
Released: 1X August 2014

Download the release

You can grab the binary releases, including a ready-to-start Quickstart release, from the GitHub release page.

TODO: make it actually true that you can there grab the releases!

See also


uPortal 4.0.15 GA Announcement

Apereo is proud to announce uPortal 4.0.15, continuing in our regular patch releases of uPortal 4.0.

Human-readable release notes

uPortal 4.0.15 is a patch release of uPortal 4.0, cut to release a couple of important security fixes and to ship some minor fixes that had accumulated in the 4.0-patches maintenance branch. Prior to this release, uPortal CAS integration was bugged such that

1) CVE-2014-5059: a user logging in via CAS could log in as any user account in the typical uPortal CAS login configuration, and

2) CVE-2014-4172: the Java CAS client library shipping in uPortal was vulnerable to an illicit proxy attack.

This release addresses these vulnerabilities by

  • Shipping a corrected default, example security.properties configuration, and
  • Shipping fixed CAS-integration uPortal SecurityContext implementations that fail safe even when the incorrect security.properties configuration is applied, and
  • Fronting the vulnerable Java CAS Client with a new Filter that blocks CVE-2014-4172.

You can make your implementation secure against these vulnerabilities without otherwise upgrading by

  • Fixing your security.properties AND/OR upgrading to the fixed version of the CasAssertionSecurityContext Java class, AND
  • Fronting your local usage of the Java CAS Client as desc

You can make your implementation secure against these vulnerabilities by upgrading, so long as, in the course of that upgrade,

  • You fix your security.properties OR pick up the new version of the CasAssertionSecurityContext Java class, AND
  • You update your web.xml to front your local usage of the Java CAS client as shown in the web.xml provided with the release.

 

You are not vulnerable to these specific issues if you are not using CAS as the mechanism for authenticating users to your uPortal.

 

 

Updating from uPortal 4.0.0 through 4.0.5

If you are upgrading from very old versions of uPortal 4.0:

If you have data you care about in the UP_LOGIN_EVENT_AGGREGATE table please back it up externally or rename the table before executing the following steps. db-update will drop this table.

After configuring your uPortal 4.0.14 source run:

  • ant db-update

But you're not on such an old version of uPortal 4.0, are you?

 

 

 

Downloads:  https://github.com/Jasig/uPortal/releases/tag/uportal-4.0.15 (TODO: make this work)

Release Notes: https://wiki.jasig.org/display/UPC/4.0.15 
Maven Project Site: http://developer.jasig.org/projects/uportal/4.0.15/ (TODO: make this work).

 

These developers contributed commits to this release:

  • TODO: ack developers

 

 

Full Release Notes Generated from JIRA:

Release Notes - uPortal - Version 4.0.15

TODO: capture from JIRA.

Security Bugs Fixed

  • Something

Other Bugs fixed

  • Something else

Improvements Realized

  • Oodles

New Features Added

  • Lots

Stories Told

  • Around the campfire

Tasks Completed

  • gotta do em

-Andrew Petro

 

Deployer Notes

  • Requires Servlet API 2.5 to run. Tomcat 6.0 is the first version of Tomcat to support Servlet 2.5.  You probably actually want a recent Tomcat 7.
  • Requires JDK 1.6.0_26 or newer.  Oracle JDK 6 is ridiculously old, so you probably want JDK 7 instead, which will work.  JDK 8 will almost certainly also work, but wasn't the target version for this patch series.
  • Data export and import is required when upgrading from a version earlier than 4.0.0.  Login event aggregation data migration is required when upgrading from a version 4.0.0 to 4.0.5, see above.

Issues addressed in uPortal 4.0.15 (TODO: update macro)


Bugs known to afflict uPortal 4.0.15 (TODO: update macro)

(Note that this is only as good as the affects-version metadata on JIRA issues).
