Tuesday, April 12, 2022

Unchecked JNDI lookups in GeoTools (CVE-2022-24818)

The recent log4shell vulnerability has brought to our attention that unchecked JNDI lookups are inadvisable. We have isolated the JNDI lookup code responsible in GeoTools and reported the vulnerability as GHSA-jvh2-668r-g75x / CVE-2022-24818.

To address this issue we are pleased to introduce the jndiLookup(String) function:

DataSource dataSource = (DataSource) GeoTools.jndiLookup(name);

This method provides safe look-ups by default (limited to no-scheme and java: lookups). You may override this policy for your application by supplying a JNDI Name validator.

Please update your application to one of the patched releases: GeoTools 26.4, GeoTools 25.6 or GeoTools 24.6 (and follow the update instructions).

The approach used (limiting lookups to no-scheme and java: lookups) is the same one taken by the Log4J project. You may wish to review your application for any use of InitialContext.lookup(fixedName), and consider making use of jndiLookup(String) as a resolution. For more information see the GeoTools utility class documentation and javadocs.
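To make the policy concrete, the following is an added, stand-alone Java illustration of the same rule (accept a name only if it has no URI scheme or uses the local java: scheme, and reject anything else before InitialContext sees it). It is not the GeoTools implementation; the class and method names SafeJndiLookup, isLocalName and lookup are assumed for this example, and the policy is a Predicate so an application can substitute its own validator.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.function.Predicate;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Example only (not GeoTools code): JNDI lookup guarded by a name policy. */
public class SafeJndiLookup {

    /** Default policy: no-scheme names (jdbc/foo) or java: names (java:comp/env/jdbc/foo). */
    public static final Predicate<String> DEFAULT_VALIDATOR = SafeJndiLookup::isLocalName;

    public static boolean isLocalName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        String scheme;
        try {
            scheme = new URI(name).getScheme();
        } catch (URISyntaxException e) {
            return false; // unparseable names are rejected rather than guessed at
        }
        return scheme == null || "java".equals(scheme.toLowerCase(Locale.ROOT));
    }

    /** Resolves name only if the supplied validator accepts it. */
    public static Object lookup(String name, Predicate<String> validator) throws NamingException {
        if (!validator.test(name)) {
            throw new NamingException("JNDI lookup rejected by policy: " + name);
        }
        Context ctx = new InitialContext();
        try {
            return ctx.lookup(name);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Constructed sample names: the first two pass, the remote-scheme ones are rejected.
        String[] names = {"jdbc/postgis", "java:comp/env/jdbc/postgis",
                          "ldap://example.invalid/x", "rmi://example.invalid/y"};
        for (String n : names) {
            System.out.println(n + " -> " + (DEFAULT_VALIDATOR.test(n) ? "allowed" : "rejected"));
        }
    }
}
```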

Sunday, February 20, 2022

GeoTools 25.5 released

The GeoTools team is pleased to announce the release GeoTools 25.5:

GeoTools 25.5 is published for direct build integration. This release is made in conjunction with GeoServer 2.19.5. The GeoTools team is grateful to Astun Technology for allowing Ian Turton the time to prepare this release.

Bug Fixes

This is a maintenance release and includes the following bug fixes and tasks:
  • GEOT-7073 GeoPackage store fails to use spatial indexes when multiple BBOX filters are used at the same time
  • GEOT-7071 GetFeatureInfo in WMSLayer has problems in transformation of I,J params
It's worth noting that GeoTools does not directly use Log4J, but adopts the Java Logging Framework. However, it has a plugin that redirects all logging calls to Log4J, for which we have made a fix in GEOT-7038. Please read more about the assessment of the Log4J 1.2.17 vulnerabilities in this GeoServer blog post.

About GeoTools 25 Series

For more information see the release notes (25.5 | 25.4 | 25.3 | 25.2 | 25.1 | 25.0 | 25-RC).
  • Repackaged downloads with html readme and license files and ready-to-use bin download
  • New gt-http module, allowing gt-wms and gt-wps-client to use your choice of http library
  • Massive code-cleanup with PMD integrated into our build chain
  • Quality of life improvements with increased use of variable arguments, and revised Map<String, ?> datastore connection parameters.

Monday, January 24, 2022

GeoTools 26.2 Released

The GeoTools team is pleased to share the availability of GeoTools 26.2.

This release is also available from the OSGeo Maven Repository and is made in conjunction with GeoServer 2.21.2.
Update: The initial release was accidentally compiled with Java 11, and has been recompiled using Java 8 on February 22, 2020.

Source code

The active GeoTools branches (main, 26.x and 25.x) now include a .gitattributes file specifying how linefeeds are handled for our repository. With this change you are no longer required to set global core.autocrlf=input to prevent conflict with other developers when editing text files.
A number of files with inconsistent line endings were cleaned up as part of this activity.
Use git reset as outlined below if you encounter difficulty updating your checkout:
git pull --rebase
git reset --hard

Fixes and improvements

  • Release notes now attached to GitHub tag, no longer stored in Jira as this required credentials to access
  • Rendering pre-process Mark Factories Hint available allowing improved performance
  • YSLD support for rule vendor options
For more information see the 26.2 Release Notes.

About GeoTools 26 Series

For more information see the release notes ( 26.2 | 26.1 | 26.0 | 26-RC).
  • main is now the default branch, repository now includes .gitattributes file for consistent linefeed handling.
  • GML support improved with support for surface, multi curves, curved polygons and arcs with more than three control points
  • Krovak North Orientated, used for EPSG:5514