The highlight of this release is our CoreSpatial Portal release based on MapStore2 v2025.02.02. This is a large rollup that advances through multiple upstream MapStore2 releases. See full details below.

We also look forward to continued development in the following areas:

• Bulk tile collection projects via Map Manager UI
• Expanded image handling capabilities in Map Manager – georectification of commercial drone imagery using JPEG EXIF
• Desktop GIS integration via QGIS

CoreSpatial Server and Basemaps Release Notes

2026.1.7 (03/31/2026)

• Update GeoServer to 2.28.3
• Update PostgreSQL JDBC jar to 42.7.10
• Update C3P0 Connection Pooling lib 0.12.0
• Improve SBOM/CVE diff automation (new scripts, live image scans, and previous-release SBOM comparisons)

2026.1.6 (03/03/2026)

• Patch five High/Medium CVEs in bundled JARs
• Add support for multiple SBOM formats: SPDX, CycloneDX, and Syft

2026.1.5 (01/21/2026)

• Patch vulnerabilities discovered in UBI 9 base image

2026.1.4 (01/30/2026)

• Patch vulnerabilities discovered in UBI 9 base image

2026.1.3 (01/26/2026)

• Patch vulnerabilities discovered in UBI 9 base image

2026.1.2 (01/21/2026)

• Patch gnupg2 High severity vulnerability affecting the Docker container base image

2026.1.1 (01/14/2026)

• Patch libpng to remediate High severity vulnerability affecting the Docker container base image

CoreSpatial Map Manager Release Notes

2026.1.9 (03/30/2026)

• Refresh runtime container packages in the final Docker image to clear fixed vulnerabilities in the release container

2026.1.8 (03/25/2026)

• Bump Spring Boot to 3.5.12 to remediate JAR vulnerabilities affecting Tomcat and Spring Web MVC
• Update PostgreSQL JDBC to 42.7.10, Logback to 1.5.32, commons-io to 2.18.0, commons-lang3 to 3.19.0, and commons-compress to 1.27.1
• Separate WMS Scraper into its own versioned release flow

2026.1.7 (03/06/2026)

• Bump Jackson to 2.18.6 to remediate a JAR vulnerability

2026.1.6 (03/03/2026)

• This release was cut to patch vulnerabilities discovered in the base container image

2026.1.5 (02/02/2026)

• Bump react-router and react-router-dom to 6.30.3 and @remix-run/router to 1.23.2
• Bump lodash to 4.17.23

2026.1.4 (01/30/2026)

• Remove Python from the runtime image so it remains build-time only for GDAL
• Pin Logback to 1.5.25 for vulnerability remediation
• Set Flyway baselineVersion to 0 in application and test configuration

2026.1.3 (01/26/2026)

• This release was cut to patch vulnerabilities discovered in the base container image

2026.1.2 (01/21/2026)

• Patch gnupg2 and jaraco-context High severity vulnerabilities affecting the Docker container base image

2026.1.1 (01/14/2026)

• Patch libpng to remediate High severity vulnerability affecting the Docker container base image

CoreSpatial Portal Release Notes

2026.1.1 (3/30/2026)

This release is a large rollup that advances the MapStore2 submodule through multiple upstream releases. The full details of upstream changes can be found in the MapStore2 release notes on GitHub:

• MapStore2 v2025.01.00
• MapStore2 v2025.02.00
• MapStore2 v2025.02.01
• MapStore2 v2025.02.02

New Features & Enhancements

• Cesium Ion World Terrain — Added Cesium Ion World Terrain support for 3D map view; reads ionAccessToken and terrainProvider from localConfig.json with graceful fallback to default ellipsoid when no token is configured
• Manager Page Plugins — Fixed blank manager page by adding UserManager, GroupManager, TagsManager, IPManager, and Footer plugins to the manager configuration; added missing translation keys throughout

Bug Fixes

• Fixed duplicate file upload attempt that could trigger two concurrent upload requests
• Fixed OSM background layer CORS errors by using explicit HTTPS tile URLs in base configuration

