Upgrade GeoServer for vulnerabilities #465

Merged
merged 10 commits into from
Jul 19, 2024
27 changes: 26 additions & 1 deletion CHANGES.md
@@ -15,7 +15,32 @@
[Unreleased](https://github.com/bird-house/birdhouse-deploy/tree/master) (latest)
------------------------------------------------------------------------------------------------------------------

[//]: # (list changes here, using '-' for each new entry, remove this when items are added)
## Changes

- GeoServer: upgrade to 2.25.2 to fix vulnerabilities

See
https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/,
https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv,
https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
Collaborator

Please make them list items; it is easier to read afterwards when the text is wrapped in HTML.

Collaborator Author

Done 03f0577


This change will upgrade to GeoServer 2.25.2 and GeoTools 31.2 (the version of gt-complex.jar).

```
$ docker exec -u 0 geoserver find / -iname '**gt-complex**'
/usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-31.2.jar
```

The previous version was GeoServer 2.22.2 and GeoTools 28.2.

```
Collaborator

Add the shell style.

Collaborator Author

Done 03f0577

$ docker exec -u 0 geoserver find / -iname '**gt-complex**'
/usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-28.2.jar
```

Also enable OGC-API plugins https://docs.geoserver.org/stable/en/user/community/ogc-api/features/index.html
so we can slowly transition from the WPS plugin.


[2.5.1](https://github.com/bird-house/birdhouse-deploy/tree/2.5.1) (2024-07-10)
------------------------------------------------------------------------------------------------------------------
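Review bot: The placeholder comment `[//]: # (list changes here, using '-' for each new entry, remove this when items are added)` is still present in the unchanged context even though entries were added directly below it; per its own instruction it should be dropped in this PR. Two smaller points in the new entry: the advisories are referenced only by URL, so naming the identifiers those links carry (CVE-2024-36401, CVE-2024-36404, GHSA-6jj6-gm7p-fcvv, GHSA-w3pj-wh35-fq8w) in the bullet lets a reader scanning the changelog see which vulnerabilities the 2.25.2 / GeoTools 31.2 upgrade addresses without following the links; and in both `find` commands `-iname '*gt-complex*'` is the idiomatic pattern, since `**` carries no special meaning for `find`.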
11 changes: 7 additions & 4 deletions birdhouse/components/geoserver/default.env
@@ -8,9 +8,9 @@
# "moving" tags, meaning not reproducible behavior !
# See https://github.com/kartoza/docker-geoserver/issues/232#issuecomment-808754831
# The version is used for representation in CanarieAPI, while the full tag is used to reference the image.
export GEOSERVER_DOCKER=pavics/geoserver
export GEOSERVER_VERSION=2.22.2
export GEOSERVER_TAGGED=2.22.2-kartoza-build20230226-r7-allow-change-context-root-and-fix-missing-stable-plugins-and-avoid-chown-datadir
export GEOSERVER_DOCKER="pavics/geoserver"
export GEOSERVER_VERSION="2.25.2"
export GEOSERVER_TAGGED="2.25.2--v2024.06.25-kartoza"
export GEOSERVER_IMAGE='${GEOSERVER_DOCKER}:${GEOSERVER_TAGGED}'
export GEOSERVER_IMAGE_URI='registry.hub.docker.com/${GEOSERVER_IMAGE}'

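Review bot: `GEOSERVER_TAGGED` now pins a dated build tag (`2.25.2--v2024.06.25-kartoza`), which is consistent with the warning above about "moving" tags not being reproducible; since `pavics/geoserver` is a custom build whose tag can be re-pushed, consider recording the image digest alongside the tag (in a comment or in the changelog) so the exact build that was vulnerability-tested can be identified later. Also keep `GEOSERVER_VERSION` (`2.25.2`) in step with the tag on future bumps, since the comment notes CanarieAPI reports the version independently of the image reference.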
@@ -22,7 +22,10 @@ export GEOSERVER_STABLE_EXTENSIONS="grib-plugin,netcdf-plugin,netcdf-out-plugin,

# Install the community edition plugins specified in
# https://github.com/kartoza/docker-geoserver/blob/master/build_data/community_plugins.txt
export GEOSERVER_COMMUNITY_EXTENSIONS="geopkg-plugin"
export GEOSERVER_COMMUNITY_EXTENSIONS="geopkg-plugin,\
ogcapi-coverages-plugin,ogcapi-dggs-plugin,ogcapi-features-plugin,ogcapi-images-plugin,\
ogcapi-maps-plugin,ogcapi-styles-plugin,ogcapi-tiled-features-plugin,ogcapi-tiles-plugin,\
stac-datastore-plugin"
Collaborator

Can they be placed line-by-line for easier readability?

Collaborator Author

Sure, I can do this for other plugins that we will enable in the future. For the ogcapi bunch, I consider them a "group", so I'd rather keep them on the same lines if you don't mind.

Collaborator

I think the "group" is more obvious with the "ogcapi-" prefix that would align on all lines when following each other.

Collaborator Author

Knowing you do not like long lines, that's why I broke it down to 2 lines of "ogcapi-". Do you really want me to put it on one line?

Collaborator Author

Or I can keep 2 lines with a comment to group related plugins on the same line, and if they are unrelated, put them on different lines for readability?

Collaborator

Since the ogcapi- items are already spread out across 2 lines because there are too many entries, I would rather have everything on their own line.

Also, just noticed that https://github.com/kartoza/docker-geoserver/blob/master/build_data/community_plugins.txt is still referenced above the variable. This is not valid anymore because they switched to develop branch with a new plugin download strategy. The old master reference only contains ogcapi-plugin as a whole, which is misleading. Maybe https://build.geoserver.org/geoserver/ should be used as reference instead.

Collaborator Author

Done in 6282c9c.


# Must use single-quote for delayed eval.
export GEOSERVER_DATA_DIR='${BIRDHOUSE_DATA_PERSIST_ROOT}/geoserver'
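Review bot: The backslash-newline continuations inside the double-quoted `GEOSERVER_COMMUNITY_EXTENSIONS` value are only valid while this file is sourced by a POSIX shell (which the `export` lines imply); any tool that reads `default.env` line by line would see the value truncated to `geopkg-plugin,`, so either note that dependency in a comment or list one plugin per line as suggested in the thread above. Separately, this hunk turns on nine community modules at once, eight of them OGC API services that expose additional HTTP endpoints: the changelog should state which endpoints become reachable so the operator can confirm they are meant to be exposed, and the comment above the variable still points at `community_plugins.txt` on the `master` branch, which the thread notes is no longer where these plugin names come from.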