Skip to Content

uPortal 4.0.13.1

uPortal 4.0.13.1 is now available. This is a security-fix release patching 4.0.13 with two important security fixes to properly enforce MANAGE and CONFIG permissions.

Prior to this release, portlet administration permissions are bugged such that:

  1. CVE-2014-3416 : anyone who can SUBSCRIBE the portlet-admin portlet can MANAGE any portlet, regardless of intended delegated administration MANAGE and MANAGE-* permission restrictions, and
  2. CVE-2014-3417 : anyone who can SUBSCRIBE a given portlet can enter CONFIG mode of that portlet to the extent that the portlet has a CONFIG mode.

Vulnerability descriptions and workarounds are linked from each of the CVE identifiers above.

See the wiki page release notes for this release for additional information.

uPortal developers Andrew Petro, James Wennmacher, and Drew Wills contributed commits included in this release. Petro performed release engineering with a lot of help from Tim Levett.