georchestra
Please Test GeoServer 2.25-RC Release Candidate
Hello georchestra team, can I ask for your testing and feedback on GeoServer 2.25-RC https://geoserver.org/announcements/2024/03/04/geoserver-2-25-RC-released.html
You can read above about some configuration changes that you may make use of when running. If you have team members on the geoserver-security list, they are already aware of the CVEs that will be disclosed alongside the 2.25.0 release (when they will start to show up in automatic scans).
We look forward to hearing from you and thank you for enjoying GeoServer.
Thanks @jodygarnett, that notice is much appreciated.
IIRC an update to 2.24 was in the works and #4076 tracked it, so we will at least make sure to update to 2.24.2, which has the security fixes. Is there an ETA for the 2.25 release? In any case we have a community meeting planned next week, so the timing is right.
BTW, I've noted the post mentions "(or GeoServer 2.35.5 Release)"; I suppose that's 2.23.5 :)
Yeah, this is about sharing risk, so testing with 2.25-RC for any regressions before the release is made next Wednesday.
I am trying to call for greater participation (and funding) as our community does not have the practice of release-early-release-often feedback to share risk.
Hi @jodygarnett, in #4211 I'm testing the 2.25 branch as of today (e.g. https://github.com/georchestra/geoserver/commits/2.25.x-georchestra/ is the tip of 2.25 plus our commits on top), and I'm hitting an exception probably coming from geoserver/geoserver#7444, as setting `-DENTITY_RESOLUTION_ALLOWLIST=*` in the Tomcat Java env fixes the issue. I've tried disabling the URL checks and that didn't help.
Trying to validate an SLD is enough to trigger `org.xml.sax.SAXException: Entity resolution disallowed for null`, as is trying to render a layer in the OpenLayers preview.
I suppose that PR has been sufficiently tested; I will dig further to try to understand what could cause it. That's with building and running with Java 17 and Tomcat 9.
That's with the default (probably outdated) polygon.sld from https://github.com/georchestra/geoserver_minimal_datadir/blob/23.0/styles/default_polygon.sld
OK, found the issue. For some reason (I'll try to figure out whether that comes from the integration within geOrchestra, from the extensions we enable/bundle, ...) the resulting WAR contains `xercesImpl-2.12.2.jar`, and that's what's causing the issue. The full traceback is:
```
Caused by: org.xml.sax.SAXException: Entity resolution disallowed for null
at org.geoserver.util.AllowListEntityResolver.resolveEntity(AllowListEntityResolver.java:176)
at org.geoserver.util.AllowListEntityResolver.getExternalSubset(AllowListEntityResolver.java:119)
at org.apache.xerces.util.EntityResolver2Wrapper.getExternalSubset(Unknown Source)
at org.apache.xerces.impl.XMLDocumentScannerImpl$ContentDispatcher.resolveExternalSubsetAndRead(Unknown Source)
at org.apache.xerces.impl.XMLNSDocumentScannerImpl$NSContentDispatcher.scanRootElementHook(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
at org.geotools.xml.styling.SLDParser.parseSLD(SLDParser.java:469)
```
If I remove `xercesImpl-2.12.2.jar` from the webapp and restart Tomcat, everything runs fine and 2.25 is smooth.
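As an added example (this editor's own code, not GeoServer's `AllowListEntityResolver` and not anything posted in this thread), the class below models the two call paths visible in the traceback: `resolveEntity()` for an explicit external reference, and `getExternalSubset()`, which the trace shows Xerces 2.12.2 asking from `scanRootElementHook` for a document that declares no DOCTYPE. A resolver that answers that question by delegating to `resolveEntity()` with a `null` systemId raises exactly the message seen above; one that answers `null` ("I have no external subset for you") keeps the allowlist enforcement for real external DTDs and still parses a plain SLD. The class and field names, the `schemas.opengis.net` allowlist entry, the SLD stubs and the `dtd.example.invalid` host are all assumptions made for the example; the `"*"` wildcard is modelled on the `-DENTITY_RESOLUTION_ALLOWLIST=*` workaround mentioned earlier in the thread.

```java
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.ext.EntityResolver2;

/**
 * Illustrative allowlist entity resolver (example code, not GeoServer's own class).
 * It models the two code paths in the trace: resolveEntity() for an explicit external
 * reference, and getExternalSubset(), which Xerces asks for a DOCTYPE-less document.
 */
public class EntityAllowlistDemo {

    static final class AllowlistResolver implements EntityResolver2 {
        private final List<String> allowedHosts;   // "*" allows everything, like ENTITY_RESOLUTION_ALLOWLIST=*
        private final boolean throwOnNullSystemId; // true reproduces the failure mode in the trace

        AllowlistResolver(List<String> allowedHosts, boolean throwOnNullSystemId) {
            this.allowedHosts = allowedHosts;
            this.throwOnNullSystemId = throwOnNullSystemId;
        }

        @Override
        public InputSource resolveEntity(String publicId, String systemId)
                throws SAXException, IOException {
            return resolveEntity(null, publicId, null, systemId);
        }

        @Override
        public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId)
                throws SAXException, IOException {
            if (systemId == null) {
                if (throwOnNullSystemId) {
                    throw new SAXException("Entity resolution disallowed for null");
                }
                return null; // nothing external to fetch
            }
            String host;
            try {
                host = URI.create(systemId).getHost();
            } catch (IllegalArgumentException e) {
                host = null; // unparseable URI: treat as not allowlisted
            }
            if (allowedHosts.contains("*") || (host != null && allowedHosts.contains(host))) {
                return null; // null tells the parser to open systemId itself
            }
            throw new SAXException("Entity resolution disallowed for " + systemId);
        }

        @Override
        public InputSource getExternalSubset(String name, String baseURI)
                throws SAXException, IOException {
            if (throwOnNullSystemId) {
                // Delegating with a null systemId turns the harmless
                // "do you have a DTD for me?" question into a hard failure.
                return resolveEntity(name, null, baseURI, null);
            }
            return null; // we never supply an external subset; parsing continues
        }
    }

    static Document parse(String xml, EntityResolver2 resolver) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Classpath check for the situation in this thread: a bundled xercesImpl answers as
        // org.apache.xerces.jaxp.DocumentBuilderFactoryImpl, the JDK's own parser as
        // com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl.
        System.out.println("JAXP factory in use: " + factory.getClass().getName());
        factory.setNamespaceAware(true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setEntityResolver(resolver);
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        List<String> allow = List.of("schemas.opengis.net"); // assumed allowlist

        // Constructed inputs: a DOCTYPE-less SLD stub (like default_polygon.sld) and a
        // document that drags in an external DTD from a host that is not allowlisted.
        String sldNoDoctype =
            "<StyledLayerDescriptor xmlns=\"http://www.opengis.net/sld\" version=\"1.0.0\"/>";
        String sldExternalDtd =
            "<!DOCTYPE StyledLayerDescriptor SYSTEM \"http://dtd.example.invalid/sld.dtd\">"
            + "<StyledLayerDescriptor/>";

        AllowlistResolver strict = new AllowlistResolver(allow, false);
        AllowlistResolver broken = new AllowlistResolver(allow, true);

        // 1. The external-subset question asked directly: strict answers "none",
        //    broken raises the message from the trace.
        System.out.println("strict getExternalSubset -> "
            + strict.getExternalSubset("StyledLayerDescriptor", null));
        try {
            broken.getExternalSubset("StyledLayerDescriptor", null);
        } catch (SAXException e) {
            System.out.println("broken getExternalSubset -> " + e.getMessage());
        }

        // 2. A DOCTYPE-less document parses with the strict resolver.
        System.out.println("parsed root: "
            + parse(sldNoDoctype, strict).getDocumentElement().getTagName());

        // 3. An external DTD from a non-allowlisted host is refused before any fetch happens.
        try {
            parse(sldExternalDtd, strict);
        } catch (Exception e) {
            System.out.println("external DTD -> " + e.getMessage());
        }
    }
}
```

Running `main` once with the WAR's `WEB-INF/lib` on the classpath and once without is a quick way to confirm which JAXP implementation has taken over: `xercesImpl.jar` registers itself through `META-INF/services`, so its factory class name shows up in the first line of output whenever the jar is present.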
One place xercesImpl comes from is GeoServer's printing plugin. I'm unsure if there are other plugins you're using which also include that module – but for me (using a different GeoServer container), just removing the plugin fixed (well, mitigated) the issue.
We recently forked mapfish-print-v2; it does have an explicit dependency on xerces (not sure why). Have you tried excluding the transitive dependency?
In a different setup, I had to remove xercesImpl to make the netcdf plugin work correctly. It looks like GS stays totally functional afterwards.