Released: 25 April 2016
Summary
Version 4.3.1 is a maintenance release of uPortal 4.3. It has been six months since the release of 4.3.0, and there are a large number of updates. In total, 32 JIRA tickets are resolved in this release. The vast majority of these are bug fixes, tasks, and modest improvements to existing features. There are, however, two security-related fixes that are worth knowing about.
UP-4737 - Open Redirection Security Issue
An open redirect occurs when a web application redirects the user to a URL in another domain that is taken from user-controlled input. A security scan of uPortal revealed that a vulnerability in the Login servlet could be used to redirect users to other, non-uPortal websites. This vulnerability is patched in uPortal 4.3.1.
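As an added example (not uPortal's patch or code), this is one way a login handler can restrict a user-supplied redirect target to local paths before redirecting. The class and method names, the fallback path and the sample inputs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration, not uPortal code. Class and method names are hypothetical.
public final class SafeRedirect {

    /** Returns target if it is a path-only reference on this host, otherwise fallback. */
    public static String localTargetOrDefault(String target, String fallback) {
        if (target == null || target.isEmpty()) {
            return fallback;
        }
        // Must start with a single "/". "//host" is scheme-relative, and browsers
        // normalise "/\host" to the same thing, so both leave the site.
        if (target.charAt(0) != '/' || target.startsWith("//") || target.startsWith("/\\")) {
            return fallback;
        }
        // Backslashes and control characters (CR, LF, tab) never belong in a redirect target.
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c == '\\' || c < 0x20 || c == 0x7f) {
                return fallback;
            }
        }
        try {
            URI uri = new URI(target);
            // A local reference has neither a scheme nor an authority (host) component.
            if (uri.isAbsolute() || uri.getRawAuthority() != null) {
                return fallback;
            }
        } catch (URISyntaxException e) {
            return fallback; // unparseable input is treated as untrusted
        }
        return target;
    }

    public static void main(String[] args) {
        String[] samples = { // constructed inputs; only the first is accepted
            "/portal/home?tab=1",
            "https://example.org/",
            "//example.org/",
            "/\\example.org/",
            "/portal/home\r\nX-Injected: 1"
        };
        for (String s : samples) {
            System.out.printf("%s%n", localTargetOrDefault(s, "/"));
        }
    }
}
```

The validated value, not the raw request parameter, is what gets passed to the redirect call.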
UP-4743 - Add HTTPONLY to PORTLET_COOKIE
The same security scan also revealed that the HttpOnly flag was not set for Portlet Cookies, which are a feature of the JSR-286 spec. Cookies that do not set HttpOnly may be accessed by client-side scripts.
Highlights
- 2 Security items (see above)
- 14 Bugs
- 8 Improvements
- 3 Tasks
Upgrade Notes:
None yet.
Download the release
You can grab the binary releases, including a ready-to-start Quickstart release, from the GitHub release page.
Security bugs known to affect uPortal 4.3.1
This macro will automatically display publicly visible security bugs tagged as affecting this release in the issue tracker.
See also: Release announcement as posted on the uportal-user@ email list.
Human readable release notes
See the GitHub release page for human-readable release notes.
Downloads: https://github.com/Jasig/uPortal/releases/
Maven Project Site: http://developer.jasig.org/projects/
Issues addressed in uPortal 4.3.1
Bugs known to afflict uPortal 4.3.1
(Note that this is only as good as the affects-version metadata on JIRA issues).