Geoserver 2 14 3

For Vendors Help Create Join Login Business Software Open Source Software SourceForge Podcast Resources Articles Case Studies Blog Menu Help Create Join Login Home Browse GeoServer Mailing Lists Brought to you by: aaime, gtbuilder, hai-etlik, ianturton, and 3 others Summary Files Reviews Support Wiki Mailing Lists Tickets ▾ Patches Feature Requests News CVS Menu ▾ ▴ geoserver-builds geoserver-devel geoserver-users geoserver-devel [Geoserver-devel] GeoServer 2.14.2 released From: Torben B. - 2019-01-19 00:11:32 We are happy to announce the release of GeoServer 2.14.2 Downloads are provided (zip with docs (html extensions is a stable release of the GeoServer 2.14 series and is recommendedfor all production systems. Users of prior releases of GeoServer areencouraged to upgrade.This release is made in conjunction with GeoTools 20.2 and GeoWebCache1.14.2. Thanks to all who contributed to this release.For more information please see our release notes (2.14.2 2.14.1 and FixesThis release includes a number of new features and improvements: - gs:DownloadEstimator (almost always) returns true when estimating full raster downloads at native resolution - Cannot create jp2k coverage through rest (IndexOutOfBounds) - KML ignores sortBy parameter when querying records - NullPointerException when using env() function with LIKE operator in CSS filters - Can't modify existing GWC blobstore via UI without renaming - NPE if a Jiffle Rendering Transformation is used with Channel Selection - OpenLayers2 preview does not trigger automatically on IE8 - Bad rendering with JAI-EXT and Input/Output TransparentColor options - Complex MongoDB generated properties are not correctly handlded in SLDs - Move the GeoServer ENV Parametrization documentation

GeoServer 2, in some configurations, allows remote attackers to execute arbitrary code via java.lang.Runtime.getRuntime().exec in wps:LiteralData within a wps:Execute request, as exploited in the wild in June 2023.RCE in JiffleThe Jiffle map algebra language, provided by jai-ext, allows efficiently execute map algebra over large images. A vulnerability CVE-2022-24816 has been recently found in Jiffle, that allows a Code Injection to be performed by properly crafting a Jiffle invocation.In the case of GeoServer, the injection can be performed from a remote request.AssessmentGeoTools includes the Jiffle language as part of the gt-process-raster- module, applications using it should check whether it’s possible to provide a Jiffle script from remote, and if so, upgrade or remove the functionality (see also the GeoServer mitigation, below).The issue is of particular interest for GeoServer users, as GeoServer embeds Jiffle in the base WAR package. Jiffle is available as a OGC function, for usage in SLD rendering transformations.This allows for a Remote Code Execution in properly crafted OGC requests, as well as from the administration console, when editing SLD files.MitigationsIn case you cannot upgrade at once, then the following mitigation is strongly recommended:Stop GeoServerOpen the war file, get into WEB-INF/lib and remove the janino-.jarRestart GeoServer.This effectively removes the Jiffle ability to compile scripts in Java code, from any of the potential attack vectors (Janino is the library used to turn the Java code generated from the Jiffle script, into executable bytecode).GeoServer should still work properly after the removal, but any attempt to use Jiffle will result in an exception.References

