From 14bda30ca5241f688c03c4fefe3c3977de79d042 Mon Sep 17 00:00:00 2001 From: Long Vu Date: Tue, 9 Jul 2024 15:34:03 -0400 Subject: [PATCH 1/7] geoserver: upgrade to 2.25.2 for vulnerabilities https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/ https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w Scope of Impact Affected Version GeoServer < 2.23.6 2.24.0 <= GeoServer < 2.24.4 2.25.0 <= GeoServer < 2.25.2 GeoTools < 29.6 31.0 <= GeoTools < 31.2 30.0 <= GeoTools < 30.4 Unaffected version GeoServer >= 2.23.6 GeoServer >= 2.24.4 GeoServer >= 2.25.2 GeoTools >= 29.6 GeoTools >= 30.4 GeoTools >= 31.2 Mitigation Official upgrade 1. At present, a new version and security patch have been officially released to fix the above vulnerabilities. Please install updates for protection as soon as possible. Download link: https://github.com/geoserver/geoserver/tags https://github.com/geotools/geotools/tags 2. You can download the patch versions 2.25.1, 2.24.3, 2.24.2, 2.23.2, 2.21.5, 2.20.7, 2.20.4, 2.19.2, and 2.18.0 from https://geoserver.org to obtain the gt-app-schema, gt-complex, and gt-xsd-core jar files. Replace the corresponding files in WEB-INF/lib of the affected system for restoration. Other protective measures If relevant users cannot install updates temporarily, the following measures can be taken for temporary relief: Deleting the gt-complex-x.y.jar file in GeoServer (x.y is the version of GeoTools, such as gt-complex-31.1.jar in GeoServer 2.25.1) will remove vulnerable code from GeoServer, but may compromise some GeoServer functionality. When a gt-complex module is required by an extension in use, it may cause the GeoServer deployment to fail. --- birdhouse/config/geoserver/default.env | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/birdhouse/config/geoserver/default.env b/birdhouse/config/geoserver/default.env
index 84235d30..9f0ba0ae 100644
--- a/birdhouse/config/geoserver/default.env
+++ b/birdhouse/config/geoserver/default.env
@@ -8,9 +8,9 @@
 # "moving" tags, meaning not reproducible behavior !
 # See https://github.com/kartoza/docker-geoserver/issues/232#issuecomment-808754831
 # The version is used for representation in CanarieAPI, while the full tag is used to reference the image.
-export GEOSERVER_DOCKER=pavics/geoserver
-export GEOSERVER_VERSION=2.22.2
-export GEOSERVER_TAGGED=2.22.2-kartoza-build20230226-r7-allow-change-context-root-and-fix-missing-stable-plugins-and-avoid-chown-datadir
+export GEOSERVER_DOCKER="pavics/geoserver"
+export GEOSERVER_VERSION="2.25.2"
+export GEOSERVER_TAGGED="2.25.2--v2024.06.25-kartoza"
 export GEOSERVER_IMAGE="${GEOSERVER_DOCKER}:${GEOSERVER_TAGGED}"
 export GEOSERVER_ADMIN_USER="admin"
From 5cc4848215bd5db43432ff37e22e339ef2b779db Mon Sep 17 00:00:00 2001
From: Long Vu
Date: Wed, 10 Jul 2024 16:18:14 -0400
Subject: [PATCH 2/7] geoserver: enable all ogcapi plugins for testing
For testing migration to use these plugins as existing ones (wps-plugin, ...) will be deprecated. Theoretically these new plugins should be able to co-exist with the existing ones.
---
 birdhouse/config/geoserver/default.env | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/birdhouse/config/geoserver/default.env b/birdhouse/config/geoserver/default.env
index 9f0ba0ae..34c7faf0 100644
--- a/birdhouse/config/geoserver/default.env
+++ b/birdhouse/config/geoserver/default.env
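Review bot: `GEOSERVER_TAGGED="2.25.2--v2024.06.25-kartoza"` is still a mutable tag, which the context comment two lines above already calls out as "moving" and not reproducible, so the image that was checked for gt-complex 31.2 (the check is recorded in the CHANGES.md entry of patch 3/7) can be replaced under the same name and the vulnerability fix this commit exists for is not pinned to a known artifact. Consider recording the digest of the image that was tested, either as a comment next to the tag or as a separate variable used in the `GEOSERVER_IMAGE` reference as `${GEOSERVER_DOCKER}@sha256:<digest-of-tested-image>` (placeholder). The release number is now written twice, in `GEOSERVER_VERSION` and inside the tag; deriving one from the other, e.g. `export GEOSERVER_TAGGED="${GEOSERVER_VERSION}--v2024.06.25-kartoza"`, keeps what CanarieAPI reports in step with what is actually deployed.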
@@ -21,7 +21,9 @@ export GEOSERVER_STABLE_EXTENSIONS="grib-plugin,netcdf-plugin,netcdf-out-plugin,
 # Install the community edition plugins specified in
 # https://github.com/kartoza/docker-geoserver/blob/master/build_data/community_plugins.txt
-export GEOSERVER_COMMUNITY_EXTENSIONS="geopkg-plugin"
+export GEOSERVER_COMMUNITY_EXTENSIONS="geopkg-plugin,\
+ogcapi-coverages-plugin,ogcapi-dggs-plugin,ogcapi-features-plugin,ogcapi-images-plugin,\
+ogcapi-maps-plugin,ogcapi-styles-plugin,ogcapi-tiled-features-plugin,ogcapi-tiles-plugin"
 # Must use single-quote for delayed eval.
 export GEOSERVER_DATA_DIR='${DATA_PERSIST_ROOT}/geoserver'
From 1a23e12bb3824a2ad50c034df0c1d7e32de9f51b Mon Sep 17 00:00:00 2001
From: Long Vu
Date: Wed, 10 Jul 2024 23:03:29 -0400
Subject: [PATCH 3/7] CHANGES: GeoServer 2.25.2 upgrade
---
 CHANGES.md | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/CHANGES.md b/CHANGES.md
index 871e9fd7..9ce10cdf 100644
--- a/CHANGES.md
+++ b/CHANGES.md
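Review bot: Eight community (non-stable) modules are switched on in one step in `GEOSERVER_COMMUNITY_EXTENSIONS`, and the commit message says they are only wanted for testing a migration; the OGC API modules presumably expose additional HTTP endpoints, so this widens what the deployment serves with no way for an operator to opt out short of editing the default. A separate variable, or at least an explicit `# experimental, enabled for the WPS migration test` comment on the ogcapi entries, would make the intent and the opt-out visible; the same applies to `stac-datastore-plugin` appended to this value in patch 4/7. The backslash-newline inside the double-quoted value is only removed when the file is sourced by a shell, which matches the `export` style used here, but a plain key=value reader would keep the backslashes and the newlines; a one-line note such as `# continuation lines below are only valid because this file is sourced by a shell` would guard against that.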
@@ -15,7 +15,32 @@ [Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest) ------------------------------------------------------------------------------------------------------------------ -[//]: # (list changes here, using '-' for each new entry, remove this when items are added) +## Changes + +- GeoServer: upgrade to 2.25.2 to fix vulnerabilities + + See + https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/, + https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv, + https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w + + This change will upgrade to GeoServer 2.25.2 and GeoTools 31.2 (the version of gt-complex.jar). + + ``` + $ docker exec -u 0 geoserver find / -iname '**gt-complex**' + /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-31.2.jar + ``` + + The previous version was GeoServer 2.22.2 and GeoTools 28.2. + + ``` + $ docker exec -u 0 geoserver find / -iname '**gt-complex**' + /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-28.2.jar + ``` + + Also enable OGC-API plugins https://docs.geoserver.org/stable/en/user/community/ogc-api/features/index.html + so we can slowly transition from the WPS plugin. + [2.5.1](https://github.com/bird-house/birdhouse-deploy/tree/2.5.1) (2024-07-10) ------------------------------------------------------------------------------------------------------------------ From 63fbbc557311c2dd1a33bd304057ef6f20c8962a Mon Sep 17 00:00:00 2001 From: Long Vu Date: Thu, 11 Jul 2024 14:59:03 -0400 Subject: [PATCH 4/7] geoserver: enable stac-datastore-plugin https://docs.geoserver.org/latest/en/user/community/stac-datastore/index.html Per @fmigneault request. --- birdhouse/config/geoserver/default.env | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/birdhouse/config/geoserver/default.env b/birdhouse/config/geoserver/default.env
index 34c7faf0..c73ecb89 100644
--- a/birdhouse/config/geoserver/default.env
+++ b/birdhouse/config/geoserver/default.env
@@ -23,7 +23,8 @@ export GEOSERVER_STABLE_EXTENSIONS="grib-plugin,netcdf-plugin,netcdf-out-plugin,
 # https://github.com/kartoza/docker-geoserver/blob/master/build_data/community_plugins.txt
 export GEOSERVER_COMMUNITY_EXTENSIONS="geopkg-plugin,\
 ogcapi-coverages-plugin,ogcapi-dggs-plugin,ogcapi-features-plugin,ogcapi-images-plugin,\
-ogcapi-maps-plugin,ogcapi-styles-plugin,ogcapi-tiled-features-plugin,ogcapi-tiles-plugin"
+ogcapi-maps-plugin,ogcapi-styles-plugin,ogcapi-tiled-features-plugin,ogcapi-tiles-plugin,\
+stac-datastore-plugin"
 # Must use single-quote for delayed eval.
 export GEOSERVER_DATA_DIR='${DATA_PERSIST_ROOT}/geoserver'
From 03f0577483c7b6ab6fa126964f1921085242de41 Mon Sep 17 00:00:00 2001
From: Long Vu
Date: Fri, 12 Jul 2024 12:28:30 -0400
Subject: [PATCH 5/7] CHANGES: update for readability (review feedback)
---
 CHANGES.md | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 9ce10cdf..f69b0dc4 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -19,27 +19,30 @@ - GeoServer: upgrade to 2.25.2 to fix vulnerabilities - See - https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/, - https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv, - https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w + See: + * https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/ + * https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv + * https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w - This change will upgrade to GeoServer 2.25.2 and GeoTools 31.2 (the version of gt-complex.jar). + This change will upgrade to GeoServer 2.25.2 and GeoTools 31.2 (the version of `gt-complex.jar`). - ``` + ```shell $ docker exec -u 0 geoserver find / -iname '**gt-complex**' /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-31.2.jar ``` The previous version was GeoServer 2.22.2 and GeoTools 28.2. - ``` + ```shell $ docker exec -u 0 geoserver find / -iname '**gt-complex**' /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-28.2.jar ``` - Also enable OGC-API plugins https://docs.geoserver.org/stable/en/user/community/ogc-api/features/index.html - so we can slowly transition from the WPS plugin. + Also enable + * OGC-API plugins https://docs.geoserver.org/stable/en/user/community/ogc-api/features/index.html + so we can slowly transition from the WPS plugin. + * STAC Datastore plugin https://docs.geoserver.org/latest/en/user/community/stac-datastore/index.html + so we can test integration with our STAC component. [2.5.1](https://github.com/bird-house/birdhouse-deploy/tree/2.5.1) (2024-07-10) From 6282c9c052c5c13932fa400a80e89bcdfde7c6ff Mon Sep 17 00:00:00 2001 
From: Long Vu
Date: Thu, 18 Jul 2024 12:39:21 -0400
Subject: [PATCH 6/7] geoserver: list extensions on separate line for readability
---
 birdhouse/config/geoserver/default.env | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/birdhouse/config/geoserver/default.env b/birdhouse/config/geoserver/default.env
index c73ecb89..373bf021 100644
--- a/birdhouse/config/geoserver/default.env
+++ b/birdhouse/config/geoserver/default.env
@@ -17,13 +17,23 @@ export GEOSERVER_ADMIN_USER="admin"
 #
 # Install the stable plugin specified in
 # https://github.com/kartoza/docker-geoserver/blob/master/build_data/stable_plugins.txt
-export GEOSERVER_STABLE_EXTENSIONS="grib-plugin,netcdf-plugin,netcdf-out-plugin,csw-iso-plugin,metadata-plugin"
+export GEOSERVER_STABLE_EXTENSIONS="grib-plugin,\
+netcdf-plugin,\
+netcdf-out-plugin,\
+csw-iso-plugin,\
+metadata-plugin"
 # Install the community edition plugins specified in
 # https://github.com/kartoza/docker-geoserver/blob/master/build_data/community_plugins.txt
 export GEOSERVER_COMMUNITY_EXTENSIONS="geopkg-plugin,\
-ogcapi-coverages-plugin,ogcapi-dggs-plugin,ogcapi-features-plugin,ogcapi-images-plugin,\
-ogcapi-maps-plugin,ogcapi-styles-plugin,ogcapi-tiled-features-plugin,ogcapi-tiles-plugin,\
+ogcapi-coverages-plugin,\
+ogcapi-dggs-plugin,\
+ogcapi-features-plugin,\
+ogcapi-images-plugin,\
+ogcapi-maps-plugin,\
+ogcapi-styles-plugin,\
+ogcapi-tiled-features-plugin,\
+ogcapi-tiles-plugin,\
 stac-datastore-plugin"
 # Must use single-quote for delayed eval.
From a6011b1dc9d6c2d80e9a69a417c575cf159866aa Mon Sep 17 00:00:00 2001
From: Long Vu
Date: Thu, 18 Jul 2024 23:04:07 -0400
Subject: [PATCH 7/7] =?UTF-8?q?Bump=20version:=202.5.1=20=E2=86=92=202.5.2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .bumpversion.cfg | 6 +++---
 CHANGES.md | 5 +++++
 Makefile | 2 +-
 README.rst | 8 ++++----
 RELEASE.txt | 2 +-
 .../canarie-api/docker_configuration.py.template | 8 ++++----
 docs/source/conf.py | 4 ++--
 7 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index c782e737..c97bfc5b 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.5.1
+current_version = 2.5.2
 commit = True
 tag = False
 tag_name = {new_version}
@@ -30,11 +30,11 @@ search = {current_version}
 replace = {new_version}
 [bumpversion:file:RELEASE.txt]
-search = {current_version} 2024-07-10T17:42:25Z
+search = {current_version} 2024-07-19T03:04:07Z
 replace = {new_version} {utcnow:%Y-%m-%dT%H:%M:%SZ}
 [bumpversion:part:releaseTime]
-values = 2024-07-10T17:42:25Z
+values = 2024-07-19T03:04:07Z
 [bumpversion:file(version):birdhouse/components/canarie-api/docker_configuration.py.template]
 search = 'version': '{current_version}'
diff --git a/CHANGES.md b/CHANGES.md
index f69b0dc4..47b10f1d 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -15,6 +15,11 @@
 [Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest)
 ------------------------------------------------------------------------------------------------------------------
+[//]: # (list changes here, using '-' for each new entry, remove this when items are added)
+
+[2.5.2](https://github.com/bird-house/birdhouse-deploy/tree/2.5.2) (2024-07-19)
+------------------------------------------------------------------------------------------------------------------
+
 ## Changes
 - GeoServer: upgrade to 2.25.2 to fix vulnerabilities
diff --git a/Makefile b/Makefile
index 99795c85..1b79f856 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@ # Generic variables override SHELL := bash override APP_NAME := birdhouse-deploy -override APP_VERSION := 2.5.1 +override APP_VERSION := 2.5.2 # utility to remove comments after value of an option variable override clean_opt = $(shell echo "$(1)" | $(_SED) -r -e "s/[ '$'\t'']+$$//g") diff --git a/README.rst b/README.rst index 26bd6311..3cb2890c 100644 --- a/README.rst +++ b/README.rst @@ -18,13 +18,13 @@ for a full-fledged production platform. * - citation - | |citation| -.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/2.5.1.svg +.. |commits-since| image:: https://img.shields.io/github/commits-since/bird-house/birdhouse-deploy/2.5.2.svg :alt: Commits since latest release - :target: https://github.com/bird-house/birdhouse-deploy/compare/2.5.1...master + :target: https://github.com/bird-house/birdhouse-deploy/compare/2.5.2...master -.. |latest-version| image:: https://img.shields.io/badge/tag-2.5.1-blue.svg?style=flat +.. |latest-version| image:: https://img.shields.io/badge/tag-2.5.2-blue.svg?style=flat :alt: Latest Tag - :target: https://github.com/bird-house/birdhouse-deploy/tree/2.5.1 + :target: https://github.com/bird-house/birdhouse-deploy/tree/2.5.2 .. |readthedocs| image:: https://readthedocs.org/projects/birdhouse-deploy/badge/?version=latest :alt: ReadTheDocs Build Status (latest version) diff --git a/RELEASE.txt b/RELEASE.txt index 4d5a88ed..57f37a7d 100644 --- a/RELEASE.txt +++ b/RELEASE.txt @@ -1 +1 @@ -2.5.1 2024-07-10T17:42:25Z +2.5.2 2024-07-19T03:04:07Z diff --git a/birdhouse/components/canarie-api/docker_configuration.py.template b/birdhouse/components/canarie-api/docker_configuration.py.template index 7925f464..e30c9c96 100644 --- a/birdhouse/components/canarie-api/docker_configuration.py.template +++ b/birdhouse/components/canarie-api/docker_configuration.py.template 
@@ -108,8 +108,8 @@ SERVICES = { # NOTE: # Below version and release time auto-managed by 'make VERSION=x.y.z bump'. # Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'. - 'version': '2.5.1', - 'releaseTime': '2024-07-10T17:42:25Z', + 'version': '2.5.2', + 'releaseTime': '2024-07-19T03:04:07Z', 'institution': '${BIRDHOUSE_INSTITUTION}', 'researchSubject': '${BIRDHOUSE_SUBJECT}', 'supportEmail': '${BIRDHOUSE_SUPPORT_EMAIL}', @@ -141,8 +141,8 @@ PLATFORMS = { # NOTE: # Below version and release time auto-managed by 'make VERSION=x.y.z bump'. # Do NOT modify it manually. See 'Tagging policy' in 'birdhouse/README.rst'. - 'version': '2.5.1', - 'releaseTime': '2024-07-10T17:42:25Z', + 'version': '2.5.2', + 'releaseTime': '2024-07-19T03:04:07Z', 'institution': '${BIRDHOUSE_INSTITUTION}', 'researchSubject': '${BIRDHOUSE_SUBJECT}', 'supportEmail': '${BIRDHOUSE_SUPPORT_EMAIL}', diff --git a/docs/source/conf.py b/docs/source/conf.py index ef670808..5169e5af 100644 --- a/docs/source/conf.py +++ b/docs/source/conf.py @@ -69,9 +69,9 @@ # built documents. # # The short X.Y version. -version = '2.5.1' +version = '2.5.2' # The full version, including alpha/beta/rc tags. -release = '2.5.1' +release = '2.5.2' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages.