Upgrade GeoServer for vulnerabilities (#465)

## Overview GeoServer: upgrade to 2.25.2 to fix vulnerabilities See: * https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/ * GHSA-6jj6-gm7p-fcvv * GHSA-w3pj-wh35-fq8w This change will upgrade to GeoServer 2.25.2 and GeoTools 31.2 (the version of `gt-complex.jar`). ```shell $ docker exec -u 0 geoserver find / -iname '**gt-complex**' /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-31.2.jar ``` The previous version was GeoServer 2.22.2 and GeoTools 28.2. ```shell $ docker exec -u 0 geoserver find / -iname '**gt-complex**' /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-28.2.jar ``` Also enable * OGC-API plugins https://docs.geoserver.org/stable/en/user/community/ogc-api/features/index.html so we can slowly transition from the WPS plugin. * STAC Datastore plugin https://docs.geoserver.org/latest/en/user/community/stac-datastore/index.html so we can test integration with our STAC component. Test result: [jenkins-console-output.txt](https://github.com/user-attachments/files/16171002/jenkins-console-output.txt) ## Changes **Non-breaking changes** - Upgrade GeoServer to 2.25.2 - Enable additional GeoServer plugins  birdhouse_daccs_configs_branch: master birdhouse_skip_ci: false
bird-house · Jul 19, 2024 · 86ffba0 · 86ffba0
2 parents 6b723bc + a6011b1
commit 86ffba0
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 20 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.5.1
+current_version = 2.5.2
 commit = True
 tag = False
 tag_name = {new_version}
@@ -30,11 +30,11 @@ search = {current_version}
 replace = {new_version}
 
 [bumpversion:file:RELEASE.txt]
-search = {current_version} 2024-07-10T17:42:25Z
+search = {current_version} 2024-07-19T03:04:07Z
 replace = {new_version} {utcnow:%Y-%m-%dT%H:%M:%SZ}
 
 [bumpversion:part:releaseTime]
-values = 2024-07-10T17:42:25Z
+values = 2024-07-19T03:04:07Z
 
 [bumpversion:file(version):birdhouse/components/canarie-api/docker_configuration.py.template]
 search = 'version': '{current_version}'

diff --git a/CHANGES.md b/CHANGES.md
@@ -17,6 +17,39 @@
 
 [//]: # (list changes here, using '-' for each new entry, remove this when items are added)
 
+[2.5.2](https://github.com/bird-house/birdhouse-deploy/tree/2.5.2) (2024-07-19)
+------------------------------------------------------------------------------------------------------------------
+
+## Changes
+
+- GeoServer: upgrade to 2.25.2 to fix vulnerabilities
+
+  See:
+  * https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/
+  * https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
+  * https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
+
+  This change will upgrade to GeoServer 2.25.2 and GeoTools 31.2 (the version of `gt-complex.jar`).
+
+  ```shell
+  $ docker exec -u 0 geoserver find / -iname '**gt-complex**'
+  /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-31.2.jar
+  ```
+
+  The previous version was GeoServer 2.22.2 and GeoTools 28.2.
+
+  ```shell
+  $ docker exec -u 0 geoserver find / -iname '**gt-complex**'
+  /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-28.2.jar
+  ```
+
+  Also enable
+  * OGC-API plugins https://docs.geoserver.org/stable/en/user/community/ogc-api/features/index.html
+    so we can slowly transition from the WPS plugin.
+  * STAC Datastore plugin https://docs.geoserver.org/latest/en/user/community/stac-datastore/index.html
+    so we can test integration with our STAC component.
+
+
 [2.5.1](https://github.com/bird-house/birdhouse-deploy/tree/2.5.1) (2024-07-10)
 ------------------------------------------------------------------------------------------------------------------
 

diff --git a/Makefile b/Makefile
@@ -1,7 +1,7 @@
 # Generic variables
 override SHELL       := bash
 override APP_NAME    := birdhouse-deploy
-override APP_VERSION := 2.5.1
+override APP_VERSION := 2.5.2
 
 # utility to remove comments after value of an option variable
 override clean_opt = $(shell echo "$(1)" | $(_SED) -r -e "s/[ '$'\t'']+$$//g")

diff --git a/README.rst b/README.rst
@@ -18,13 +18,13 @@ for a full-fledged production platform.
     * - citation
       - | |citation|
 
-.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/2.5.1.svg
+.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/2.5.2.svg
     :alt: Commits since latest release
-    :target: https://github.com/bird-house/birdhouse-deploy/compare/2.5.1...master
+    :target: https://github.com/bird-house/birdhouse-deploy/compare/2.5.2...master
 