A remote. Many submodules link to a specific branch, so make sure you get the right one (ask a developer if you are unsure)! % cd geoserver/externals/geoserver % git pull origin 2.7.xIn order for this update to be reflected in the server project, it must be commited like any other change: % cd ../ % git add geoserver % git commit -m "update geoserver submodule"You can then push this change to your fork and create a pull request, like any other commit.Release BranchesDuring regular development, server changes are commited to the master branch. Prior to a release, a release branch (of the form r4.7) is created. Any changes should be made against that branch instead, and backported to master if necessary.When commiting a change to the release branch, note the commit id: [r4.7 0c66de5] update geoserver submoduleTo backport this commit to master, switch to the master branch and use cherry-pick to copy the commit. Remember to push your change up to the server repository: % git checkout master % git cherry-pick 0c66de5 % git push upstream masterCertain submodules (mainly geoserver) will also have release specific branches. If you are updating a submodule on the release branch, first check if it has its own branch for this release (usually of the form server-4.7). Ask a developer if you are unsure.What's nextTo build Boundless Server, go to step 2 of the Quickstart.For more information about the build system, see the Build System Overview.For information on the individual components that comprise server, follow the links in the Modules section.If you are preparing for a new release of Boundless Server, refer to the Release Procedure section.QuickstartClone the repository: % git clone git://github.com/boundlessgeo/server.git server % cd serverInitialize submodule dependencies: % git submodule update --init --recursiveDo a full build:Or build the module of your choice:Build System

To a specific branch, so make sure you get the right one (ask a developer if you are unsure)! % cd geoserver/externals/geoserver % git pull origin 2.7.xIn order for this update to be reflected in the suite project, it must be commited like any other change: % cd ../ % git add geoserver % git commit -m "update geoserver submodule"You can then push this change to your fork and create a pull request, like any other commit.Release BranchesDuring regular development, suite changes are commited to the master branch. Prior to a release, a release branch (of the form r4.7) is created. Any changes should be made against that branch instead, and backported to master if necessary.When commiting a change to the release branch, note the commit id: [r4.7 0c66de5] update geoserver submoduleTo backport this commit to master, switch to the master branch and use cherry-pick to copy the commit. Remember to push your change up to the suite repository: % git checkout master % git cherry-pick 0c66de5 % git push upstream masterCertain submodules (mainly geoserver) will also have release specific branches. If you are updating a submodule on the release branch, first check if it has its own branch for this release (usually of the form suite-4.7). Ask a developer if you are unsure.What's nextTo build suite, go to step 2 of the Quickstart.For more information about the build system, see the Build System Overview.For information on the individual components that comprise suite, follow the links in the Modules section.QuickstartClone the repository: % git clone git://github.com/boundlessgeo/suite.git suite % cd suiteInitialize submodule dependencies: % git submodule update --init --recursiveDo a full build:Or build the module of your choice:Build System OverviewThe suite repository is made up a number of modules (ie projects). During developmenttypically modules are built individually as opposed to all

