uPortal community,

This is a public disclosure of a security vulnerability, near the tail end of applying the uPortal Security Incident Response Plan to this issue.

All Webproxy Portlet 2 versions through 2.2.1 are affected. 2.2.2 includes a fix. Recent uPortal versions ship with bugged Webproxy Portlet versions.

See apereo.github.io post for details.

Kind regards,
Andrew
The uportal-dev@ list discusses the technical substance of the vulnerability and its fix, identifying opportunities to refactor the fix in subsequent releases now that it has more eyes on it and opportunities to improve the product and development practices to prevent or mitigate these issues in the future.
On Dec 20, 2016, at 10:00 AM, Andrew Petro <andrew...@wisc.edu> wrote:
- Is caching worth re-adding more carefully to the Web Proxy Portlet v2?
- How might we improve practices to reduce bad-caching security bugs in the future?