Security & Infrastructure

• Switch to Iron Bank ubi9 base image for the container
• Bump Tomcat to 9.0.108 (from 9.0.90) in RPM and container builds, addressing multiple CVEs across the 9.0.x series
• Bump org.apache.commons:commons-lang3 from 3.17.0 to 3.18.0
• Bump org.apache.cxf:cxf-core from 3.5.10 to 3.5.11
• Multi-format SBOM generation (syft-json, cyclonedx-json, spdx-json, table) now included with all releases
• CVE diff reporting added to release pipeline for tracking vulnerability changes between releases

Database Migrations

• Migration 005 — Adds gs_ip_range and gs_security_ip_range tables required by GeoStore 2.4.0 for IP-based access control. Deployments upgrading from older GeoStore versions will have schema validation errors fixed by this migration.

Testing

• Added Playwright end-to-end regression test suite

The post CoreSpatial 2026-Q1 Release Announcement first appeared on .

We anticipate the release of Portal in the upcoming weeks based on MapStore2 v2025.01.01, as well as promoting FIPS compliance for GeoServer to a generally available release.

Other exciting features on our roadmap include:

• Expanded deployment options with Docker Compose
• AI Enablement via MCP API
• Expanded FIPS 140 compliance across all CoreSpatial modules

CoreSpatial Server and Basemaps Release Notes

2025.3.5 (9/24/2025)

• Docker setup scripts hardened and simplified:
  • Unified permission / ownership helpers (fix_dir, fix_file) across data load steps
  • More robust curl version / SigV4 capability detection and consolidated S3 / MinIO download logic
  • Non‑root friendly: scripts no longer require running as root
• Default basemap data storage now points to Cloudflare R2 (via BUCKET_HOST)

2025.3.4 (8/29/2025)

• Update GeoServer to 2.27.2
• Docker build now uses Iron Bank ubi9 base image
• Minor improvements to docker setup script

2025.3.3 (8/14/2025)

• Patch vulnerabilities in OpenJDK 17

2025.3.1 (7/2/2024)

• Update PostgreSQL JDBC jar to 42.7.7 – patches CVE-2025-49146
• Update commons-beanutils to 1.11.0 – patches CVE-2025-48734

2025.2.4 (7/1/2025)

• Add logic for catalog manifest to allow for updates to catalog

CoreSpatial Map Manager Release Notes

2025.3.3 (9/22/2025)

• Bump Spring Boot to 3.5.6 to clear 1 High severity CVE

2025.3.2 (8/27/2025)

• Bump Spring Boot to 3.5.5 to clear 1 High and 1 Medium severity CVEs

2025.3.1 (7/7/2025)

• Bump Postgres JDBC Jar to 42.7.7
• Bump Spring Boot to 3.5.3 to clear 1 High and 2 Medium severity CVEs

The post CoreSpatial 2025-Q3 Release Announcement first appeared on .

What Is FIPS Compliance and Why Does It Matter?

FIPS stands for Federal Information Processing Standards, a set of publicly announced standards developed by the National Institute of Standards and Technology (NIST) for use in computer systems by non-military government agencies and contractors. Specifically, FIPS 140-2 and 140-3 relate to cryptographic module validation. They define the security requirements for cryptographic operations like encryption, hashing, and signing.

• Learn more about FIPS 140-2
  
• Explore the latest FIPS 140-3 standard
  
• NIST’s full FIPS series can be found at csrc.nist.gov
  

Many U.S. federal systems (and an increasing number of enterprise platforms handling sensitive or regulated data) are required to run only FIPS-validated cryptographic modules. Without this validation, software components like web services, authentication providers, or spatial data servers will be deemed unsuitable for use in secure environments, particularly those that handle Controlled Unclassified Information (CUI), Protected Health Information (PHI), or mission-critical defense data.

Why This Is a Big Deal for CoreSpatial and GeoServer Users

GeoServer, a cornerstone of open-source geospatial services, is widely adopted across both public and private sectors. However, until now, deploying GeoServer in a FIPS-validated environment was not possible due to compatibility issues related to the use of older style JCEKS keystores for secret management, among other password handling issues. 

