uPortal 5.17.9 + SimpleContentPortlet 3.4.4 — security & maintenance patches
3 views
Skip to first unread message
Benito Gonzalez
Jun 24, 2026, 12:18:16 PM (5 days ago) Jun 24
to Developers, uPortal, uPortal Community, uPortal Steering Committee, announcemen...@apereo.org, Bill Smith
Hey folks,
Couple of patch releases just landed on Maven Central: uPortal
5.17.9 and SimpleContentPortlet 3.4.4. Drop-in for most of you --
here's what's in them and the one upgrade note worth a look.
The theme is dependency hygiene:
- Dropped log4j-core from uPortal. uPortal logs through
slf4j/logback anyway, so log4j-core was just sitting in the WAR
as attack surface (and scanner noise). It's gone -- log4j2 API
calls now route to slf4j via the log4j-to-slf4j bridge. If your
scans have been flagging log4j-core in the uPortal WAR, that
should quiet down.
- Moved S3 storage off AWS SDK v1. AWS put SDK v1 out of security
support (some of you got the emails). SimpleContentPortlet's S3
attachment storage and uPortal's dynamic-skin S3 storage both
moved to SDK v2.
Plus two uPortal fixes:
- JGroups JDBC_PING no longer piles up zombie rows. A node killed
hard (kill -9, OOM) used to leave a stale row behind, and the
discovery table just grew over time. The coordinator now clears
it on each view change.
- LESS skin bootstrap.css 404. Skins still on the LESS path hit a
bad relative import for bootstrap.css -- fixed.
Getting them: bump uPortalVersion=5.17.9 and
simpleContentPortletVersion=3.4.4 in your uPortal-start
gradle.properties (the tracked one is gradle.properties.example).
PRs are up against uPortal-start if you'd rather just merge
those.
One upgrade note: if you use the S3-backed storage options --
SimpleContentPortlet attachments on S3, or uPortal dynamic-skin
storage on S3 (both opt-in, off by default) -- AWS SDK v2 is
stricter about region. It won't quietly default to us-east-1 like
v1 did, so set AWS_REGION (or your profile/instance region)
explicitly. On the default DB attachment storage and filesystem
skin storage? Nothing to do.
Full notes:
- uPortal 5.17.9
https://github.com/uPortal-Project/uPortal/releases/tag/v5.17.9
- SimpleContentPortlet 3.4.4
Couple of patch releases just landed on Maven Central: uPortal
5.17.9 and SimpleContentPortlet 3.4.4. Drop-in for most of you --
here's what's in them and the one upgrade note worth a look.
The theme is dependency hygiene:
- Dropped log4j-core from uPortal. uPortal logs through
slf4j/logback anyway, so log4j-core was just sitting in the WAR
as attack surface (and scanner noise). It's gone -- log4j2 API
calls now route to slf4j via the log4j-to-slf4j bridge. If your
scans have been flagging log4j-core in the uPortal WAR, that
should quiet down.
- Moved S3 storage off AWS SDK v1. AWS put SDK v1 out of security
support (some of you got the emails). SimpleContentPortlet's S3
attachment storage and uPortal's dynamic-skin S3 storage both
moved to SDK v2.
Plus two uPortal fixes:
- JGroups JDBC_PING no longer piles up zombie rows. A node killed
hard (kill -9, OOM) used to leave a stale row behind, and the
discovery table just grew over time. The coordinator now clears
it on each view change.
- LESS skin bootstrap.css 404. Skins still on the LESS path hit a
bad relative import for bootstrap.css -- fixed.
Getting them: bump uPortalVersion=5.17.9 and
simpleContentPortletVersion=3.4.4 in your uPortal-start
gradle.properties (the tracked one is gradle.properties.example).
PRs are up against uPortal-start if you'd rather just merge
those.
One upgrade note: if you use the S3-backed storage options --
SimpleContentPortlet attachments on S3, or uPortal dynamic-skin
storage on S3 (both opt-in, off by default) -- AWS SDK v2 is
stricter about region. It won't quietly default to us-east-1 like
v1 did, so set AWS_REGION (or your profile/instance region)
explicitly. On the default DB attachment storage and filesystem
skin storage? Nothing to do.
Full notes:
- uPortal 5.17.9
https://github.com/uPortal-Project/uPortal/releases/tag/v5.17.9
- SimpleContentPortlet 3.4.4
https://github.com/uPortal-Project/SimpleContentPortlet/releases/tag/SimpleContentPortlet-3.4.4
Reply here if you hit anything.
Reply here if you hit anything.
-bjagg
Benito J. Gonzalez
Software Architect
Unicon, Inc.
Email: bgon...@unicon.net
GitHub: bjagg
GitLab: bjagg
BitBucket: bgon...@unicon.net
Julien Gribonvald
Jun 24, 2026, 5:02:27 PM (5 days ago) Jun 24
to uporta...@apereo.org
Thanks Benito and everyone who contributed !
Julien
--
You received this message because you are subscribed to the Google Groups "uPortal Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to uportal-user...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/uportal-user/CAJ_1GkT8%3DfWivN7Y%3D%3DfKFeUMetMvTnv8YcBxbJRHbfRAZo3YpQ%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages