23 May 2014
uPortal 4.0.13.1 Announcement
Apereo has released uPortal 4.0.13.1, which is uPortal 4.0.13 with security fixes to properly enforce MANAGE and CONFIG permissions.
Prior to this release, bugs in the enforcement of portlet administration permissions mean that:
- CVE-2014-3146: anyone who can SUBSCRIBE the portlet-admin portlet can MANAGE any portlet, regardless of intended delegated administration MANAGE and MANAGE-* permission restrictions, and
- CVE-2014-3147: anyone who can SUBSCRIBE a given portlet can enter CONFIG mode of that portlet to the extent that the portlet has a CONFIG mode.
Updating from 4.0.0-4.0.5
If you have data you care about in the UP_LOGIN_EVENT_AGGREGATE table, please back it up externally or rename the table before executing the following steps, because db-update will drop this table.
After configuring your uPortal 4.0.13.1 source, run:
ant db-update
Where to get it
Downloads: http://downloads.jasig.org/uportal/uportal-4.0.13.1/
Release Notes: https://wiki.jasig.org/display/UPC/4.0.13.1
Maven Project Site: http://developer.jasig.org/projects/uportal/4.0.13.1/ (TODO: Make this work)
In Maven Central: http://search.maven.org/#browse%7C84002748
Full Release Notes
JIRA-generated Release Notes - uPortal - Version 4.0.13.1
Sub-task
- [UP-3330] - Restore the 'Popular Apps' portlet in uPortal4
Bug
- [UP-3562] - Portlet Manager -- Using a comma within a portlet preference value has the effect of splitting that value in two
- [UP-3581] - The new example LDAP config in ldapContext.xml doesn't seem to play well with SimpleLdapSecurityContext
- [UP-3707] - Bundle Announcement Portlet in uPortal 4.1
- [UP-3716] - Test failures with Java 7
- [UP-3760] - Adding portlet on locked tab/column
- [UP-3767] - Mobile search URL incorrect
- [UP-3769] - Layout import fails
- [UP-3775] - CLONED from SSP - Permissions Editing Not Visible in IE
- [UP-3788] - uportal-maven-plugin does not properly copy MANIFEST.MF files within war files handled by deploy-ear
- [UP-3799] - Upgrade weather portlet to 1.1.0
- [UP-3815] - Manage Portlets displays 'setParameters.deleteButton' in Edit Parameters
- [UP-3823] - Enhance UP-3701 and/or change logging initialization of Listener classes
Improvement
- [UP-3741] - Simplify PortletExecutionEvent creation
- [UP-3743] - Provide additional information for unhandled exceptions at the Web Intercepter
- [UP-3757] - Use JDK7 chmod in maven build
- [UP-3779] - Enhance json.xsl (JSON rendering theme) to include info about portlets that are not within tabs and columns
- [UP-3841] - Make background preferences use thumbnails instead of actual wallpaper images
- [UP-3842] - Change CSS so that background image from background preferences displays without scrolling
New Feature
- [UP-3749] - Provide a portlet that allows users to select a background image for the page
- [UP-3762] - Add ability for users to select a background image to apply to desktop and mobile pages
- [UP-3774] - Bundle announcement portlet
- [UP-3785] - Implement Background Changer portlet on mobile web
Story
- [UP-3721] - Create TinCan API Data Model
- [UP-3730] - Create mapping of uPortal events to TinCan API Verbs
- [UP-3734] - Create unit tests to verify TinCan API objects transform into the correct JSON structures
- [UP-3784] - Google Analytics issue if you have more than one host
- [UP-3843] - Issue with search aggregation if someone searches for a space
- Andrew Petro (with a lot of help from Tim Levett)
Issues addressed in uPortal 4.0.13.1
Bugs known to afflict uPortal 4.0.13.1
(Note that this listing is only as good as JIRA issue metadata about affects-version.)