Close an open redirect vulnerability in the Login servlet issue in 4.1.2

Malini Ramaprasad

Jun 15, 2020, 6:18:39 PM
to uPortal Developers
Hi

Looks like the issue https://apereo.atlassian.net/browse/UP-4737 has not been fixed in portal 4.1.2.  What should be done to fix this in 4.1.2? Any help is appreciated.

Thanks
Malini

Julien Gribonvald

Jun 16, 2020, 2:47:12 AM
to uport...@apereo.org

Hi,

The fix was applied and a new release was done, so upgrade to at least version 4.1.3 or apply the patch to your version!

I would suggest that you look at moving to uP 5.x with uPortal-start, where upgrading to a new version is really, really easy!

Thanks,

Julien


Malini Ramaprasad

Jun 16, 2020, 7:03:23 PM
to uPortal Developers
Thanks Julien for getting back. How do I apply the patch to my current version? Could not find the details of what exactly was changed to fix this issue.

Thanks
Malini


Malini Ramaprasad

Jun 16, 2020, 7:27:07 PM
to uPortal Developers
I think I found the link. Will give it a try.

Thank you!

Julien Gribonvald

Jun 17, 2020, 3:55:32 AM
to uport...@apereo.org

Malini, you have several ways with git to merge the changes or rebase the source. You can also apply a patch file if you don't use git.

To see all changes between v4.1.2 and 4.1.3, you have this link: https://github.com/Jasig/uPortal/compare/uportal-4.1.2...uportal-4.1.3

I would suggest that you apply all changes from 4.1.2 to 4.1.3, as there are several fixes, including dependency security fixes (like upgrading commons collection to version 3.2.2).

The change that you are looking for is here: https://github.com/Jasig/uPortal/commit/b4d15875391f94564dbcd15c58857fdd464d0d7c

To apply such a commit with git you can do a `git cherry-pick b4d15875391f94564dbcd15c58857fdd464d0d7c`.

But know that all 4.x uPortal versions aren't maintained anymore, so moving to 5.x would be recommended, and it shouldn't be a big effort, all the more so with uPortal-start, but it depends on your customizations (we can provide some guidance to help).

Thanks,

Julien
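
The cherry-pick step from the reply above, wrapped with the checks a backport of a security fix usually wants, as an added example that is not part of the original thread or the uPortal project. The tag and commit hash are the ones quoted in the thread; the function name `backport_fix`, the branch name and the exit codes are assumptions, and it expects a local clone of the repository with upstream tags already fetched.

```shell
#!/bin/sh
# Added example (not from the thread or the uPortal project).
# Tag and commit hash are the ones quoted in the thread; the function name,
# branch name and exit codes are hypothetical.
BASE_TAG=uportal-4.1.2
FIX_COMMIT=b4d15875391f94564dbcd15c58857fdd464d0d7c

# backport_fix REPO [BASE_TAG] [COMMIT] [BRANCH]
# Creates BRANCH at BASE_TAG, cherry-picks COMMIT onto it and prints the
# files the pick changed. Nothing is modified if a precondition fails.
backport_fix() {
    repo=$1
    base=${2:-$BASE_TAG}
    commit=${3:-$FIX_COMMIT}
    branch=${4:-backport/UP-4737}

    # The release tag and the fix commit must both exist in the local clone.
    git -C "$repo" rev-parse -q --verify "refs/tags/$base^{commit}" >/dev/null ||
        { echo "tag $base not found; fetch tags first" >&2; return 2; }
    git -C "$repo" cat-file -e "$commit^{commit}" 2>/dev/null ||
        { echo "commit $commit not found; fetch upstream first" >&2; return 2; }

    # Do not mix the security fix with uncommitted local customizations.
    if [ -n "$(git -C "$repo" status --porcelain --untracked-files=no)" ]; then
        echo "working tree has uncommitted changes" >&2
        return 3
    fi

    git -C "$repo" checkout -q -b "$branch" "$base" || return 4

    # -x appends "(cherry picked from commit ...)" to the message so the
    # backport can be traced to the upstream fix in a later audit.
    if ! git -C "$repo" cherry-pick -x "$commit" >/dev/null 2>&1; then
        # Conflict: local sources differ from what the fix expects. Undo the
        # half-applied pick rather than leave a partially patched tree.
        git -C "$repo" cherry-pick --abort >/dev/null 2>&1
        echo "cherry-pick conflicted; resolve by hand on $branch" >&2
        return 5
    fi

    # List what the fix touched, for review before rebuilding the portal.
    git -C "$repo" diff --name-only "$base" HEAD
}
```

Called with only the path to the clone, the function uses the tag and commit from the thread; exit code 5 means the pick did not apply cleanly and was rolled back.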
