
Released: 21 August 2014

Download the release

You can grab the binary releases, including a ready-to-start Quickstart release, from the GitHub release page.

Publicly Acknowledged Security Bugs Known to Affect uPortal 4.0.15

This macro will automatically display Security Bugs known to affect this release if any should be added to the project issue tracker in the future.

uPortal 4.0.15 GA Announcement

Apereo is proud to announce uPortal 4.0.15, continuing in our regular patch releases of uPortal 4.0.

About the vulnerabilities fixed in this release

uPortal 4.0.15 is a patch release of uPortal 4.0 cut to release a couple of important security fixes and to ship some minor fixes that had accumulated in the 4.0-patches maintenance branch. Prior to this release, uPortal CAS integration had two defects:

1) CVE-2014-5059: a user logging in via CAS could log in as any user account in the typical uPortal CAS login configuration, and

2) CVE-2014-4172: the Java CAS client library shipped in uPortal was vulnerable to an illicit proxy attack.

This release addresses these vulnerabilities by

  • Shipping a corrected default, example security.properties configuration, and
  • Shipping fixed CAS-integration uPortal SecurityContext implementations that fail safe even when the incorrect security.properties configuration is applied, and
  • Fronting the vulnerable Java CAS Client with a new Filter that blocks CVE-2014-4172.

You can make your implementation secure against these vulnerabilities without otherwise upgrading by

  • Fixing your security.properties AND/OR upgrading to the fixed version of the CasAssertionSecurityContext Java class, AND
  • Fronting your local usage of the Java CAS Client as desc

You can make your implementation secure against these vulnerabilities by upgrading, so long as in the course of that upgrade

  • You fix your security.properties OR pick up the new version of the CasAssertionSecurityContext Java class, AND
  • You update your web.xml to front your local usage of the Java CAS client as shown in the web.xml provided with the release.

You are not vulnerable to these specific issues if you are not using CAS as the mechanism for authenticating users to your uPortal.

About the other goodness in this release

uPortal 4.0.15 rolls back the acceptAnyProxy configuration that had been introduced in the 4.0 line in 4.0.14. acceptAnyProxy tells the Java CAS Client to accept proxy tickets regardless of which application is proxying them. While this is convenient for demoing, it would be unfortunate for that configuration to inadvertently slip into production in any uPortal environment, and this change moves the out-of-the-box configuration a little further from that.
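As an added illustration of the setting this paragraph describes (not the CAS overlay or web.xml shipped with this release): a Java CAS Client ticket-validation filter configured with acceptAnyProxy as 4.0.14 had it, beside a production configuration that names the proxy chains it trusts. The filter class and init-param names are those of the Java CAS Client 3.x; the host names are placeholders.

```xml
<!-- Added example, not the web.xml shipped with uPortal 4.0.15.
     Filter class and init-param names are those of Java CAS Client 3.x;
     host names are placeholders. -->

<!-- Demo-friendly setting that 4.0.15 rolls back: any service presenting a
     proxy ticket for this portal is trusted, whichever application obtained it. -->
<filter>
  <filter-name>CAS Validation Filter (demo only)</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://cas.example.edu/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://portal.example.edu</param-value>
  </init-param>
  <init-param>
    <param-name>acceptAnyProxy</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- Production setting: proxied tickets are rejected unless the proxy chain
     is explicitly listed. One chain per line; each entry is the proxying
     application's CAS proxy-callback URL. -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://cas.example.edu/cas</param-value>
  </init-param>
  <init-param>
    <param-name>serverName</param-name>
    <param-value>https://portal.example.edu</param-value>
  </init-param>
  <init-param>
    <param-name>acceptAnyProxy</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>allowedProxyChains</param-name>
    <param-value>https://trusted-app.example.edu/cas-proxy-callback</param-value>
  </init-param>
</filter>
```

With acceptAnyProxy unset or false and no allowedProxyChains, the filter accepts only tickets that were not proxied at all, which is the safe default when no application legitimately proxies to the portal.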

The Attachments component of, e.g., the SimpleContentPortlet had inadvertently been using a Hibernate-internal connection pool that is not intended for production use. This release fixes that configuration.

This release turns on Travis-CI continuous integration testing for the uPortal 4.0-patches branch. This provides an additional safety net and feedback mechanism for uPortal product development on this maintenance branch, and also gives you, the adopter, a better starting point for using Travis-CI for continuous integration testing of your local uPortal implementation.

This release no longer looks for dependencies in remote Maven snapshot repositories it probably shouldn't have been using.

Updating from uPortal 4.0.0 through 4.0.5

If you are upgrading from very old versions of uPortal 4.0:

If you have data you care about in the UP_LOGIN_EVENT_AGGREGATE table please back it up externally or rename the table before executing the following steps. db-update will drop this table.

After configuring your uPortal 4.0.14 source, run:

  • ant db-update

But you're not on such an old version of uPortal 4.0, are you?

Downloads: https://github.com/Jasig/uPortal/releases/tag/uportal-4.0.15

Release Notes: https://wiki.jasig.org/display/UPC/4.0.15

Maven Project Site: http://developer.jasig.org/projects/uportal/4.0.15/

Tim Levett, Andrew Petro, and James Wennmacher contributed commits to this release.

-Andrew Petro

Deployer Notes

  • Requires Servlet API 2.5 to run. Tomcat 6.0 is the first version of Tomcat to support Servlet 2.5.  You probably actually want a recent Tomcat 7.
  • Requires JDK 1.6.0_26 or newer.  Oracle JDK 6 is ridiculously old, so you probably want JDK 7 instead, which will work.  JDK 8 will almost certainly also work, but wasn't the target version for this patch series.
  • Data export and import is required when upgrading from a version earlier than 4.0.0.  Login event aggregation data migration is required when upgrading from a version from 4.0.0 through 4.0.5; see above.

Issues addressed in uPortal 4.0.15

Key | Summary | Type | Created | Updated | Assignee | Reporter | Priority | Status | Resolution
UP-4205 | CVE-2014-4172 uPortal includes Java CAS Client vulnerable to illicit proxy attack | Security Bug | Aug 11, 2014 | Dec 30, 2014 | Andrew Petro | Andrew Petro | Blocker | Resolved | Fixed
UP-4192 | CVE-2014-5059 Security Context chaining allows arbitrary username assertion | Security Bug | Jul 29, 2014 | Jan 20, 2015 | Andrew Petro | Drew Wills | Blocker | Resolved | Fixed
UP-4164 | acceptAnyProxy set to true in ootb CAS overlay | Bug | Jul 01, 2014 | Aug 11, 2014 | James Wennmacher | Andrew Petro | Blocker | Resolved | Fixed
UP-4229 | Update wiki documentation to warn of issue and to document creating secure security.properties configurations | Technical task | Sep 10, 2014 | Dec 30, 2014 | Drew Wills | Andrew Petro | Major | Resolved | Fixed
UP-4032 | SimpleContentPortlet (attachments) uses Hibernate test connection pool | Bug | Mar 21, 2014 | Jun 25, 2014 | James Wennmacher | Paul Gazda | Major | Resolved | Fixed
UP-4737 | CVE-2016-1000257 Open Redirection Security Issue | Security Bug | Oct 04, 2016 | Jan 10, 2017 | Drew Wills | Aaron Grant | Major | Resolved | Fixed
UP-4167 | Exclude maven sonatype and apache snapshots from source repos | Improvement | Jul 08, 2014 | Nov 05, 2014 | James Wennmacher | James Wennmacher | Minor | Resolved | Fixed
UP-4144 | Travis-CI continuous integration | New Feature | Jun 16, 2014 | Jul 06, 2014 | Andrew Petro | Andrew Petro | Minor | Resolved | Fixed

Bugs known to afflict uPortal 4.0.15

(Note that this is only as good as the affects-version metadata on JIRA issues).

Key | Summary | Type | Created | Updated | Assignee | Reporter | Priority | Status | Resolution
UP-4221 | Continuing ant build issues with downloaded artifacts having 301 Moved Permanently html content | Bug | Sep 04, 2014 | May 18, 2015 | James Wennmacher | James Wennmacher | Blocker | Resolved | Fixed
UP-4004 | Portlet Registry does not load with CSS/Javascript Aggregation turned on | Bug | Mar 05, 2014 | Oct 31, 2014 | Unassigned | Paul Gazda | Critical | Resolved | Cannot Reproduce
UP-3315 | Manage Users admin UI doesn't correctly escape dynamic content | Bug | Jan 25, 2012 | Feb 17, 2015 | Unassigned | Eric Dalquist | Critical | Resolved | Fixed
UP-4679 | Associating a single user with multiple fragment definitions (normally by accident) cripples the portal | Bug | May 11, 2016 | Oct 14, 2017 | Unassigned | James Wennmacher | Critical | Open | Unresolved
UP-4446 | NPE for RDBMServices attempting to release connection never obtained | Bug | Apr 27, 2015 | May 06, 2015 | Unassigned | James Wennmacher | Major | Resolved | Fixed
UP-4425 | Marketplace Search returns portlets user does not have access to | Bug | Mar 19, 2015 | Mar 19, 2015 | Unassigned | James Wennmacher | Major | Resolved | Fixed
UP-4410 | Directory portlet uncovers general bug of PersonDirectory queries for all possible attribute values | Bug | Feb 12, 2015 | Jun 17, 2015 | Unassigned | James Wennmacher | Major | Resolved | Fixed
UP-4411 | Directory portlet queries PersonDirectory for all search results not just those displayed | Bug | Feb 12, 2015 | Apr 13, 2015 | Unassigned | James Wennmacher | Major | Resolved | Fixed
UP-4264 | request.getETag() sometimes provides eTag value when If-None-Match not in request header | Bug | Oct 10, 2014 | Dec 30, 2014 | James Wennmacher | James Wennmacher | Major | Resolved | Won't Fix
UP-4210 | ant targets always causing mvn install on uportal-parent pom.xml | Bug | Aug 22, 2014 | May 18, 2015 | James Wennmacher | James Wennmacher | Major | Resolved | Fixed
UP-4189 | Default persondirs config issue -- CascadingPersonAttributeDao is 'blending' local account users with users in other data sources | Bug | Jul 25, 2014 | Feb 12, 2015 | Unassigned | Drew Wills | Major | Resolved | Won't Fix
UP-4178 | Google Analytics integration (portlet) throws stack trace for each PAGS group when the guest user accesses the portal | Bug | Jul 16, 2014 | Dec 30, 2014 | Drew Wills | Drew Wills | Major | Resolved | Fixed
UP-4143 | EventSession purge fails to page, OutOfMemory can result | Bug | Jun 16, 2014 | Dec 30, 2014 | Unassigned | Andrew Petro | Major | Resolved | Fixed
UP-3918 | Portlets in Header folder break if Tips is not on page | Bug | Jan 15, 2014 | Apr 20, 2015 | Unassigned | Paul Gazda | Major | Resolved | Cannot Reproduce
UP-3899 | renaming portlet fname creates constraint violation | Bug | Dec 23, 2013 | Jul 07, 2014 | Tim Levett | Ernst-Jan Verhoeven | Major | Resolved | Fixed
UP-3728 | Bundled CalendarPortlet has logging config file with the wrong name | Bug | Jun 10, 2013 | Dec 30, 2014 | Unassigned | Drew Wills | Major | Resolved | Fixed
UP-3553 | Transient portlets loaded by fname change the current tab | Bug | Aug 17, 2012 | Dec 30, 2014 | James Wennmacher | Anthony Colebourne | Major | Resolved | Fixed
UP-3516 | Profile-Based DLM evaluator does not import/export consistently | Bug | Jul 17, 2012 | Jul 07, 2014 | Unassigned | Eric Domazlicky | Major | Resolved | Duplicate
UP-3295 | Portlet title not escaped allowing for the injection of script or the breaking of the student GUI with partial tags | Bug | Jan 17, 2012 | Aug 11, 2014 | Unassigned | Alan Berg | Major | Resolved | Fixed
UP-3307 | Using the back button in a web browser causes side effects for showing users permissions | Bug | Jan 23, 2012 | Dec 30, 2014 | Unassigned | Alan Berg | Major | Resolved | Cannot Reproduce

Showing 20 out of 35 issues.