Released: 25 April 2016
...
Version 4.3.1 is a maintenance release of uPortal 4.3. It has been six months since the release of 4.3.0, and there are a large number of updates. In total, 32 JIRA tickets are resolved in this release. The vast majority of these are bug fixes, tasks, and modest improvements to existing features. There are, however, two security-related fixes that are worth knowing about.
...
Open redirect occurs when a web page is being redirected to another URL in another domain via a user-controlled input. A security scan of uPortal revealed that a vulnerability in the Login servlet could be used to redirect users to other, non-uPortal websites. This vulnerability is patched in uPortal 4.3.1.
UP-4743 - Add HTTPONLY to PORTLET_COOKIE
The same security scan also revealed that the HttpOnly flag was not set for Portlet Cookies, which are a feature of the JSR-286 spec. Cookies that do not set HttpOnly may be accessed by client-side scripts.
Highlights
...
- 14 Bugs
- 8 Improvements
- 3 Tasks
...
| Warning | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||
This macro will automatically display publicly visible security bugs tagged as affecting this release in the issue tracker.
|
See also : Release announcement as posted on uportal-user@ email list.
| Tip | ||
|---|---|---|
| ||
See the GitHub release page for human-readable release notes. |
...