[Geoserver-users] LOG4J Version in GeoServer

Hello!

I think most of you have heard of the LOG4J vulnerability these days: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

As far as I see GeoServer 2.20.1 uses still Log4J Version 1 log4j-1.2.17.jar and luckily is not affected by the problem itself. On the other hand the used log4j version 1 is not officially supported since 2015: “…Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes…” (https://logging.apache.org/log4j/2.x/security.html)

Are there any plans of integrating log4j Version 2 in GeoServer?

Thanks for your short feedback and all the best,
Michael

Note that there is also the Logback library, which is a continuation
of the 1.x branch of Log4j 1.x.
http://logback.qos.ch/
I am not sure if it is exactly a drop-in replacement but it is
probably the most similar thing to a drop-in replacement.

Best regards,
César Martínez

On Mon, 13 Dec 2021 at 19:55, Michael Steigemann via Geoserver-users
<geoserver-users@lists.sourceforge.net> wrote:

Hello!

I think most of you have heard of the LOG4J vulnerability these days: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

As far as I see GeoServer 2.20.1 uses still Log4J Version 1 log4j-1.2.17.jar and luckily is not affected by the problem itself. On the other hand the used log4j version 1 is not officially supported since 2015: "...Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes...." (https://logging.apache.org/log4j/2.x/security.html)

Are there any plans of integrating log4j Version 2 in GeoServer?

Thanks for your short feedback and all the best,
Michael
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   César Martínez Izquierdo
   GIS developer
   - - - - - - - - - - - - - - - - - - - -
   SCOLAB: http://www.scolab.es
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Hi,

please be aware that also log4j 1.x might be affected when using the JMSAppender in the configuration!

From the log4j project website:

Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228

Regards
Daniel

···

Hello!

I think most of you have heard of the LOG4J vulnerability these days: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

As far as I see GeoServer 2.20.1 uses still Log4J Version 1 log4j-1.2.17.jar and luckily is not affected by the problem itself. On the other hand the used log4j version 1 is not officially supported since 2015: “…Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes…” (https://logging.apache.org/log4j/2.x/security.html)

Are there any plans of integrating log4j Version 2 in GeoServer?

Thanks for your short feedback and all the best,

Michael

I understand that the GeoTools/Geoserver community has made a fix to address the JMSAppender vulnerability: log4j-1.2.17.norce.jar
https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17.norce/log4j-1.2.17.norce.jar

But there also an older vulnerability https://nvd.nist.gov/vuln/detail/CVE-2019-17571

that says:
"Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. "

Does this affect Geoserver?

Regard,
Ron

On Thursday, 16 December 2021, 13:59:52 CET, Calliess Daniel Ing. daniel.calliess@anonymised.com wrote:

Hi,

please be aware that also log4j 1.x might be affected when using the JMSAppender in the configuration!

From the log4j project website:

Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228

Regards
Daniel

From: Michael Steigemann via Geoserver-users [mailto:geoserver-users@lists.sourceforge.net]
Sent: Monday, December 13, 2021 7:53 PM
To: GeoServer Mailing List List geoserver-users@anonymised.come.net
Subject: [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer

Hello!

I think most of you have heard of the LOG4J vulnerability these days: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

As far as I see GeoServer 2.20.1 uses still Log4J Version 1 log4j-1.2.17.jar and luckily is not affected by the problem itself. On the other hand the used log4j version 1 is not officially supported since 2015: “…Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes…” (https://logging.apache.org/log4j/2.x/security.html)

Are there any plans of integrating log4j Version 2 in GeoServer?

Thanks for your short feedback and all the best,

Michael


Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Our official statement covers both vulnerabilities, please read:

http://geoserver.org/announcements/2021/12/13/logj4-rce-statement.html

Cheers
Andrea

···

Regards,

Andrea Aime

==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 333 8128928

https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it


Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail

Hello!
Thank you very much for providing the geoserver.war: log4j-1.2.17.norce.jar.
I have integrated into geoserver and ran a OWASP dependency check ( https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html)

The library is still classified as critical:

geoserver.war: log4j-1.2.17.norce.jar cpe:2.3:a:apache:log4j:1.2.17:::::::* pkg:maven/log4j/log4j@anonymised.com. CRITICAL 2 Highest 27

Do you think it is possible and a good idea to register the library as “safe” in the central database?

