jive
March 5, 2025, 7:54am
1
@groldan and I are on deck for GeoServer 2.27.0 later this month.
Starting a thread here for any PRs folks need to see reviewed ahead of release.
For those who volunteer on geoserver-security, please check in as we review what vulnerabilities have been addressed and can be disclosed alongside 2.27.0.
jive
March 5, 2025, 8:04am
2
There are a couple of JAI integration issues I would like to see make the cut.
The change of logger from `javax.media.jai` to `org.geoserver.jai` seems temporary with upcoming change to ImageN on the roadmap. Any alternatives to consider?
The main purpose of the PR was to throw JAI runtime exceptions instead of just logging them so the logger name change was removed from the PR.
An additional PR to review would be:
geotools:main
← sikeoka:GEOT-7724
opened 06:03PM - 03 Mar 25 UTC
- Removed java.net.InetAddress and java.util.Hashtable from the default allow list to effectively block deserializing SerializableRenderedImage instances
- Refactored the primitive array allow list to allow both 1D and 2D primitive arrays
- Made the methods to set the allow list pattern non-private to support unit testing
- Added a unit test to verify that SerializableRenderedImage is blocked by default and can be allowed using the system property
- Added more logging messages and added the file path to all logging messages
- Updated the sample image files in the imagepyramid test data to the new format
- Added a warning about deserializing GridCoverage2D instances
# Checklist
- [x] I have read the [contribution guidelines](https://github.com/geotools/geotools/blob/main/CONTRIBUTING.md).
- [x] I have sent a [Contribution Licence Agreement](https://docs.geotools.org/latest/developer/procedures/contribution_license.html) (not required for small changes, e.g., fixing typos in documentation).
- [x] First PR targets the `main` branch (backports managed later; ignore for branch specific issues).
- [x] Avoid [Java 9+ split packages](http://tutorials.jenkov.com/java/modules.html#split-packages-not-allowed).
- [x] All the build checks are green ([see automated QA checks](https://docs.geotools.org/latest/developer/conventions/code/qa.html)).
For core and extension modules:
- [x] New unit tests have been added covering the changes.
- [x] [Documentation](https://github.com/geotools/geotools/tree/main/docs) has been updated (if change is visible to end users).
- [x] There is an issue in [GeoTools Jira](https://osgeo-org.atlassian.net/projects/GEOT) (except for changes not visible to end users).
- [x] Commit message(s) must be in the form ``[GEOT-XYZW] Title of the Jira ticket``.
- [x] Bug fixes and small new features are presented as a single commit.
- [x] The commit targets a single objective (if multiple focuses cannot be avoided, each one is in its own commit, and has a separate ticket describing it).
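
The allow-list behaviour summarised in the PR description above, as an added example that is not GeoTools code and not part of the thread: a regex allow list applied through the JDK's `java.io.ObjectInputFilter` admits 1D and 2D primitive arrays, while a wrapper object is rejected because the types of its fields are not listed. The `ImageHandle` class, the pattern, and the use of `ObjectInputFilter` are assumptions for illustration; the page does not show how GeoTools applies its list.

```java
import java.io.*;
import java.net.InetAddress;
import java.util.Hashtable;
import java.util.regex.Pattern;

public class AllowListDemo {
    // Hypothetical stand-in for an image wrapper whose fields use the two types
    // the PR removes from the default allow list.
    static class ImageHandle implements Serializable {
        InetAddress host = InetAddress.getLoopbackAddress();
        Hashtable<String, Object> properties = new Hashtable<>();
    }
    // Constructed allow list: 1D and 2D primitive arrays, plus the wrapper itself.
    static final Pattern ALLOW = Pattern.compile(
            "\\[{1,2}[ZBCSIJFD]|" + Pattern.quote(ImageHandle.class.getName()));

    // Every class met in the stream is checked by name; anything unlisted is rejected.
    static ObjectInputFilter filter(Pattern allow) {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // no class to judge
            return allow.matcher(c.getName()).matches()
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        };
    }
    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        return bytes.toByteArray();
    }
    static Object read(byte[] data, Pattern allow) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter(allow)); // must be set before the first read
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        int[][] tile = (int[][]) read(write(new int[][] {{1, 2}, {3, 4}}), ALLOW);
        System.out.println("2D primitive array accepted, rows: " + tile.length);
        try {
            read(write(new ImageHandle()), ALLOW);
            System.out.println("ImageHandle accepted");
        } catch (InvalidClassException e) {
            // The wrapper is listed, but its InetAddress field is not, so the graph fails.
            System.out.println("ImageHandle rejected: " + e.getMessage());
        }
    }
}
```

Requires Java 9 or later for `ObjectInputFilter`.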
jive
March 7, 2025, 8:44pm
4
jive
March 8, 2025, 2:23am
5
Release mapfish-print-v2 2.3.3 was uneventful, synchronized the versions used with GeoServer prior to release.
There is a PR for geoserver here: [GEOS-11754] Update mapfish-print-v2 to 2.3.3 by jodygarnett · Pull Request #8381 · geoserver/geoserver · GitHub