Comment: updated vulnerability information.

Released: 1X August 2014

...

uPortal 4.0.15 GA Announcement

Apereo is proud to announce uPortal 4.0.15, continuing in our regular patch releases of uPortal 4.0.

Human-readable release notes

uPortal 4.0.15 is a patch release of uPortal 4.0 cut to release a couple of important security fixes and to ship some minor fixes that had accumulated in the 4.0-patches maintenance branch. Prior to this release, the uPortal CAS integration had two defects:

1) CVE-2014-5059: a user logging in via CAS could log in as any user account under the typical uPortal CAS login configuration, and

2) CVE-2014-4172: the Java CAS client library shipping in uPortal was vulnerable to an illicit proxy attack.

...

  • Shipping a corrected default example security.properties configuration, and
  • Shipping fixed CAS-integration uPortal SecurityContext implementations that fail safe even when the incorrect security.properties configuration is applied, and
  • Fronting the vulnerable Java CAS Client with a new Filter that blocks CVE-2014-4172.
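The "fail safe" property of the shipped SecurityContext fix is the important part of the CVE-2014-5059 remedy: the identity that ends up in the session must come from the CAS server's validated assertion, never from a username the login request happens to carry. The following Java sketch is an added illustration of that rule and is not uPortal's own CasAssertionSecurityContext; the class names CasAssertion, AuthenticationResult and FailSafeCasSecurityContext, and the username character set, are assumptions made for the example.

```java
// Added illustration of a fail-safe CAS security context. This is NOT uPortal's
// CasAssertionSecurityContext; every class and method name here is an assumption.
import java.util.regex.Pattern;

/** Stand-in for a validated CAS assertion: the principal the CAS server vouched for. */
final class CasAssertion {
    private final String principalName;

    CasAssertion(String principalName) {
        this.principalName = principalName;
    }

    String getPrincipalName() {
        return principalName;
    }
}

/** Result of an authentication attempt; carries a username only when authenticated. */
final class AuthenticationResult {
    static final AuthenticationResult FAILED = new AuthenticationResult(false, null);

    final boolean authenticated;
    final String username;

    private AuthenticationResult(boolean authenticated, String username) {
        this.authenticated = authenticated;
        this.username = username;
    }

    static AuthenticationResult success(String username) {
        return new AuthenticationResult(true, username);
    }
}

/**
 * Fail-safe rule: the authenticated identity comes only from the validated
 * assertion. A username supplied by the login form, or handed down by a
 * misconfigured security.properties chain, is never trusted on its own.
 */
final class FailSafeCasSecurityContext {
    // Assumed allow-list for principal names; tighten to match the local directory.
    private static final Pattern SAFE_USERNAME = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    AuthenticationResult authenticate(String requestedUsername, CasAssertion assertion) {
        // No validated ticket at all: fail closed, whatever username was requested.
        if (assertion == null) {
            return AuthenticationResult.FAILED;
        }
        String principal = assertion.getPrincipalName();
        if (principal == null || !SAFE_USERNAME.matcher(principal).matches()) {
            return AuthenticationResult.FAILED;
        }
        // A caller-supplied username that disagrees with the assertion signals a
        // misconfiguration or an impersonation attempt; refuse rather than pick one.
        if (requestedUsername != null && !requestedUsername.equals(principal)) {
            return AuthenticationResult.FAILED;
        }
        return AuthenticationResult.success(principal);
    }

    public static void main(String[] args) {
        FailSafeCasSecurityContext ctx = new FailSafeCasSecurityContext();
        // Constructed sample input: the CAS server asserted the principal "alice".
        CasAssertion assertion = new CasAssertion("alice");
        System.out.println("no requested name : " + ctx.authenticate(null, assertion).username);
        System.out.println("matching name     : " + ctx.authenticate("alice", assertion).username);
        System.out.println("mismatching name  : " + ctx.authenticate("admin", assertion).authenticated);
        System.out.println("no assertion      : " + ctx.authenticate("admin", null).authenticated);
    }
}
```

The design choice worth noting is the third check: rather than silently preferring the asserted principal when the request names someone else, the context refuses the login, so a broken security.properties surfaces as failed logins in the logs instead of as a quietly working but mis-attributed session.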

You can make your implementation secure against these vulnerabilities without otherwise upgrading by

  • Fixing your security.properties AND/OR upgrading to the fixed version of the CasAssertionSecurityContext Java class, AND
  • Fronting your local usage of the Java CAS Client as desc

You can make your implementation secure against these vulnerabilities by upgrading so long as in the course of that upgrade

  • You fix your security.properties OR pick up the new version of the CasAssertionSecurityContext Java class, AND
  • You update your web.xml to front your local usage of the Java CAS client as shown in the web.xml provided with the release.
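"Fronting" the Java CAS Client means placing a servlet Filter ahead of it in the web.xml chain so that a malformed ticket value is rejected before the client ever uses it to build a validation request. The Filter below is an added example of that pattern and is not the Filter shipped in uPortal 4.0.15; its name CasTicketShapeFilter, the accepted ticket pattern, and the /Login url-pattern in the commented web.xml fragment are all assumptions. It assumes, as the CVE-2014-4172 description does, that the attack relies on smuggling extra request parameters inside the ticket value, which a strict character allow-list on the ticket defeats.

```java
// Added illustration of a filter that fronts the Java CAS Client. This is NOT the
// Filter shipped with uPortal 4.0.15; the class name and patterns are assumptions.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class CasTicketShapeFilter implements Filter {
    // Service (ST-) and proxy (PT-) tickets are opaque tokens made of letters, digits,
    // dots, dashes and underscores. Anything else (an '&', '=', '%', a space) has no
    // business in a ticket and is refused before the CAS client sees it.
    private static final Pattern TICKET_SHAPE = Pattern.compile("(ST|PT)-[A-Za-z0-9._-]{1,256}");

    /** A request with no ticket parameter is not a validation request; let it pass. */
    static boolean allTicketsWellFormed(String[] tickets) {
        if (tickets == null) {
            return true;
        }
        // Check every value: a second "ticket" parameter must not slip past a check of the first.
        for (String ticket : tickets) {
            if (ticket == null || !TICKET_SHAPE.matcher(ticket).matches()) {
                return false;
            }
        }
        return true;
    }

    @Override
    public void init(FilterConfig config) {
        // Nothing to configure.
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!allTicketsWellFormed(request.getParameterValues("ticket"))) {
            // Reject here so the downstream CAS client never builds a validation URL from this value.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Malformed CAS ticket");
            return;
        }
        chain.doFilter(request, response);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real tickets.
        System.out.println("plain ticket accepted : "
                + allTicketsWellFormed(new String[] {"ST-12-abcDEF-cas01.example.org"}));
        System.out.println("proxy ticket accepted : "
                + allTicketsWellFormed(new String[] {"PT-7-xyz_01-cas01.example.org"}));
        System.out.println("no ticket accepted    : " + allTicketsWellFormed(null));
        System.out.println("extra parameter refused: "
                + allTicketsWellFormed(new String[] {"ST-12-abc&other=value"}));
        System.out.println("second value refused   : "
                + allTicketsWellFormed(new String[] {"ST-12-abc", "ST-12-abc=x"}));
    }
}
```

Assumed web.xml wiring (the shipped web.xml may map things differently): declare the filter and map it to the login path, and list its filter-mapping before the CAS client's own filter-mapping, because servlet containers apply filters in the order their mappings appear in web.xml.

```xml
<filter>
  <filter-name>CasTicketShapeFilter</filter-name>
  <filter-class>CasTicketShapeFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CasTicketShapeFilter</filter-name>
  <url-pattern>/Login</url-pattern>
</filter-mapping>
```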


You are not vulnerable to these specific issues if you are not using CAS as the mechanism for authenticating users to your uPortal.

...