All the best,
Michael

Am Do., 16. Dez. 2021 um 14:39 Uhr schrieb Andrea Aime <andrea.aime@anonymised.com>:

Our official statement covers both vulnerabilities, please read:

http://geoserver.org/announcements/2021/12/13/logj4-rce-statement.html

Cheers
Andrea

On Thu, Dec 16, 2021 at 2:28 PM Ron Lindhoudt via Geoserver-users <geoserver-users@lists.sourceforge.net> wrote:

I understand that the GeoTools/Geoserver community has made a fix to address the JMSAppender vulnerability: log4j-1.2.17.norce.jar
https://repo.osgeo.org/repository/geotools-releases/log4j/log4j/1.2.17.norce/log4j-1.2.17.norce.jar

But there also an older vulnerability https://nvd.nist.gov/vuln/detail/CVE-2019-17571

that says:
"Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17. "

Does this affect Geoserver?

Regard,
Ron

On Thursday, 16 December 2021, 13:59:52 CET, Calliess Daniel Ing. <daniel.calliess@anonymised.com> wrote:

Hi,

please be aware that also log4j 1.x might be affected when using the JMSAppender in the configuration!

From the log4j project website:

Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44228

Regards
Daniel

From: Michael Steigemann via Geoserver-users [mailto:geoserver-users@anonymised.com.net]
Sent: Monday, December 13, 2021 7:53 PM
To: GeoServer Mailing List List <geoserver-users@anonymised.come.net>
Subject: [EXTERN!]: [Geoserver-users] LOG4J Version in GeoServer

Hello!

I think most of you have heard of the LOG4J vulnerability these days: https://nvd.nist.gov/vuln/detail/CVE-2021-44228

As far as I see GeoServer 2.20.1 uses still Log4J Version 1 log4j-1.2.17.jar and luckily is not affected by the problem itself. On the other hand the used log4j version 1 is not officially supported since 2015: “…Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes…” (https://logging.apache.org/log4j/2.x/security.html)

Are there any plans of integrating log4j Version 2 in GeoServer?

Thanks for your short feedback and all the best,

Michael


Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users


Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Regards,

Andrea Aime

==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 333 8128928

https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it


Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail


Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:

Hello!
Thank you very much for providing the geoserver.war: log4j-1.2.17.norce.jar.
I have integrated into geoserver and ran a OWASP dependency check ( https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html)

The library is still classified as critical:
geoserver.war: log4j-1.2.17.norce.jar cpe:2.3:a:apache:log4j:1.2.17:*:*:*:*:*:*:* pkg:maven/log4j/log4j@anonymised.com CRITICAL 2 Highest 27

Do you think it is possible and a good idea to register the library as "safe" in the central database?

No, this is not a new release but the same release with some files removed and a way of preventing people from shooting themselves in the foot because they can no longer configure the culprit appenders.

After inspection of the new jar file you can add a suppression for false positives like

<suppress>
     <notes>
         <![CDATA[

                  CVE-2019-17571 log4j Socket Server
                  CVE-2020-9488 log4j SMTP appender
                  CVE-2021-4104 log4j JMSAppender
         ]]>
     </notes>
     <gav regex="true">^log4j:log4j:1\.2\.17$</gav>
     <cve>CVE-2019-17571</cve>
     <cve>CVE-2020-9488</cve>
     <cve>CVE-2021-4104</cve>
</suppress>

Our customers are demanding to support the latest version of log4j in Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.* is EOL.
On the Geoserver website I found this (13-12-2021):

We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and are actively looking for funding to perform an upgrade to more recent versions of them. All new logging libraries have a different API and a different configuration file layout, with potential backwards compatibility issues, so this will be likely done on newer versions of GeoServer (2.21.x).

What is the status at this moment?

Thanks,
Ron

On Monday, 20 December 2021, 11:38:54 CET, Mark Prins mc.prins@anonymised.com wrote:

On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:

Hello!
Thank you very much for providing the geoserver.war:
log4j-1.2.17.norce.jar.
I have integrated into geoserver and ran a OWASP dependency check (
https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
<https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html>)

The library is still classified as critical:
geoserver.war: log4j-1.2.17.norce.jar
cpe:2.3:a:apache:log4j:1.2.17:::::::*
pkg:maven/log4j/log4j@anonymised.com CRITICAL 2 Highest 27

Do you think it is possible and a good idea to register the library as
“safe” in the central database?

No, this is not a new release but the same release with some files
removed and a way of preventing people from shooting themselves in the
foot because they can no longer configure the culprit appenders.

After inspection of the new jar file you can add a suppression for false
positives like

<![CDATA[

CVE-2019-17571 log4j Socket Server
CVE-2020-9488 log4j SMTP appender
CVE-2021-4104 log4j JMSAppender
]]>

^log4j:log4j:1.2.17$
CVE-2019-17571
CVE-2020-9488
CVE-2021-4104


Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Currently there are no plans to change the logging framework. The question is how much do you and your customers want to make this change happen? Even estimating the cost of the update is probably several days work, so until we get funding to start looking there isn’t even a plan.

