GeoServer 2.21.4 Release

Release notes

Vulnerabilities

• CVE-2023-25158 OGC Filter SQL Injection Vulnerabilities (GeoTools)
• CVE-2023-25157 OGC Filter SQL Injection Vulnerabilities (GeoServer)

Bug

• GEOS-7506 shutdown.bat cannot run without JAVA_HOME set

• GEOS-10683 FileWrapperResourceTheoryTest fails on Windows since Java 11

• GEOS-10689 OSHISystemInfoCollector holds non daemon threads, prevents clean shutdown of Tomcat

• GEOS-10807 LayerGroup with nested group POST rest op fails with null styles attribute

• GEOS-10813 jdbc config cache bug

• GEOS-10817 Features Templating - XML HTML output doesn't escape all html and xml symbols

• GEOS-10818 Schemaless Property Accessor returns emptylist instead of null for null/not existing properties

• GEOS-10829 JDBC Config missing some nested layer properties

• GEOS-10842 Escape user inputs in SQL queries

• GEOS-10846 Enable auto-escaping for REST HTML templates

Improvement

• GEOS-10814 Update jdbc config to use consistent SQL formatting

• GEOS-10816 OGC API Features complex features test fails since introduction of tag in HTML templates

• GEOS-10848 Column remarks documentation should be updated to reflect that functionality is supported with JNDI

• GEOS-10851 GWC S3 Blobstore Parameters Get Converted back to plain text after an application restart