To enable its use in a Tomcat proxy:sudo nano /opt/tomcat/webapps/geoserver/WEB-INF/web.xmlStep 6.1: Configure Proxy Base URL in GeoServerLocate the following configuration and uncomment it to utilize the domain proxy: PROXY_BASE_URL param-name>PROXY_BASE_URL/param-name> param-value> the allow list for CSRF Protection on Geoserver. GEOSERVER_CSRF_WHITELIST subdomain.example.com">context-param> param-name>GEOSERVER_CSRF_WHITELIST/param-name> param-value>subdomain.example.com/param-value>/context-param>Step 6.2: Enable Cross-Origin CorsFilterSearch for the following configuration and uncomment it to enable CORS in Catalina with Tomcat: cross-origin org.apache.catalina.filters.CorsFilter cors.allowed.origins * cors.allowed.methods GET,POST,PUT,DELETE,HEAD,OPTIONS cors.allowed.headers * ">!-- Uncomment following filter to enable CORS in Tomcat. Do not forget the second config block further down. -->filter> filter-name>cross-origin/filter-name> filter-class>org.apache.catalina.filters.CorsFilter/filter-class> init-param> param-name>cors.allowed.origins/param-name> param-value>*/param-value> /init-param> init-param> param-name>cors.allowed.methods/param-name> param-value>GET,POST,PUT,DELETE,HEAD,OPTIONS/param-value> /init-param> init-param> param-name>cors.allowed.headers/param-name> param-value>*/param-value> /init-param>/filter> cross-origin /*">!-- Uncomment following filter-mapping to enable CORS -->filter-mapping> filter-name>cross-origin/filter-name> url-pattern>/*/url-pattern>/filter-mapping>Make sure to save the changes after uncommenting these configurations to apply the settings for the GeoServer application using Tomcat's proxy functionality.Step 7: Set Up GeoSpatial DatabaseStep 7.1: Install PostgreSQL 14 and PostGIS 3Install PostgreSQL 14 and PostGIS 3 using the following commands:sudo apt install postgis postgresql-14-postgis-3psql --versionsudo systemctl status postgresqlStep 7.2: Create Database and User for the ServiceSwitch to the 'postgres' user:Using the 'postgres' user, create a user and a database:createuser geocreatedb geodb -O geoStep 7.2: Add the PostGIS Extension in the DatabaseAccess the 'geodb' database:psql -d geodb sudo -u geo psql geodbWithin the 'geodb' database, enable the PostGIS extension:geodb=# CREATE EXTENSION postgis;geodb=# CREATE EXTENSION postgis_topology;geodb=# SELECT PostGIS_version();Set a password for the 'geo' user in the Spatial Database and grant all privileges:geodb=# ALTER USER geo WITH PASSWORD 'password';geodb=# GRANT ALL PRIVILEGES ON DATABASE geodb TO geo;geodb=# \q;exitStep 7.3: Expose the Spatial DatabaseModify the PostgreSQL configuration file to allow connections from all origins:sudo nano /etc/postgresql/14/main/postgresql.confUncomment and modify the following line to listen on all IP addresses:#------------------------------------------------------------------------------# CONNECTIONS AND AUTHENTICATION#------------------------------------------------------------------------------# - Connection Settings -listen_addresses = '*' # what IP address(es) to listen on;Configure allowed hosts in the 'pg_hba.conf' file:sudo nano /etc/postgresql/14/main/pg_hba.confAdd the following lines to allow connections to the 'geodb' database from any address:# TYPE DATABASE USER ADDRESS METHOD# "local" is for Unix domain socket connections onlylocal all all peer# IPv4 local connections:host all all 127.0.0.1/32 trusthost geodb geo 0.0.0.0/0 md5# IPv6 local connections:host all all ::1/128 md5# Allow replication connections from localhost, by a user with the# replication privilege.local replication all peerhost replication all 127.0.0.1/32 trusthost replication all ::1/128 md5Allow incoming connections on port 5432 (PostgreSQL default port):Restart the PostgreSQL service:sudo systemctl restart postgresqlFinally, test the connection to the database from a local terminal:psql -U userremoteconnexion -h server_ip_address_hosting_this_database

Version assigned to geotools, geowebcache, and geoserver (instead of -SNAPSHOT), use the build/versions.xml ant script to set a custom version. For example, to build server 4.9-beta1: % ant -f build/versions.xml set-versions -Dserver.minor_version=-beta1 % ant all -Dserver.minor_version=-beta1To undo this action and reset te versions back to -SNAPSHOT: % git reset --hard HEAD % git submodule foreach --recursive git reset --hardCustom-building a GeoServer extension for SupportOccasionally, we will have to build (or re-build) an extension or jar after a server release has gone out.I will be using Server 4.9.1 as the server version for the purposes of this example.Checkout the correct server branch and update submodules: % git checkout r4.9.1 % git submodule update --init --recursiveSet the server version for the geoserver artifacts: % ant -f build/versions.xml set-versions -Dserver.minor_version=-server-4.9.1If you are building an extension that does not normally ship with server, modify build/build.properties and add that module to gs.exts_core or gs.exts_comm (depending upon whether or not it is a community module).Change to the geoserver directory and run a build. % cd geoserver % ant clean build assemble -Dserver.minor_version=-server-4.9.1The geoserver artifacts will be in geoserver/geoserver/src/target/release. The server war will be in webapp/target.ModulesThe server repository is composed of the following modules:composerdashboarddocsgeoservergeowebcachewpsbuilderConsult the module README files for module specific information.