uPortal 5.17.9 + SimpleContentPortlet 3.4.4 — security & maintenance patches
3 views
Skip to first unread message
Benito Gonzalez
Jun 24, 2026, 12:18:16 PM (6 days ago) Jun 24
to Developers, uPortal, uPortal Community, uPortal Steering Committee, announcemen...@apereo.org, Bill Smith
Hey folks,
Couple of patch releases just landed on Maven Central: uPortal
5.17.9 and SimpleContentPortlet 3.4.4. Drop-in for most of you --
here's what's in them and the one upgrade note worth a look.
The theme is dependency hygiene:
- Dropped log4j-core from uPortal. uPortal logs through
slf4j/logback anyway, so log4j-core was just sitting in the WAR
as attack surface (and scanner noise). It's gone -- log4j2 API
calls now route to slf4j via the log4j-to-slf4j bridge. If your
scans have been flagging log4j-core in the uPortal WAR, that
should quiet down.
- Moved S3 storage off AWS SDK v1. AWS put SDK v1 out of security
support (some of you got the emails). SimpleContentPortlet's S3
attachment storage and uPortal's dynamic-skin S3 storage both
moved to SDK v2.
Plus two uPortal fixes:
- JGroups JDBC_PING no longer piles up zombie rows. A node killed
hard (kill -9, OOM) used to leave a stale row behind, and the
discovery table just grew over time. The coordinator now clears
it on each view change.
- LESS skin bootstrap.css 404. Skins still on the LESS path hit a
bad relative import for bootstrap.css -- fixed.
Getting them: bump uPortalVersion=5.17.9 and
simpleContentPortletVersion=3.4.4 in your uPortal-start
gradle.properties (the tracked one is gradle.properties.example).
PRs are up against uPortal-start if you'd rather just merge
those.
One upgrade note: if you use the S3-backed storage options --
SimpleContentPortlet attachments on S3, or uPortal dynamic-skin
storage on S3 (both opt-in, off by default) -- AWS SDK v2 is
stricter about region. It won't quietly default to us-east-1 like
v1 did, so set AWS_REGION (or your profile/instance region)
explicitly. On the default DB attachment storage and filesystem
skin storage? Nothing to do.
Full notes:
- uPortal 5.17.9
https://github.com/uPortal-Project/uPortal/releases/tag/v5.17.9
- SimpleContentPortlet 3.4.4
Couple of patch releases just landed on Maven Central: uPortal
5.17.9 and SimpleContentPortlet 3.4.4. Drop-in for most of you --
here's what's in them and the one upgrade note worth a look.
The theme is dependency hygiene:
- Dropped log4j-core from uPortal. uPortal logs through
slf4j/logback anyway, so log4j-core was just sitting in the WAR
as attack surface (and scanner noise). It's gone -- log4j2 API
calls now route to slf4j via the log4j-to-slf4j bridge. If your
scans have been flagging log4j-core in the uPortal WAR, that
should quiet down.
- Moved S3 storage off AWS SDK v1. AWS put SDK v1 out of security
support (some of you got the emails). SimpleContentPortlet's S3
attachment storage and uPortal's dynamic-skin S3 storage both
moved to SDK v2.
Plus two uPortal fixes:
- JGroups JDBC_PING no longer piles up zombie rows. A node killed
hard (kill -9, OOM) used to leave a stale row behind, and the
discovery table just grew over time. The coordinator now clears
it on each view change.
- LESS skin bootstrap.css 404. Skins still on the LESS path hit a
bad relative import for bootstrap.css -- fixed.
Getting them: bump uPortalVersion=5.17.9 and
simpleContentPortletVersion=3.4.4 in your uPortal-start
gradle.properties (the tracked one is gradle.properties.example).
PRs are up against uPortal-start if you'd rather just merge
those.
One upgrade note: if you use the S3-backed storage options --
SimpleContentPortlet attachments on S3, or uPortal dynamic-skin
storage on S3 (both opt-in, off by default) -- AWS SDK v2 is
stricter about region. It won't quietly default to us-east-1 like
v1 did, so set AWS_REGION (or your profile/instance region)
explicitly. On the default DB attachment storage and filesystem
skin storage? Nothing to do.
Full notes:
- uPortal 5.17.9
https://github.com/uPortal-Project/uPortal/releases/tag/v5.17.9
- SimpleContentPortlet 3.4.4
https://github.com/uPortal-Project/SimpleContentPortlet/releases/tag/SimpleContentPortlet-3.4.4
Reply here if you hit anything.
Reply here if you hit anything.
-bjagg
Benito J. Gonzalez
Software Architect
Unicon, Inc.
Email: bgon...@unicon.net
GitHub: bjagg
GitLab: bjagg
BitBucket: bgon...@unicon.net
Reply all
Reply to author
Forward
0 new messages