
Please Test GeoServer 2.25-RC Release Candidate #4204

Closed
jodygarnett opened this issue Mar 8, 2024 · 7 comments · Fixed by #4211

Comments

@jodygarnett (Author)

Hello georchestra team, can I ask for your testing and feedback on GeoServer 2.25-RC https://geoserver.org/announcements/2024/03/04/geoserver-2-25-RC-released.html

You can read above on some configuration changes that you may make use of when running. If you have team members on geoserver-security list they are already aware of the CVEs that will be disclosed alongside the 2.25.0 release (when they will start to show up in automatic scans).

We look forward to hearing from you and thank you for enjoying GeoServer.

@landryb (Member) commented Mar 11, 2024

Thanks @jodygarnett, that notice is much appreciated.

IIRC an update to 2.24 was in the works & #4076 tracked it, so we will at least make sure to update to 2.24.2, which has the security fixes. Is there an ETA for the 2.25 release?
In all cases we have a community meeting planned next week so the timing is right.

BTW, I've noted the post mentions "(or GeoServer 2.35.5 Release)"; I suppose that's 2.23.5 :)

@jodygarnett (Author)

Yeah this is about sharing risk, so testing with 2.25-RC for any regressions before release is made next Wednesday.

I am trying to call for greater participation (and funding) as our community does not have the practice of release-early-release-often feedback to share risk.

landryb linked a pull request Mar 19, 2024 that will close this issue
@landryb (Member) commented Mar 19, 2024

Hi @jodygarnett, in #4211 I'm testing the 2.25 branch as of today (e.g. https://github.com/georchestra/geoserver/commits/2.25.x-georchestra/ is the tip of 2.25 plus our commits on top), and I'm hitting an exception coming probably from geoserver/geoserver#7444, as setting -DENTITY_RESOLUTION_ALLOWLIST=* in the Tomcat Java env fixes the issue. I've tried disabling the URL checks and that didn't help.

Trying to validate an SLD is enough to trigger org.xml.sax.SAXException: Entity resolution disallowed for null, as is trying to render a layer in the OpenLayers preview.

I suppose that PR has been sufficiently tested; I will dig further to try to understand what could cause it. That's with building & running with Java 17 and Tomcat 9.

@landryb (Member) commented Mar 19, 2024

That's with the default (probably outdated) polygon.sld from https://github.com/georchestra/geoserver_minimal_datadir/blob/23.0/styles/default_polygon.sld

@landryb (Member) commented Mar 19, 2024

OK, found the issue. For some reason (I will try to figure out whether that comes from the integration within georchestra, from the extensions we enable/bundle...) the resulting war contains xercesImpl-2.12.2.jar and that's what's causing the issue. The full traceback is:

Caused by: org.xml.sax.SAXException: Entity resolution disallowed for null
        at org.geoserver.util.AllowListEntityResolver.resolveEntity(AllowListEntityResolver.java:176)
        at org.geoserver.util.AllowListEntityResolver.getExternalSubset(AllowListEntityResolver.java:119)
        at org.apache.xerces.util.EntityResolver2Wrapper.getExternalSubset(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentScannerImpl$ContentDispatcher.resolveExternalSubsetAndRead(Unknown Source)
        at org.apache.xerces.impl.XMLNSDocumentScannerImpl$NSContentDispatcher.scanRootElementHook(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
        at org.apache.xerces.parsers.DOMParser.parse(Unknown Source)
        at org.apache.xerces.jaxp.DocumentBuilderImpl.parse(Unknown Source)
        at org.geotools.xml.styling.SLDParser.parseSLD(SLDParser.java:469)

If I remove xercesImpl-2.12.2.jar from the webapp and restart Tomcat, everything runs fine and 2.25 is smooth.
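An added pre-deployment check (not code from the georchestra or GeoServer projects) for the condition identified above: it scans an exploded GeoServer webapp for a bundled xercesImpl jar and fails when one is present, so the regression is caught before Tomcat is restarted with the new war. It assumes the standard servlet layout (WEB-INF/lib under the webapp root) and a POSIX shell; the paths in the usage comments are constructed.

```shell
#!/bin/sh
# Added example, not part of georchestra or GeoServer: detect a Xerces
# implementation jar bundled into a GeoServer webapp, the situation that
# produced "Entity resolution disallowed for null" in this issue.
# Assumes the standard WEB-INF/lib layout under the webapp directory.

# Print the path of every xercesImpl-*.jar found in WEB-INF/lib (one per line).
find_bundled_xerces() {
    webapp="$1"
    for jar in "$webapp"/WEB-INF/lib/xercesImpl-*.jar; do
        # With no match the glob stays literal, so skip non-existent paths.
        if [ -e "$jar" ]; then
            echo "$jar"
        fi
    done
    return 0
}

# Return 0 when the webapp ships no xercesImpl jar, 1 otherwise, so the
# check can gate a build or a container image before deployment.
check_webapp() {
    webapp="$1"
    found=$(find_bundled_xerces "$webapp")
    if [ -n "$found" ]; then
        echo "bundled Xerces found in $webapp:" >&2
        echo "$found" >&2
        return 1
    fi
    echo "no bundled xercesImpl in $webapp"
    return 0
}

# Usage (constructed path, adjust to your deployment):
#   check_webapp /var/lib/tomcat9/webapps/geoserver || exit 1
# To find which Maven dependency drags Xerces into the war, run in the
# build tree:
#   mvn dependency:tree -Dincludes=xerces:xercesImpl
```

The `mvn dependency:tree -Dincludes=...` line names the dependency path that pulls the jar in, which is what a Maven `<exclusions>` entry on that dependency would then cut; removing the jar by hand after the build, as done above, works but has to be repeated on every rebuild.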

miceg added a commit to miceg/docker-geoserver that referenced this issue May 16, 2024
This fixes "entity resolution disallowed for null" when XML entity
resolution is restricted:
georchestra/georchestra#4204 (comment)
@miceg commented May 16, 2024

OK, found the issue. For some reason (I will try to figure out whether that comes from the integration within georchestra, from the extensions we enable/bundle...) the resulting war contains xercesImpl-2.12.2.jar and that's what's causing the issue.

One place xercesImpl comes from is GeoServer's printing plugin. I'm unsure if there are other plugins you're using which also include that module – but for me (using a different GeoServer container), just removing the plugin fixed (well, mitigated) the issue.

NyakudyaA pushed a commit to kartoza/docker-geoserver that referenced this issue May 16, 2024
…d for null" (#651)

Remove printing plugin, to remove xercesImpl.

This fixes "entity resolution disallowed for null" when XML entity
resolution is restricted:
georchestra/georchestra#4204 (comment)
@jodygarnett (Author)

We recently forked the mapfish-print-v2 - it does have an explicit dependency on xerces (not sure why). Have you tried excluding the transitive dependency?
