Upgrade GeoServer for vulnerabilities

[tlvu]

Overview

GeoServer: upgrade to 2.25.2 to fix vulnerabilities

See:

• https://nsfocusglobal.com/remote-code-execution-vulnerability-between-geoserver-and-geotools-cve-2024-36401-cve-2024-36404-notification/
• https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv

• https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w

  This change will upgrade to GeoServer 2.25.2 and GeoTools 31.2 (the version of gt-complex.jar).

  $ docker exec -u 0 geoserver find / -iname '**gt-complex**'
  /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-31.2.jar

  The previous version was GeoServer 2.22.2 and GeoTools 28.2.

  $ docker exec -u 0 geoserver find / -iname '**gt-complex**'
  /usr/local/tomcat/webapps/geoserver/WEB-INF/lib/gt-complex-28.2.jar

Also enable

• OGC-API plugins https://docs.geoserver.org/stable/en/user/community/ogc-api/features/index.html so we can slowly transition from the WPS plugin.
• STAC Datastore plugin https://docs.geoserver.org/latest/en/user/community/stac-datastore/index.html so we can test integration with our STAC component.

Test result: jenkins-console-output.txt

Changes

Non-breaking changes

• Upgrade GeoServer to 2.25.2
• Enable additional GeoServer plugins

birdhouse_daccs_configs_branch: master birdhouse_skip_ci: false

[tlvu]

@huard @tlogan2000 FYI the new GeoServer is already live on our production, without waiting for this PR to be merged, so we are protected against the vulnerability. All the OGC-API plugins have been enabled if ever you guys want to test it out.

[tlvu]

@fmigneault I do not see the CI pipelline being triggered for this PR. Is there a problem on your side?

[fmigneault]

@tlvu I don't see issues in the CI. Not sure why it doesn't trigger. @ldperron Do you have an idea?

[fmigneault]

All the OGC-API plugins have been enabled if ever you guys want to test it out.

Nice!

OGC API Maps seems to respond nicely: https://pavics.ouranos.ca/geoserver/ogc/maps/v1/collections/public:HydroLAKES_poly/styles/polygon/map?f=html OGC API Coverages works for some cases, and others not: https://pavics.ouranos.ca/geoserver/ogc/coverages/v1/collections/Synthese2015:TempAnnObs/coverage?f=image%2Fgeotiff OGC API Tiles also seem ok: https://pavics.ouranos.ca/geoserver/ogc/tiles/v1/collections/public:CanVec_WaterBodies/styles/CanVec_WaterBodies/map/tiles/EPSG:4326?f=text%2Fhtml OGC API Features seems to be missing a config somewhere to resolve the type: https://pavics.ouranos.ca/geoserver/ogc/features/v1/collections?f=text%2Fhtml They are however accessible: https://pavics.ouranos.ca/geoserver/ogc/features/v1/collections/public%3Aglobal_admin_boundaries/items?f=application%2Fjson&limit=50 (obtained via the OGC API Stlyes endpoint with JSON format selected: https://pavics.ouranos.ca/geoserver/ogc/styles/v1/styles/global_admin_boundaries/metadata?f=html)

Overall, very promising support!

[fmigneault]

@tlvu Manually triggered in the meantime: http://daccs-jenkins.crim.ca/job/DACCS-iac-birdhouse/2729/

[tlvu]

@fmigneault FYI the STAC datastore that you requested is also live.

[fmigneault]

@tlvu

FYI the STAC datastore that you requested is also live.

Thanks. Good to know. I won't be able to test it on your instance though since we need to create a new "data store" pointing to STAC as per https://docs.geoserver.org/latest/en/user/community/stac-datastore/install.html

Will try to find time to test it next week on a test instance.

[tlvu]

@fmigneault Can you approuve so we can merge this PR if no critical blocking issue since this PR is to address a vulnerability so it has to be deployed fast. I think on CRIM and UofT side, you guys would also want to deploy this earlier than later. For other non-critical, I think we can address in subsequent PR.