With this new release of CoreSpatial Server, we’ve resolved those limitations by:

• Configuring the Java runtime environment to use Bouncy Castle FIPS 140-2 validated cryptographic providers
  
• Hardening container images and RPM-based installations to ensure strict FIPS mode enforcement
  
• Providing turnkey compatibility with RHEL FIPS-enabled operating systems
  
• Validating compatibility with secure ingress and TLS termination using approved ciphers and key lengths
  
• Ensuring continued compatibility with key plugins and extensions, such as WMS/WFS/WCS services, PostGIS integration, and security modules
  

This means CoreSpatial Server customers can now deploy GeoServer in environments where FIPS 140-2 compliance is not optional – including DoD, DHS, and state-level emergency management systems.

Deployment Scenarios Supported

The FIPS-compliant CoreSpatial Server supports:

• Bare metal or VM installations on RHEL 8 and 9 with FIPS mode enabled
  
• Containerized deployments using Podman, Docker, or Kubernetes where the underlying host supports FIPS 140-2 compliant cryptography
  

Whether you’re deploying in a SCIF, in a hybrid cloud with strict compliance policies, or inside an accredited container security boundary, CoreSpatial Server now enables you to take full advantage of GeoServer’s spatial publishing power without compromising on compliance.

Get Started Today

To explore FIPS-ready deployment options or see a demo, contact us at sales@newmoyergeospatial.com or visit our CoreSpatial overview.

For federal agencies and contractors already navigating FedRAMP, CMMC, or NIST 800-171 compliance landscapes, this enhancement brings CoreSpatial one step closer to being your go-to open-source alternative for secure geospatial systems.

The post CoreSpatial Server Adds FIPS 140-2 Compliance to GeoServer first appeared on .

This release includes major security and performance updates across the stack. We are hard at work to bring a new release of Portal based on the recently dropped MapStore2 v2025.01.00, as well as FIPS compliance for GeoServer (CS Server).

CoreSpatial Server and Basemaps Release Notes

2025.2.3 (6/10/2025)

• Update GeoServer to 2.27.1
• Update Jetty to 9.4.57.v20241219
• Update PostgreSQL JDBC jar to 42.7.6
• Update C3P0 Connection Pooling lib 0.11.1
• Update Marlin Jar to v0_9_4_8_jdk17

2025.2.2 (5/12/2025)

• Add ability to map data from mounted volume in Kubernetes environment

2025.2.1 (5/2/2025)

• Improvements to container initialization scripts
• Multiple High and Medium severity security patches in OpenJDK, libexpat, c-ares, and giflib
• Update OSM database to 3/31/2025 build

CoreSpatial Map Manager Release Notes

2025.2.2 (6/10/2025)

• Bump Spring Boot to 3.5.0 to clear 2 Low severity CVEs
• Bump Python to 3.12.11 to clear multiple CVEs (Medium, High, and Critical severity)
• Bump Postgres JDBC Jar to 42.7.6

2025.2.1 (5/2/2025)

• Bump Spring Boot to 3.4.5 to clear multiple CVEs

The post CoreSpatial 2025-Q2 Release Announcement first appeared on .

CoreSpatial Server 2025.1.2 (3/16/2025)

• Updates GeoServer to 2.26.2
• Update PostgreSQL JDBC jar to 42.7.5
• Allow container to start with default catalog
• Added support for optional map data loading in container initialization
• Moved Docker container usage instructions to Admin Guide
• Enable use of WPS for Geoprocessing services in CoreSpatial Portal
• Fixed issue with loading fonts in container image

CoreSpatial Map Manager 2025.1.3 (3/13/2025)

• Improve startup logic for creating highres store and layers in GeoServer
• Fix bug with initialization of PG variables in datastore.xmls
• Bump spring boot to 3.4.3 to clear multiple CVEs
• Bump Postgres JDBC Jar to 42.7.5
• Bump multiple babel frontend deps to clear 2 Moderate CVEs
• Bump axios frontend dep to clear 1 Critical CVE

CoreSpatial Portal 2025.1.1 (4/01/2025)

New Features & Enhancements

• Interactive Legends & TOC Improvements
  • Enhanced interactive legends for both WFS and Vector layers, including fixes for filter icon visibility and smoother filter management.
• Text Widget Upgrades
  • Enabled image uploads within Text widgets by introducing a new property (renamed to uploadEnabled) along with accompanying unit tests.
• Vector File Import Enhancements
  • Added configurable file size limits for vector imports (now set to 3 MB by default), with warning notifications, translations, and updated tests.
• Layer Style Editing Configuration
  • Introduced dynamic configuration for editing the default styles of layers.
• Cesium Integration Improvements
  • Allowed dynamic setting of the CESIUM_BASE_URL and added support for the Cesium Ion Terrain Provider.
  • Fixed an issue where Cesium maps appeared too dark when opened in the evening.

