Released: 1X August 2014
Download the release
You can grab the binary releases, including a ready-to-start Quickstart release, from the GitHub release page.
TODO: make it actually true that you can grab the releases there!
See also
- the page for this release on the Apereo website (TODO: make that link actually work!)
uPortal 4.0.15 GA Announcement
Apereo is proud to announce uPortal 4.0.15, continuing in our regular patch releases of uPortal 4.0.
Human-readable release notes
uPortal 4.0.15 is a patch release of uPortal 4.0, cut to release a couple of important security fixes and to ship some minor fixes that had accumulated in the 4.0-patches maintenance branch. Prior to this release, uPortal CAS integration was bugged such that
1) CVE-2014-XXXX: a user logging in via CAS can log in as any user account in the typical uPortal CAS login configuration, and
2) CVE-2014-XXXX: the Java CAS client library shipping in uPortal was vulnerable to an illicit proxy attack.
This release addresses these vulnerabilities by
- Shipping a corrected default, example security.properties configuration, and
- Shipping fixed CAS-integration uPortal SecurityContext implementations that fail safe even when the incorrect security.properties configuration is applied, and
- Upgrading the Java CAS Client version to a release not vulnerable to the specific known illicit proxy attack in CVE-2014-XXXX.
You can make your implementation secure against these vulnerabilities by
- Fixing your security.properties AND/OR upgrading to the fixed versions of the uPortal security context Java classes, AND
- Upgrading to a fixed version of the Java CAS Client, such as that included in this release.
You are not vulnerable to these specific issues if you are not using CAS as the mechanism for authenticating users to your uPortal.
Updating from uPortal 4.0.0 through 4.0.5
If you are upgrading from very old versions of uPortal 4.0:
If you have data you care about in the UP_LOGIN_EVENT_AGGREGATE table, please back it up externally or rename the table before executing the following steps. db-update will drop this table.
After configuring your uPortal 4.0.14 source, run:
ant db-update
But you're not on such an old version of uPortal 4.0, are you?
Downloads: https://github.com/Jasig/uPortal/releases/tag/uportal-4.0.15 (TODO: make this work)
Release Notes: https://wiki.jasig.org/display/UPC/4.0.15
Maven Project Site: http://developer.jasig.org/projects/uportal/4.0.15/ (TODO: make this work).
These developers contributed commits to this release:
- TODO: ack developers
Full Release Notes Generated from JIRA:
Release Notes - uPortal - Version 4.0.15
TODO: capture from JIRA.
Security Bugs Fixed
- Something
Other Bugs fixed
- Something else
Improvements Realized
- Oodles
New Features Added
- Lots
Stories Told
- Around the campfire
Tasks Completed
- gotta do em
-Andrew Petro
Deployer Notes
- Requires Servlet API 2.5 to run. Tomcat 6.0 is the first version of Tomcat to support Servlet 2.5. You probably actually want a recent Tomcat 7.
- Requires JDK 1.6.0_26 or newer. Oracle JDK 6 is ridiculously old, so you probably want JDK 7 instead, which will work. JDK 8 will almost certainly also work, but wasn't the target version for this patch series.
- Data export and import is required when upgrading from a version earlier than 4.0.0. Login event aggregation data migration is required when upgrading from versions 4.0.0 through 4.0.5; see above.
Issues addressed in uPortal 4.0.15 (TODO: update macro)
Bugs known to afflict uPortal 4.0.15 (TODO: update macro)
(Note that this is only as good as the affects-version metadata on JIRA issues).