4.0.15

Released: 21 August 2014

uPortal 4.0.15 GA Announcement

Apereo is proud to announce uPortal 4.0.15, continuing in our regular patch releases of uPortal 4.0.

About the vulnerabilities fixed in this release

uPortal 4.0.15 is a patch release of uPortal 4.0 cut to release a couple important security fixes and to ship some minor fixes that had accumulated in the 4.0-patches maintenance branch.  Prior to this release, uPortal CAS integration was bugged such that

1) CVE-2014-5059 a user logging in via CAS can log in as any user account in the typical uPortal CAS login configuration, and

2) CVE-2014-4172 the Java CAS client library shipping in uPortal was vulnerable to an illicit proxy attack.

This release addresses these vulnerabilities by

• Shipping a corrected default, example security.properties configuration, and
• Shipping fix CAS-integration uPortal SecurityContext implementations that fail safe even when the incorrect security.properties configuration is applied, and
• Fronting the vulnerable Java CAS Client with a new Filter that blocks CVE-2014-4172.

You can make your implementation secure against these vulnerabilities without otherwise upgrading by

• Fixing your security.properties AND/OR upgrading to the fixed version of the CasAssertionSecurityContext Java class, AND
• Fronting your local usage of the Java CAS Client as desc

You can make your implementation secure against these vulnerabilities by upgrading so long as in the course of that upgrade

• You fix your security.properties OR pick up the new version of the CasAssertionSecurityContext Java class, AND
• You update your web.xml to front your local usage of the Java CAS client as shown in the web.xml provided with the release.

You are not vulnerable to these specific issues if you are not using CAS as the mechanism for authenticating users to your uPortal.

About the other goodness in this release

uPortal 4.0.15 rolls back an introduction of an acceptAnyProxy configuration that had been introduced in the 4.0 line for 4.0.14. acceptAnyProxy tells the Java CAS Client to accept proxy tickets regardless of what application is proxying them. While this is convenient for demoing, it would be unfortunate for that configuration to inadvertently slip into production in any uPortal environments, and this change makes the out of the box configuration a little further from that.

The Attachments component of e.g. the SimpleContentPortlet had been inadvertently using a Hibernate-internal not-for-production-use connection pool. This release fixes that configuration.

This release turns on Travis-CI continuous integration testing for the uPortal 4.0-patches branch. This provides an additional safety net and feedback mechanism for uPortal product development on this maintenance branch and also provides you the adopter with a better starting point for using Travis-CI for continuous integration testing of your local uPortal implementation.

This release no longer looks for dependencies in remote Maven snapshot repositories it probably shouldn't have been using.

-Andrew Petro

Deployer Notes

• Requires Servlet API 2.5 to run. Tomcat 6.0 is the first version of Tomcat to support Servlet 2.5.  You probably actually want a recent Tomcat 7.
• Requires JDK 1.6.0_26 or newer.  Oracle JDK 6 is ridiculously old, so you probably want JDK 7 instead, which will work.  JDK 8 will almost certainly also work, but wasn't the target version for this patch series.
• Data export and import is required when upgrading from a version earlier than 4.0.0.  Login event aggregation data migration is required when upgrading from a version 4.0.0 to 4.0.5, see above.

Issues addressed in uPortal 4.0.15

Bugs known to afflict uPortal 4.0.15 

(Note that this is only as good as the affects-version metadata on JIRA issues).