Project Title: Student Success Plan (SSP)
The SSP is a software application and process for student success, designed to increase the persistence, success, and graduation rates of targeted students. Through holistic counseling, web-based support systems, and intervention techniques, students are identified, supported and monitored. Data is collected and analyzed to make decisions about future efforts to promote student success.
SSP was introduced as a Jasig project in 2012 through a cooperative development effort led by Sinclair Community College. The SSP software was converted to a java platform and deployed inside a uPortal instance called SSP-Platform. The combination of tools allows existing uPortal instances to simply add SSP as a portlet. A deployment of SSP-Platform allows institutions that do not use uPortal to quickly implement SSP and integrate to an existing user management system.
Beginning with all development of SSP after the 2.7.0 release (2.7.1 snapshot and 2.8.0), the SSP-Platform repository was moved from the uPortal repository to a separate repository in the Jasig organization. The new url for SSP-Platform source code is https://github.com/Jasig/SSP-Platform.git. All implementers retrieving source code for SSP-Platform must update the remote url for the repository. Git help provides documentation to update the url.
CAS-integrated deployments (the SSP team is not aware of any such deployments) of any version are strongly encouraged to consider integrating the security patches referenced by https://issues.jasig.org/browse/SSP-2721 and https://issues.jasig.org/browse/SSP-2724). At this writing those patches are included in the 2.4.2 GA release and will be included in the upcoming 2.5.2 and 2.6.0 releases. Patches for all 2.4.x+ code lines are available in GitHub; check the JIRA tickets for pointers. Any of those patch sets should be readily back-portable to previous SSP versions. The most comprehensive documentation of the configuration impact of the patches is currently in the 2.4.2 Release Notes. Please contact the ssp-user mailing list with any questions.
If you are running SSP version 2.0.0 or 2.0.0-b3, you are strongly encouraged to upgrade to 2.0.1, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0 or any subsequent version or otherwise apply the Confidentiality Level-related patches for the Student Documents tool as described by SSP-1917.
If you are running any SSP version prior to 2.0.0-b2, you are strongly encouraged to double-check your deployment to ensure that the CAS
acceptAnyProxy configuration directive has been removed from
<tomcat>/webapps/ssp-platform/WEB-INF/web.xml. See here for the original uPortal security vulnerability announcement and here for the corresponding SSP announcement. SSP deployments are very unlikely to actually exhibit the described vulnerability because they do not typically leverage CAS. But removing the problematic configuration is still recommended to guard against future vulnerability.
If you are running SSP 1.2.0 or SSP 2.0.0-b1 (the SSP team is not aware of any such public installs), you are strongly encouraged to upgrade to 1.2.1 or otherwise apply the Confidentiality Level subsystem security patches as described by SSP-1239.
If you are running a SSP version prior to 1.1.1, you are strongly encouraged to upgrade or otherwise apply the reporting subsystem security patches described by SSP-701