Warning

For all existing installations the published Release Notes should be reviewed.

  • To upgrade from 2.0.X follow the upgrade instructions for the 2.1, 2.2, 2.3, 2.4.0 and 2.4.1 Release Notes before deploying the 2.4.2 code
  • To upgrade from 2.1.X follow the upgrade instructions for the 2.2, 2.3, 2.4.0 and 2.4.1 Release Notes before deploying the 2.4.2 code
  • To upgrade from 2.2.X follow the upgrade instructions for the 2.3, 2.4.0 and 2.4.1 Release Notes before deploying the 2.4.2 code

It is critical to complete the steps described in the 2.4.0 release notes for any deployment not upgrading directly from 2.4.1 to 2.4.2.

The SSP development team is not aware of any SSP deployments integrated with CAS, but this release includes two security-related patch sets specifically targeted at CAS integrations:

  • SSP-2721 - Scrubs certain CAS-specific request parameters. The changes and their effects are detailed in the uPortal project. No work should be required to enable the patch, but you may want to review that document to better understand the CAS-related configuration changes included in this release.
  • SSP-2724 - Works around what amounts to a CAS-specific session hijacking vulnerability. The changes and their effects are detailed in the uPortal project, and the <platform-src>/uportal-war/src/main/resources/properties/security.properties file includes greatly expanded comments describing recommended configuration changes. You will likely want to review the email thread and the changes to that file whether or not you use CAS. The new defaults may interfere with your existing authentication provider integrations, especially AD/LDAP. SSP-specific details are below.

Review security.properties Changes

...