GeoTools

OSGeo

Tuesday, April 12, 2022

Unchecked JNDI lookups in GeoTools (CVE-2022-24818)

The recent log4shell vulnerability has brought to our attention that unchecked JNDI lookups are inadvisable. We have isolated the JNDI lookup code responsible in GeoTools and reported the vulnerability as GHSA-jvh2-668r-g75x / CVE-2022-24818.

To address this issue we are pleased to introduce the jndiLookup(String) function:

DataSource dataSource = (DataSource) GeoTools.jndiLookup(name);

This method provides safe lookups by default (limited to no-schema and java lookups). You may override this policy for your application by supplying a JNDI Name validator.

Please update your application to one of the patched releases (GeoTools 26.4, GeoTools 25.6 or GeoTools 24.6) and follow the update instructions.

The approach used (limiting lookups to no-schema and java lookups) is the same one taken by the Log4J project. You may wish to review your application for any use of InitialContext.lookup(fixedName), and consider making use of jndiLookup(String) as a resolution. For more information see the GeoTools utility class documentation, and javadocs.
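
The allow-list policy described above (names with no scheme, or with the java scheme), sketched as an added example that is not GeoTools code. The class SafeJndi, its DEFAULT_VALIDATOR and its lookup method are hypothetical names, and the sample JNDI names are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.function.Predicate;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Hypothetical helper (not GeoTools code): allow-list check before any JNDI lookup. */
public class SafeJndi {

    /** Accepts names with no URI scheme, or with the "java" scheme; rejects all else. */
    static final Predicate<String> DEFAULT_VALIDATOR = name -> {
        if (name == null || name.isEmpty()) {
            return false;
        }
        try {
            String scheme = new URI(name).getScheme();
            return scheme == null || "java".equals(scheme);
        } catch (URISyntaxException e) {
            return false; // unparseable names are refused rather than guessed at
        }
    };

    /** Performs the lookup only when the validator accepts the name. */
    static Object lookup(String name, Predicate<String> validator) throws NamingException {
        if (!validator.test(name)) {
            throw new NamingException("JNDI name rejected by validator: " + name);
        }
        return new InitialContext().lookup(name);
    }

    public static void main(String[] args) {
        // Constructed sample names; only the first two pass the default policy.
        String[] samples = {
            "java:comp/env/jdbc/geotools",
            "jdbc/geotools",
            "ldap://directory.example.invalid/cn=ds",
            "rmi://registry.example.invalid/ds",
            "jdbc/my datasource" // not a valid URI, so it is rejected
        };
        for (String name : samples) {
            String verdict = DEFAULT_VALIDATOR.test(name) ? "allowed" : "rejected";
            System.out.println(name + " -> " + verdict);
        }
    }
}
```

Passing the validator as a parameter mirrors the override point the post mentions: an application that needs a wider policy supplies its own predicate instead of bypassing the check.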

Sunday, February 20, 2022

GeoTools 25.5 released

The GeoTools team is pleased to announce the release of GeoTools 25.5:

GeoTools 25.5 is published to repo.osgeo.org for direct build integration. This release is made in conjunction with GeoServer 2.19.5. The GeoTools team is grateful to Astun Technology for allowing Ian Turton the time to prepare this release.

Bug Fixes

This is a maintenance release and includes the following bug fixes and tasks: 
  • GEOT-7073 GeoPackage store fails to use spatial indexes when multiple BBOX filters are used at the same time
  • GEOT-7071 GetFeatureInfo in WMSLayer has problems in transinformation of I,J params
It's worth noting that GeoTools does not directly use Log4J, but adopts the Java Logging Framework. However, it has a plugin that allows all logging calls to be redirected to Log4J, for which we have made a fix in GEOT-7038. Please read more about the vulnerability assessment of Log4J 1.2.17 vulnerabilities in this GeoServer blog post.

About GeoTools 25 Series 

For more information see the release notes (25.5 | 25.4 | 25.3 | 25.2 | 25.1 | 25.0 | 25-RC).
  • Repackaged downloads with html readme and license files and ready-to-use bin download
  • New gt-http module, allowing gt-wms and gt-wps-client to use your choice of http library
  • Massive code-cleanup with PMD integrated into our build chain
  • Quality of life improvements with increased use of variable arguments, and revised Map<String, ?> datastore connection parameters.

Monday, January 24, 2022

GeoTools 26.2 Released

The GeoTools team is pleased to share the availability of GeoTools 26.2.

This release is also available from the OSGeo Maven Repository and is made in conjunction with GeoServer 2.21.2.
Update: Initial release was accidentally compiled with Java 11, and has been recompiled using Java 8 on February 22, 2020.

Source code

The active GeoTools branches (main, 26.x and 25.x) now include a .gitattributes file specifying how linefeeds are handled for our repository. With this change you are no longer required to set global core.autocrlf=input to prevent conflict with other developers when editing text files.
A number of files with inconsistent line endings were cleaned up as part of this activity.
Use git reset as outlined below if you encounter difficulty updating your checkout:
git pull --rebase
git reset --hard

Fixes and improvements

  • Release notes are now attached to the GitHub tag, and are no longer stored in Jira as this required credentials to access
  • Rendering pre-process Mark Factories Hint available allowing improved performance
  • YSLD support for rule vendor options
For more information see the 26.2 Release Notes.

About GeoTools 26 Series

For more information see the release notes ( 26.2 | 26.1 | 26.0 | 26-RC).
  • main is now the default branch, and the repository now includes a .gitattributes file for consistent linefeed handling.
  • GML support improved with support for surface, multi curves, curved polygons and arcs with more than three control points
  • Krovak North Orientated, used for EPSG:5514

Wednesday, December 22, 2021

GeoTools 25.4 released

The GeoTools team is pleased to announce the release of GeoTools 25:

GeoTools 25.4 is published to repo.osgeo.org for direct build integration. This release is made in conjunction with GeoServer 2.19.4. The GeoTools team is grateful to GeoSolutions for allowing Andrea Aime the time to prepare this release.

Bug Fixes

This is a maintenance release and includes the following improvements:
  • GEOT-7020 Add ProjectionHandler for orthographic
  • GEOT-7007 Shapefile set files search may take very long on big shapefile directories
And the following bug fixes and tasks:
  • GEOT-7040 Don't linearize warp transformations while oversampling
  • GEOT-7022 Concurrent CRS Factories access can result in deadlock
  • GEOT-7038 Update log4j to a version that does not support RCE
It's worth noting that GeoTools does not directly use Log4J, but adopts the Java Logging Framework. However, it has a plugin that allows all logging calls to be redirected to Log4J, for which we have made a fix in GEOT-7038. Please read more about the vulnerability assessment of Log4J 1.2.17 vulnerabilities in this GeoServer blog post.

About GeoTools 25 Series 

For more information see the release notes (25.4 | 25.3 | 25.2 | 25.1 | 25.0 | 25-RC).
  • Repackaged downloads with html readme and license files and ready-to-use bin download
  • New gt-http module, allowing gt-wms and gt-wps-client to use your choice of http library
  • Massive code-cleanup with PMD integrated into our build chain
  • Quality of life improvements with increased use of variable arguments, and revised Map<String, ?> datastore connection parameters.

Wednesday, November 17, 2021

GeoTools 26.1 Released

The GeoTools team is pleased to share the availability of GeoTools 26.1.

This release is also available from the OSGeo Maven Repository and is made in conjunction with GeoServer 2.21

About GeoTools 26 Series

For more information see the release notes (26.1 | 26-RC).
  • main is now the default branch
  • GML support improved with support for surface, multi curves, curved polygons and arcs with more than three control points
  • Krovak North Orientated, used for EPSG:5514

Friday, October 22, 2021

GeoTools 25.3 Released

The GeoTools team is pleased to announce the release of GeoTools 25.3:

GeoTools 25.3 is published to repo.osgeo.org for direct build integration. This release is made in conjunction with GeoServer 2.19.3. The GeoTools team is grateful to Astun Technology for allowing Ian Turton the time to prepare this release.

Bug Fixes

This is a maintenance release and includes the following bug fixes:
  • GEOT-6982 Update Mongo DB driver to 4.0.6 to mitigate CVE-2021-20328
  • GEOT-6959 SimpleHttpClient does support proxy
  • GEOT-6958 ImageMosaic stores made of multiple coverages (homogeneous + heterogeneous) may fail on heterogeneous read
  • GEOT-6944 Deadlock at org.geotools.xsd.XSD.getSchema
  • GEOT-6937 AppSchema JdbcMultipleValue will fill wrong values if targetColumn is a PK
  • GEOT-6881 GreaterThanEqualTo and LessThanEqualTo incorrectly marked as unsupported in WFS query
  • GEOT-6410 Conversion from boolean true/false in geoserver to SQL Server bit 0/1, is broken

About GeoTools 25 Series 

For more information see the release notes (25.3 | 25.2 | 25.1 | 25.0 | 25-RC).
  • Repackaged downloads with html readme and license files and ready-to-use bin download
  • New gt-http module, allowing gt-wms and gt-wps-client to use your choice of http library
  • Massive code-cleanup with PMD integrated into our build chain
  • Quality of life improvements with increased use of variable arguments, and revised Map<String, ?> datastore connection parameters.

Monday, October 18, 2021

GeoTools 26.0 released

The GeoTools team is pleased to share the availability of GeoTools 26.0.

This release candidate is also available from the OSGeo Maven Repository and is made in conjunction with GeoServer 2.20 and JTS 1.18.2.

Upgrade

There are no specific incompatibilities noted for this release (see User Manual "upgrading" page):
  • Deprecated HTTPClient interfaces are now removed (previously these were deprecated after being relocated to a new package in the 25.x series)
  • Changes occurred in some internal handling of units of measure, as a result of units library upgrade. Should not be of concern for most users.

Updated Libraries

Each major release is an opportunity to update the libraries that GeoTools uses: 
  • JTS 1.18.2
  • commons-io 2.10.0
  • Upgraded JDBC drivers
    • oracle ojdbc9 19.12.0.0
    • mysql-connector-java 8.0.26
    • postgresql 42.2.23
    • mysql-jdbc 9.4.0.jre8
    • db2 bcc 11.5.6.0
  • solr 8.9.0
  • httpclient 4.5.13
  • batik 1.14

Improvements and Fixes 

Public service announcement:
  • Removed unsupported epsg-oracle, georest, imagemosaic-jdbc, jdbc-ingres, gtopo30 modules.
  • Removed dependency on xpp3 (now use standard StAX API).
  • main is now the default branch.
  • Ongoing quality assurance improvements covering topics from refactoring complicated methods to catching accidentally committed System.out.println statements
From our issue tracker release notes: 
  • Introduce vendor options for rules
  • A new vendor option used to mark individual rules, symbolizers, or feature type style elements to be ignored (when rendering Maps or Legends).
  • WPS 2.0 EMF model and xml binding configuration
  • GML support has improved for unsupported wfs-ng module, with a separate gt-gml module created for improvements including surface, multi curves, curved polygons and arcs with more than three control points
  • Krovak North Orientated, used for EPSG:5514
  • Improve shapefile quadtree build performance
  • MultithreadedHTTPClient now sets the user agent to "GeoTools".

About GeoTools 26 Series

For more information see the release notes (26.0 | 26-RC).
  • main is now the default branch
  • GML support improved with support for surface, multi curves, curved polygons and arcs with more than three control points
  • Krovak North Orientated, used for EPSG:5514