[Geoserver-users] GeoTools 29.2 & GeoServer 2.23.2 released

GeoTools 29.2 has been released as the new stable release of the library - more details at the blog, GeoWebCache 1.23.1 and GeoServer 2.23.2 are also released based on this release. Full details of the GeoServer release including two security related issues are available at the GeoServer blog.

We encourage all users to upgrade as soon as possible.


Ian Turton

Good morning Ian and all other people on this list,

thank you very much for your work and time.

The latest GeoServer release contains two security related fixes:

Security Considerations
This release addresses security vulnerabilities and is considered an essential upgrade for production systems.

GEOS-10949 Control remote resources accessed by GeoServer
GEOS-11008 Update sqlite-jdbc from 3.34.0 to 3.41.2.2

See project security policy for more information on how security vulnerabilities are managed.

The links for both fixes result in a 404 resource not found error! That is a bit confusing and should be fixed.

The currently used links are:

- https://geoserver.org/browse/GEOS-10949
- https://geoserver.org/browse/GEOS-11008

A working link for "issue" 10949 is:

     https://osgeo-org.atlassian.net/browse/GEOS-10949

The same schema works for 11008:

     https://osgeo-org.atlassian.net/browse/GEOS-11008

If the working links are the correct ones, someone could fix the links on the release page

     https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html

Kind regards and have a nice day!

  Eike

On 24.07.23 09:00, Ian Turton wrote:

GeoTools 29.2 has been released as the new stable release of the library -
more details at the blog
<https://geotoolsnews.blogspot.com/2023/07/geotools-292-released.html>,
GeoWebCache 1.23.1 and GeoServer 2.23.2 are also released based on this
release. Full details of the GeoServer release including two security
related issues are available at the GeoServer blog
<https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html>.

We encourage all users to upgrade as soon as possible.

_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

--
Jürrens, Eike Hinderk

52°North Spatial Information Research GmbH
Martin-Luther-King-Weg 24
48155 Münster, Germany

E-Mail: e.h.juerrens@...1693...
Fon: +49-(0)-251–396371-33
Fax: +49-(0)-251–396371-11

https://52north.org/
Twitter: @FiveTwoN

Managing Directors:
Dr. Benedikt Gräler, Dr. Simon Jirka, Matthes Rieke
Local Court Muenster HRB 10849

Sorry about that, the links should be fixed now

Jody: Where should I add bugs for the announce script?

Ian


Jira is fine, I think we have a website or blog category.

There was some deleted text from the last announcement that provided some more context on GEOS-10949. It is actually a new feature allowing us greater control of how open web services access external resources. The security aspect, ability to mitigate SSRF, is secondary.

https://github.com/geoserver/geoserver.github.io/commit/f0a6422d722d7f6756552e2b2c37aea90df27de7

This text also highlights the new feature with a screen snap.

Jody
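The kind of control Jody describes for GEOS-10949 (deciding which external resources an OWS request may make the server fetch, which as a side effect limits SSRF) can be illustrated with an allowlist check on every outbound URL. The block below is an added example written for this thread; it is not GeoServer's code and makes no claim about how GeoServer implements its feature. The allowlist patterns, the sample URLs and the redirect responder are all constructed for the example. Note that it checks literal IP addresses only and does not resolve hostnames, so a hostname that resolves to an internal address (DNS rebinding) still has to be handled at connection time.

```python
"""Allowlist check for URLs a server fetches on a client's behalf.

Added illustration for the GEOS-10949 discussion; not GeoServer code.
Allowlist entries, sample URLs and the fake responder are constructed.
"""
import ipaddress
import re
from urllib.parse import urljoin, urlsplit

# Constructed allowlist: an approved external URL must match one pattern in full.
ALLOWED_URL_PATTERNS = [
    re.compile(r"https://tiles\.example\.org/.*"),
    re.compile(r"https://sld\.example\.org/styles/[A-Za-z0-9_-]+\.sld"),
]

ALLOWED_SCHEMES = {"http", "https"}


def _host_is_internal(host: str) -> bool:
    """True for 'localhost' or a literal IP that is not globally routable
    (loopback, RFC 1918, link-local such as 169.254.169.254, etc.).
    Hostnames are not resolved here."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host.lower() == "localhost"
    return not ip.is_global


def is_url_allowed(url: str) -> bool:
    """Scheme, host and credential checks first, then the full-match allowlist."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # file://, gopher://, jar:// and friends are never fetched
    if not parts.hostname or _host_is_internal(parts.hostname):
        return False
    if parts.username or parts.password:
        return False  # https://allowed.host@evil.host/ style confusion
    return any(p.fullmatch(url) for p in ALLOWED_URL_PATTERNS)


def resolve_through_redirects(url: str, responder, max_redirects: int = 3) -> bytes:
    """Follow redirects, re-checking every hop against the allowlist.

    responder(url) returns ("redirect", location) or ("body", bytes).
    Raises PermissionError naming the first refused hop."""
    for _ in range(max_redirects + 1):
        if not is_url_allowed(url):
            raise PermissionError(f"refused external resource: {url}")
        kind, payload = responder(url)
        if kind == "body":
            return payload
        # A redirect target may be relative; resolve it before the next check.
        url = urljoin(url, payload)
    raise PermissionError("too many redirects")


# Constructed responses standing in for real HTTP servers.
CONSTRUCTED_RESPONSES = {
    "https://tiles.example.org/osm/1/2/3.png": ("body", b"PNG"),
    "https://tiles.example.org/old/3.png": ("redirect", "/osm/1/2/3.png"),
    # An allowed host bouncing the server towards a cloud metadata endpoint.
    "https://tiles.example.org/oops": ("redirect", "http://169.254.169.254/latest/meta-data/"),
}


def constructed_responder(url: str):
    return CONSTRUCTED_RESPONSES.get(url, ("body", b""))


def try_fetch(url: str):
    """Return the fetched body, or None when any hop was refused."""
    try:
        return resolve_through_redirects(url, constructed_responder)
    except PermissionError:
        return None


if __name__ == "__main__":
    for u in (
        "https://tiles.example.org/old/3.png",
        "https://tiles.example.org/oops",
        "http://localhost:8080/geoserver/rest/",
        "file:///etc/passwd",
    ):
        print(u, "->", try_fetch(u))
```

The redirect re-check is the part most often missed: validating only the URL the client supplied leaves an allowed host free to redirect the server anywhere, so each Location is run through the same check before it is followed.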


Same deal with GEOS-11008 - although the original reporter marked this as a vulnerability (ignoring our security policy) there was no effort at all made to check if the SQLite issue is a problem for GeoServer.

So it is just a regular sqlite upgrade as far as we are concerned.

Jody
