (XSS) vulnerability in GWC Demos Page

• Java 11 is now required for continued access to latest dependency security updates

• Component updates:

  • [GEOS-11091] Update spring-security 5.7.10

Known issues:

• Known issues for GeoServer Enterprise 2023.2

GeoServer Enterprise Standard

Improvements:

• Admin Console display of disabled text fields

• [GEOS-11090] Use Catalog streaming API in WorkspacePage

  Startup time greatly improved for large catalogues

• [GEOS-11094] Update hsqldb 2.7.2

GeoServer Enterprise Premium

New functionality:

• [GEOS-11209] Open ID Connect Proof Key of Code Exchange (PKCE)

• [GEOS-11212] OIDC accessToken verification using only JWKs URI

Fix:

• [GEOS-11032] Unlucky init order with GeoWebCacheExtension gwcFacade before DiskQuotaMonitor

  Adressed problem preventing GeoServer Enterprise startup depending on extensions included.

Technology preview:

• OAUth 2 / OpenID Connect (OIDC)

• Cloud Optimized GeoTIFF: under customer evaluation for roadmap planning

• ogcapi-features: under customer evaluation for roadmap planning