23 May 2014
uPortal 4.0.13.1 Announcement
Apereo has released uPortal 4.0.13.1, which is uPortal 4.0.13 plus security fixes that properly enforce MANAGE and CONFIG permissions.
Prior to this release, portlet administration permissions were enforced incorrectly, such that:
- CVE-2014-3416: anyone who could SUBSCRIBE to the portlet-admin portlet could MANAGE any portlet, regardless of the intended delegated-administration MANAGE and MANAGE-* permission restrictions, and
- CVE-2014-3417: anyone who could SUBSCRIBE to a given portlet could enter that portlet's CONFIG mode (to the extent that the portlet has a CONFIG mode).
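Both advisories have the same shape: an authorization check keyed on the wrong activity (SUBSCRIBE) or the wrong target (the portlet-admin portlet rather than the portlet actually being administered). The following is an added illustration of that shape and of the corrected check; it is not uPortal's code and does not reproduce uPortal's authorization API. The names PermissionStore, can_manage, can_configure and PORTLET_ADMIN, the wildcard target "*" standing in for an "all portlets" delegation, and the sample grants are all assumptions made for this example.

```python
"""
Minimal portlet permission model illustrating CVE-2014-3416 / CVE-2014-3417.
Added example only: NOT uPortal's code. All class, function and portlet names
here are assumptions for the illustration.

A principal holds grants of (activity, target). Activities are SUBSCRIBE,
MANAGE and CONFIG; a target is a portlet fname or the wildcard "*" (standing
in for an "all portlets" grant). The *_vulnerable checks reproduce the shape of
the two flaws; the hardened checks require the right activity on the right target.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SUBSCRIBE, MANAGE, CONFIG = "SUBSCRIBE", "MANAGE", "CONFIG"
PORTLET_ADMIN = "portlet-admin"  # assumed fname of the portlet-admin portlet
ALL = "*"                        # assumed wildcard target


@dataclass
class PermissionStore:
    grants: dict[str, set[tuple[str, str]]] = field(default_factory=dict)

    def grant(self, principal: str, activity: str, target: str) -> None:
        self.grants.setdefault(principal, set()).add((activity, target))

    def has(self, principal: str, activity: str, target: str) -> bool:
        held = self.grants.get(principal, set())
        return (activity, target) in held or (activity, ALL) in held


# --- Flawed checks (shape of CVE-2014-3416 / CVE-2014-3417) -----------------

def can_manage_vulnerable(store: PermissionStore, principal: str, portlet: str) -> bool:
    # Wrong target and wrong activity: being able to reach the portlet-admin UI
    # is treated as authority over every portlet; MANAGE on `portlet` is never consulted.
    return store.has(principal, SUBSCRIBE, PORTLET_ADMIN)


def can_configure_vulnerable(store: PermissionStore, principal: str, portlet: str) -> bool:
    # Wrong activity: SUBSCRIBE on a portlet is treated as enough to enter CONFIG mode.
    return store.has(principal, SUBSCRIBE, portlet)


# --- Hardened checks ---------------------------------------------------------

def can_manage(store: PermissionStore, principal: str, portlet: str) -> bool:
    # The MANAGE check targets the portlet actually being administered, so a
    # delegated administrator can only touch what was delegated.
    return store.has(principal, MANAGE, portlet)


def can_configure(store: PermissionStore, principal: str, portlet: str) -> bool:
    # CONFIG is its own activity on that portlet; SUBSCRIBE does not imply it.
    return store.has(principal, CONFIG, portlet)


def build_demo_store() -> PermissionStore:
    """Constructed sample grants for the demo (not real uPortal data)."""
    s = PermissionStore()
    # Delegated admin: may open portlet-admin and may MANAGE exactly one portlet.
    s.grant("delegate", SUBSCRIBE, PORTLET_ADMIN)
    s.grant("delegate", MANAGE, "calendar")
    # Ordinary user: may subscribe to a portlet, administers nothing.
    s.grant("student", SUBSCRIBE, "calendar")
    # Portal admin: wildcard MANAGE and CONFIG.
    s.grant("admin", MANAGE, ALL)
    s.grant("admin", CONFIG, ALL)
    return s


def compare(store: PermissionStore, principal: str, portlet: str) -> dict[str, tuple[bool, bool]]:
    """Return (vulnerable_verdict, hardened_verdict) for manage and configure."""
    return {
        "manage": (can_manage_vulnerable(store, principal, portlet),
                   can_manage(store, principal, portlet)),
        "configure": (can_configure_vulnerable(store, principal, portlet),
                      can_configure(store, principal, portlet)),
    }


if __name__ == "__main__":
    demo = build_demo_store()
    for who, what in [("delegate", "calendar"), ("delegate", "email"),
                      ("student", "calendar"), ("admin", "email")]:
        print(who, what, compare(demo, who, what))
```

The two rows to look at are "delegate"/"email" (the flawed check says True because the delegate can open portlet-admin, the hardened check says False because no MANAGE grant covers "email") and "student"/"calendar" (the flawed check lets a subscriber into CONFIG mode, the hardened check does not). The lesson generalises beyond these two CVEs: a permission check must name both the activity being performed and the object it is performed on, and a grant on the administration UI is not a grant on the things administered through it.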
Updating from 4.0.0 through 4.0.5
If you have data you care about in the UP_LOGIN_EVENT_AGGREGATE table, back it up externally or rename the table before executing the following steps: db-update will drop this table.
After configuring your uPortal 4.0.13.1 source, run:
Where to get it
Release Notes: https://wiki.jasig.org/display/UPC/220.127.116.11
Maven Project Site: http://developer.jasig.org/projects/uportal/18.104.22.168/
In Maven Central: http://search.maven.org/#browse%7C84002748
Full Release Notes
- [UP-4105] - CVE-2014-3416 MANAGE[-*] permissions not enforced
- [UP-4106] - CVE-2014-3417 Any user can Configure any portlet they can SUBSCRIBE
- [UP-3869] - Bamboo build failures with 'connection exception: connection failure: java.io.EOFException' on hsql shutdown
Screenshots from uPortal 4.0.13.1
Issues addressed in uPortal 4.0.13.1
Bugs known to afflict uPortal 4.0.13.1
(Note that this listing is only as good as JIRA issue metadata about affects-version.)