There is a chance we can use OSGeo funds to look at the problem but that still won’t happen unless someone organises it but we are always happy to receive volunteers.

Ian

On Mon, 10 Jan 2022, 16:34 Ron Lindhoudt via Geoserver-users, <geoserver-users@anonymised.comorge.net> wrote:

Our customers are demanding to support the latest version of log4j in Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.* is EOL.
On the Geoserver website I found this (13-12-2021):

We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and are actively looking for funding to perform an upgrade to more recent versions of them. All new logging libraries have a different API and a different configuration file layout, with potential backwards compatibility issues, so this will be likely done on newer versions of GeoServer (2.21.x).

What is the status at this moment?

Thanks,
Ron

On Monday, 20 December 2021, 11:38:54 CET, Mark Prins <mc.prins@anonymised.com> wrote:

On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:

Hello!
Thank you very much for providing the geoserver.war:
log4j-1.2.17.norce.jar.
I have integrated into geoserver and ran a OWASP dependency check (
https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
<https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html>)

The library is still classified as critical:
geoserver.war: log4j-1.2.17.norce.jar
cpe:2.3:a:apache:log4j:1.2.17:::::::*
pkg:maven/log4j/log4j@anonymised.com CRITICAL 2 Highest 27

Do you think it is possible and a good idea to register the library as
“safe” in the central database?

No, this is not a new release but the same release with some files
removed and a way of preventing people from shooting themselves in the
foot because they can no longer configure the culprit appenders.

After inspection of the new jar file you can add a suppression for false
positives like

<![CDATA[

CVE-2019-17571 log4j Socket Server
CVE-2020-9488 log4j SMTP appender
CVE-2021-4104 log4j JMSAppender
]]>

^log4j:log4j:1.2.17$
CVE-2019-17571
CVE-2020-9488
CVE-2021-4104


Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@anonymised.comrceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users


Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

There is now a fork of log4j named reload4j: https://reload4j.qos.ch/ It is a drop-in replacement and the project aims to fix the most urgent issues.

Stefan

···

From: Ron Lindhoudt via Geoserver-users geoserver-users@anonymised.comceforge.net
Sent: Monday, January 10, 2022 5:34 PM
To: geoserver-users@lists.sourceforge.net; Mark Prins
Subject: Re: [Geoserver-users] [EXTERN!]: LOG4J Version in GeoServer

Our customers are demanding to support the latest version of log4j in Geoserver, I mean the latest 2.* without vulnerabilities because log4j 1.* is EOL.
On the Geoserver website I found this (13-12-2021):

We are also aware that Log4J 1.2.17 is an “End Of Life” (EOL) project, and are actively looking for funding to perform an upgrade to more recent versions of them. All new logging libraries have a different API and a different configuration file layout, with potential backwards compatibility issues, so this will be likely done on newer versions of GeoServer (2.21.x).

What is the status at this moment?

Thanks,
Ron

On Monday, 20 December 2021, 11:38:54 CET, Mark Prins <mc.prins@anonymised.com84…> wrote:

On 19-12-2021 11:11, Michael Steigemann via Geoserver-users wrote:

Hello!
Thank you very much for providing the geoserver.war:
log4j-1.2.17.norce.jar.
I have integrated into geoserver and ran a OWASP dependency check (
https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
<https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html>)

The library is still classified as critical:
geoserver.war: log4j-1.2.17.norce.jar
cpe:2.3:a:apache:log4j:1.2.17:::::::*
pkg:maven/log4j/log4j@anonymised.com CRITICAL 2 Highest 27

Do you think it is possible and a good idea to register the library as
“safe” in the central database?

No, this is not a new release but the same release with some files
removed and a way of preventing people from shooting themselves in the
foot because they can no longer configure the culprit appenders.

After inspection of the new jar file you can add a suppression for false
positives like

<![CDATA[

CVE-2019-17571 log4j Socket Server
CVE-2020-9488 log4j SMTP appender
CVE-2021-4104 log4j JMSAppender
]]>

^log4j:log4j:1.2.17$
CVE-2019-17571
CVE-2020-9488
CVE-2021-4104


Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

See http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html

If you and your customers are in urgent need for this upgrade, don’t hesitate to sponsor the effort.

Cheers
Andrea

···

Regards,

Andrea Aime

==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 333 8128928

https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it


Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail

We actually have a call out for sponsors and proposals on replacing the log4j1 library: http://geoserver.org/behind%20the%20scenes/2022/01/20/log4j-upgrade.html

Please support geoserver!

···


Jody Garnett