-.. |latest-version| image:: https://img.shields.io/badge/tag-2.5.1-blue.svg?style=flat
+.. |latest-version| image:: https://img.shields.io/badge/tag-2.5.2-blue.svg?style=flat
     :alt: Latest Tag
-    :target: https://github.com/bird-house/birdhouse-deploy/tree/2.5.1
+    :target: https://github.com/bird-house/birdhouse-deploy/tree/2.5.2
 
 .. |readthedocs| image:: https://readthedocs.org/projects/birdhouse-deploy/badge/?version=latest
     :alt: ReadTheDocs Build Status (latest version)

diff --git a/RELEASE.txt b/RELEASE.txt
@@ -1 +1 @@
-2.5.1 2024-07-10T17:42:25Z
+2.5.2 2024-07-19T03:04:07Z
diff --git a/birdhouse/components/canarie-api/docker_configuration.py.template b/birdhouse/components/canarie-api/docker_configuration.py.template
@@ -108,8 +108,8 @@ SERVICES = {
             # NOTE:
             #   Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
             #   Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
-            'version': '2.5.1',
-            'releaseTime': '2024-07-10T17:42:25Z',
+            'version': '2.5.2',
+            'releaseTime': '2024-07-19T03:04:07Z',
             'institution': '${BIRDHOUSE_INSTITUTION}',
             'researchSubject': '${BIRDHOUSE_SUBJECT}',
             'supportEmail': '${BIRDHOUSE_SUPPORT_EMAIL}',
@@ -141,8 +141,8 @@ PLATFORMS = {
             # NOTE:
             #   Below version and release time auto-managed by 'make VERSION=x.y.z bump'.
             #   Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'.
-            'version': '2.5.1',
-            'releaseTime': '2024-07-10T17:42:25Z',
+            'version': '2.5.2',
+            'releaseTime': '2024-07-19T03:04:07Z',
             'institution': '${BIRDHOUSE_INSTITUTION}',
             'researchSubject': '${BIRDHOUSE_SUBJECT}',
             'supportEmail': '${BIRDHOUSE_SUPPORT_EMAIL}',

diff --git a/birdhouse/components/geoserver/default.env b/birdhouse/components/geoserver/default.env
@@ -8,21 +8,34 @@
 # "moving" tags, meaning not reproducible behavior !
 # See https://github.com/kartoza/docker-geoserver/issues/232#issuecomment-808754831
 # The version is used for representation in CanarieAPI, while the full tag is used to reference the image.
-export GEOSERVER_DOCKER=pavics/geoserver
-export GEOSERVER_VERSION=2.22.2
-export GEOSERVER_TAGGED=2.22.2-kartoza-build20230226-r7-allow-change-context-root-and-fix-missing-stable-plugins-and-avoid-chown-datadir
+export GEOSERVER_DOCKER="pavics/geoserver"
+export GEOSERVER_VERSION="2.25.2"
+export GEOSERVER_TAGGED="2.25.2--v2024.06.25-kartoza"
 export GEOSERVER_IMAGE='${GEOSERVER_DOCKER}:${GEOSERVER_TAGGED}'
 export GEOSERVER_IMAGE_URI='registry.hub.docker.com/${GEOSERVER_IMAGE}'
 
 export GEOSERVER_ADMIN_USER="admin"
 
 # # Install the stable plugin specified in
 # https://github.com/kartoza/docker-geoserver/blob/master/build_data/stable_plugins.txt
-export GEOSERVER_STABLE_EXTENSIONS="grib-plugin,netcdf-plugin,netcdf-out-plugin,csw-iso-plugin,metadata-plugin"
+export GEOSERVER_STABLE_EXTENSIONS="grib-plugin,\
+netcdf-plugin,\
+netcdf-out-plugin,\
+csw-iso-plugin,\
+metadata-plugin"
 
 # Install the community edition plugins specified in
 # https://github.com/kartoza/docker-geoserver/blob/master/build_data/community_plugins.txt
-export GEOSERVER_COMMUNITY_EXTENSIONS="geopkg-plugin"
+export GEOSERVER_COMMUNITY_EXTENSIONS="geopkg-plugin,\
+ogcapi-coverages-plugin,\
+ogcapi-dggs-plugin,\
+ogcapi-features-plugin,\
+ogcapi-images-plugin,\
+ogcapi-maps-plugin,\
+ogcapi-styles-plugin,\
+ogcapi-tiled-features-plugin,\
+ogcapi-tiles-plugin,\
+stac-datastore-plugin"
 
 # Must use single-quote for delayed eval.
 export GEOSERVER_DATA_DIR='${BIRDHOUSE_DATA_PERSIST_ROOT}/geoserver'

diff --git a/docs/source/conf.py b/docs/source/conf.py
@@ -69,9 +69,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '2.5.1'
+version = '2.5.2'
 # The full version, including alpha/beta/rc tags.
-release = '2.5.1'
+release = '2.5.2'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.