Bug Fixes

• WMS & 3D Mode
  • Corrected Cesium/3D mode behavior to ensure WMS requests use version 1.1.1.
• Legend & Style Editing
  • Resolved incompatibilities between the legend filter and style editing.
• GeoFence & Proxy Issues
  • Fixed error notifications when moving GeoFence rules.
  • Addressed proxy call issues affecting CORS-disabled domains on the Model layer.
• UI & View Update Fixes
  • Fixed problems with view updates (e.g., when the center prop changes) and issues in various UI elements (dashboard save, search bar overlaps, navbar icon order, etc.).
• Additional Bug Resolutions
  • Corrected parsing issues in WPS responses and resolved problems in feature grid customizations, resource re-rendering, and measure tool functionality.

Build, Dependencies & Infrastructure

• Security & Base Image Updates
  • Updated the Tomcat base image to address multiple external security warnings.
• Build Script & Configuration Improvements
  • Revised build scripts (including build.sh) to pass shellcheck and use build arguments for memory heap configuration.
  • Updated Babel configuration, ESLint settings, and utility package files.
• CI/CD Enhancements
  • Upgraded GitHub Actions for artifact uploads and caching.
• Dependency Bumps
  • Bumped jinja2 from 3.1.4 to 3.1.6.

Documentation & Testing

• Docs Updates
  • Revised query parameter documentation and added missing parts for interactive legends (WFS layer).
  • Improved LDAP and corporate proxy configuration guides.
• Testing Enhancements
  • Expanded unit and integration tests across new features and bug fixes, ensuring better coverage for text widgets, vector import limits, and map preview functionalities.

Miscellaneous

• Code Cleanup & Refactoring
  • Removed unused code and comments, reverted select changes, and fixed lint errors.
• Localization & Styling
  • Updated translations (including Catalan support) and refined resource card styling.
• Developer & Context Updates
  • context configuration and updated various developer guides and JSDoc comments.

The post CoreSpatial 2025-Q1 Release Announcement first appeared on .

2024.4.1 (12/29/2024) Release Notes

CoreSpatial Server

• Update GeoServer to 2.26.1

CoreSpatial Basemaps

• Update OSM database to 12/20/2024 build

CoreSpatial Map Manager

• Fix bug with initial creation of highres store in GeoServer on app startup
• Improvements and updates to User and Admin documentation, move Docker Readme into Admin_Guide.md
• Minor version bumps to patch security vulnerabilities in Javascript dependencies: postcss, cross-spawn, path-to-regexp, express, nanoid, picocolors, postcss, source-map-js
• Bump spring boot to 3.4.1 to clear spring-context CVE-2022-22968

Previous release notes below

2024.3.2 (9/23/2024) Release Notes

Server

• Update Jetty to 9.4.56.v20240826
• Update Postgres JDBC Jar to 42.7.4
• Migrated from Java 11 to Java 17
• Mitigate multiple BouncyCastle, protobuf, and Spring CVEs

Upgrade Notes:

To upgrade your configuration to use Java 17 you must modify the JAVA_HOME variable in /opt/geoserver/conf/geoserver.env to point to /usr/lib/jvm/jre-17. This is an optional upgrade, but recommended for security and performance.

Basemaps

• OSM database updated to 2024-09-13 build

Map Manager (10/10/2024)

• Bump apache commons-io to 2.17.0 to resolve CVE-2024-47554 (High sev)
• Upgrade to Spring Boot 3.3.4

The post CoreSpatial 2024-Q4 Release Announcement first appeared on .