Versions Compared

Old Version 9

changes.mady.by.user Andrew Petro

Saved on

compared with

New Version Current

changes.mady.by.user Jim Helwig

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Repair Jira Macros

23 May 2014

uPortal 4.0.13.1 Announcement

Apereo has released uPortal 4.0.13.1, which is uPortal 4.0.13 with security fixes to properly enforce MANAGE and CONFIG permissions.

Prior to this release, portlet administration permissions are bugged such that

  1. CVE-2014-31463416 anyone who can SUBSCRIBE the portlet-admin portlet can MANAGE any portlet, regardless of intended delegated administration MANAGE and MANAGE-* permission restrictions , and
  2. CVE-2014-31473417 anyone who can SUBSCRIBE a given portlet can enter CONFIG mode of that portlet to the extent that the portlet has a CONFIG mode.

...

Security Bug

  • [UP-4105] - CVE-2014-3146 3416 MANAGE[-*] permissions not enforced
  • [UP-4106] - CVE-2014-3147 3417 Any user can Configure any portlet they can SUBSCRIBE

...

Issues addressed in uPortal 4.0.13.1

Jira Legacy
serverJASIG Issue TrackerSystem JIRA
columnskey,summary,type,priority,status,resolution
maximumIssues20
jqlQueryproject = UP AND fixVersion = 4.0.13.1 AND status in (resolved, closed) ORDER BY priority
serverId76221f40d8d429a7-4501dc92-3df13696-857885f0-6c87908cbdf71de5d4e9bcf6

Bugs known to afflict uPortal 4.0.13.1

(Note that this listing is only as good as JIRA issue metadata about affects-version.)

Jira Legacy
serverJASIG Issue TrackerSystem JIRA
columnskey,summary,type,priority,status,resolution
maximumIssues20
jqlQueryproject = UP AND issuetype = Bug AND affectedVersion = 4.0.13.1 ORDER BY priority DESC
serverId76221f40d8d429a7-4501dc92-3df13696-857885f0-6c87908cbdf71de5d4e9bcf6