Comment: Succinct description of fixes in release.

Intended 20 May 2014

uPortal 4.0.13.1 Announcement

Apereo has released uPortal 4.0.13.1, which is uPortal 4.0.13 with security fixes to properly enforce MANAGE and CONFIG permissions.

 

Features and Changes of Note

...

Prior to this release, portlet administration permissions were enforced incorrectly, such that

  1. CVE-2014-3146: anyone who can SUBSCRIBE to the portlet-admin portlet can MANAGE any portlet, regardless of the intended delegated administration MANAGE and MANAGE-* permission restrictions, and
  2. CVE-2014-3147: anyone who can SUBSCRIBE to a given portlet can enter CONFIG mode of that portlet, to the extent that the portlet has a CONFIG mode.



Updating from 4.0.0-4.0.5

Info

If you have data you care about in the UP_LOGIN_EVENT_AGGREGATE table, back it up externally or rename the table before executing the following steps: db-update will drop this table.

After configuring your uPortal 4.0.13.1 source, run:

  • ant db-update

Downloads: TODO: have a download link
Release Notes: https://wiki.jasig.org/display/UPC/4.0.13.1
Maven Project Site: http://developer.jasig.org/projects/uportal/4.0.13.1/

...