GeoServer Enterprise 2024.0 Release Notes
GeoCat is pleased to present our latest distribution of GeoServer Enterprise.
Overview
GeoServer Enterprise 2024.0 provides support for publishing geospatial data using open standards.
This distribution is made available to GeoCat customers:
GeoServer Enterprise Standard distribution provides a web archive (or docker image) of GeoServer bundled with popular extensions, backed by GeoCat long-term support.
GeoServer Enterprise Premium offers a custom distribution with your selection of extensions, backed by GeoCat extended support.
GeoCat Live provides a hosted GeoServer environment.
GeoServer Enterprise 2024.0 is a recommended upgrade for all our customers and is compatible with GeoCat Bridge for both ArcGIS Desktop and QGIS Desktop.
General
GeoServer Enterprise 2024.0 release notes:
Offers our GeoServer Enterprise Premium customers a “predefined war” service, with a ready-to-use war including your selection of supported GeoServer extensions.
GeoServer Enterprise 2024.0 is proudly open source with the latest GeoServer 2.25.1, GeoWebCache 1.25.1, and GeoTools 31.1 technologies.
Detailed change log:
Security considerations:
GeoCat respects the GeoServer coordinated vulnerability disclosure policy; contact us directly to discuss mitigation and resolution availability for known security vulnerabilities.
Not disclosed at the time of writing (mitigation only):
CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions
Not disclosed at the time of writing:
CVE-2024-34696 GeoServer’s Server Status shows sensitive environmental variables and Java properties
CVE-2024-35230 Welcome and About GeoServer pages communicate version and revision information
The following vulnerabilities are presently disclosed:
CVE-2023-51444 Arbitrary file upload vulnerability in REST Coverage Store API
CVE-2023-41877 GeoServer log file path traversal vulnerability
CVE-2024-23634 Arbitrary file renaming vulnerability in REST Coverage/Data Store API
CVE-2024-23643 Stored Cross-Site Scripting (XSS) vulnerability in GWC Seed Form
CVE-2024-23821 Stored Cross-Site Scripting (XSS) vulnerability in GWC Demos Page
CVE-2024-23819 Stored Cross-Site Scripting (XSS) vulnerability in MapML HTML Page
CVE-2024-23818 Stored Cross-Site Scripting (XSS) vulnerability in WMS OpenLayers Format
CVE-2024-23642 Stored Cross-Site Scripting (XSS) vulnerability in Simple SVG Renderer
CVE-2024-23640 Stored Cross-Site Scripting (XSS) vulnerability in Style Publisher
CVE-2023-51445 Stored Cross-Site Scripting (XSS) vulnerability in REST Resources API
If you are using GeoServer Enterprise 2023.3, the disclosed vulnerabilities have already been patched.
Known issues:
Known issues for 2024.0
GeoServer Enterprise Standard
Upgrade notes:
Tile Caching / Disk Quota store changes: the H2 database used to track disk space use has been replaced with an HSQL database.
During initial startup you will receive a log message indicating the DiskQuota has been disabled.
Use the Disk Quota page to configure an external HSQL database or switch to in-process HSQL database.
You may then remove the unused gwc/diskquota_page_store_h2/ databases.
New Feature:
Feature type description can now be edited when customizing feature type attribute
Improvements:
About page version and build details only displayed when logged in as an administrator
Java 17 support for GetFeature “lazy” count(*) performance optimization
Fast polygon intersection enabled by default
FreeMarker Template HTML Auto-escaping is now enabled by default.
Configuration option ENTITY_RESOLUTION_ALLOWLIST default changed to ogc, w3c, and inspire, as required by the majority of our customers. Previously this was an optional setting.
Configuration option GEOSERVER_USE_STRICT_FIREWALL is now enabled by default.
Configuration option GEOSERVER_DISABLE_STATIC_WEB_FILES is available to restrict use of the geoserver/www folder (used to serve static web files).
Configuration options GEOSERVER_MODULE_SYSTEM_ENVIRONMENT_STATUS_ENABLED and GEOSERVER_MODULE_SYSTEM_PROPERTY_STATUS_ENABLED control the behaviour of Module Status information.
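As an added example (not GeoCat's or the GeoServer project's own code), the POSIX shell script below assembles the configuration options listed above as JVM system properties and checks a JAVA_OPTS-style string for settings that weaken them. It assumes the options are passed to the servlet container as -D system properties (GeoServer also accepts them as environment variables or servlet context parameters, which this script does not inspect); the weakened option strings it checks against are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the GeoCat release notes. Assumes the options are
# passed as -D system properties in JAVA_OPTS / CATALINA_OPTS.

# Emit the -D system properties for a hardened GeoServer Enterprise 2024.0
# deployment: the new ENTITY_RESOLUTION_ALLOWLIST default, the strict firewall,
# static www files disabled, and Module Status kept from listing environment
# variables and Java system properties.
geoserver_hardening_opts() {
  printf '%s' \
    "-DENTITY_RESOLUTION_ALLOWLIST=ogc,w3c,inspire" \
    " -DGEOSERVER_USE_STRICT_FIREWALL=true" \
    " -DGEOSERVER_DISABLE_STATIC_WEB_FILES=true" \
    " -DGEOSERVER_MODULE_SYSTEM_ENVIRONMENT_STATUS_ENABLED=false" \
    " -DGEOSERVER_MODULE_SYSTEM_PROPERTY_STATUS_ENABLED=false"
}

# Read one -D option out of an options string ($1 = name, $2 = options).
# Prints the last value given, or nothing when the option is not set.
opt_value() {
  printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^-D$1=//p" | tail -n 1
}

# Check an options string against the 2024.0 defaults. Prints one line per
# weakened setting; returns 0 when nothing was found, 1 otherwise.
check_hardening() {
  opts="$1"
  findings=0
  if [ "$(opt_value GEOSERVER_USE_STRICT_FIREWALL "$opts")" = "false" ]; then
    echo "FINDING: GEOSERVER_USE_STRICT_FIREWALL=false opts out of the 2024.0 default"
    findings=$((findings + 1))
  fi
  if [ "$(opt_value GEOSERVER_MODULE_SYSTEM_ENVIRONMENT_STATUS_ENABLED "$opts")" = "true" ]; then
    echo "FINDING: Module Status will list environment variables (see CVE-2024-34696)"
    findings=$((findings + 1))
  fi
  if [ "$(opt_value GEOSERVER_MODULE_SYSTEM_PROPERTY_STATUS_ENABLED "$opts")" = "true" ]; then
    echo "FINDING: Module Status will list Java system properties (see CVE-2024-34696)"
    findings=$((findings + 1))
  fi
  if [ "$(opt_value GEOSERVER_DISABLE_STATIC_WEB_FILES "$opts")" != "true" ]; then
    echo "NOTE: geoserver/www static files still served; set GEOSERVER_DISABLE_STATIC_WEB_FILES=true if unused"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Demonstration on a constructed, weakened JAVA_OPTS string and on the
# hardened set produced above.
WEAK_OPTS="-Xmx2g -DGEOSERVER_USE_STRICT_FIREWALL=false -DGEOSERVER_MODULE_SYSTEM_ENVIRONMENT_STATUS_ENABLED=true"
echo "== constructed weak JAVA_OPTS =="
check_hardening "$WEAK_OPTS" || true
echo "== hardened JAVA_OPTS =="
check_hardening "$(geoserver_hardening_opts)" && echo "no findings"
```

The last value of a repeated option wins, matching how a later -D on the JVM command line overrides an earlier one; a deployment that sets these options through environment variables or web.xml context parameters needs the same comparison applied to those sources.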