Hi all,
Wrapping up a release wave that brings the actively-maintained portlet
fleet to a consistent baseline. Over the past two days, ten portlets
shipped patch / minor releases, all aligned to uportal-portlet-parent v51:
- AnnouncementsPortlet 2.5.2
- basiclti-portlet 1.5.1
- BookmarksPortlet 1.3.1
- CalendarPortlet 2.7.1
- CoursesPortlet 2.1.1
- FeedbackPortlet 1.3.1
- JasigWidgetPortlets 2.4.1
- NewsReaderPortlet 5.1.2
- SimpleContentPortlet 3.4.1
- WebproxyPortlet 2.4.1
All ten are drop-in upgrades — no schema changes, no portlet-API contract
changes, no portlet-preferences migrations. Earlier in the wave,
NotificationPortlet 4.8.2 and uportal-portlet-parent v51 itself shipped as
the dependencies the rest of the wave was built on.
Security: the wave closes three CVE-tracked issues across the fleet —
CVE-2023-37460 (plexus-archiver symlink path traversal during WAR
packaging), CVE-2025-48924 (commons-lang 2.x DoS in
StringUtils.escapeJava), and CVE-2012-5783 (commons-httpclient SSL hostname
verification, where the dep was still pinned). Plus per-portlet bumps for
jackson, logback, bouncycastle (→ bcprov-jdk18on), xstream, hsqldb, and
others.
Bug fixes worth calling out: an initNews NPE in NewsReaderPortlet, a
double-? in proxied URLs in WebproxyPortlet, removal of a NoopHostnameVerifier
in JasigWidgetPortlets that had been disabling outbound HTTPS hostname checks,
a videos.jsp XSS fix in NewsReader, and innerHTML XSS hardening in
JasigWidget.
Frontend: several portlets picked up jQuery / Bootstrap modernization
passes from @Naenyn, including dropping bundled JavaScript in favor of the
resource-server webjars.
What's still deferred (fleet-level, gated by Spring 6 / Jakarta EE):
Hibernate ORM 7.x, pluto-taglib v3, jaxb-xjc v4, portletmvc4spring 6.x,
Pluto retirement decisions. CalendarPortlet 3.0.0 is also tracked
separately to drop on-prem Exchange / NTLM support and migrate to
httpclient 4.x.
Release notes for each portlet are linked from the GitHub Releases page on
the respective repo. The
uportal-project.github.io developer manual's Maven
release process doc was also updated with a couple of recovery scenarios
encountered during the wave — see PR #99.
Thanks to everyone who reviewed PRs and to @Naenyn / @ChristianMurphy for
the contributed cleanup work.
- B