portals-jetspeed-dev mailing list archives

From DavidSeanTaylor <da...@bluesunrise.com>
Subject Re: [VOTE] Release Portlet API 2.1.0 Version 1.0
Date Mon, 20 Jul 2015 15:52:23 GMT
+1

> On Jul 17, 2015, at 4:34 AM, Woonsan Ko <woonsan@apache.org> wrote:
> 
> +1
> 
> Woonsan
> On Jul 16, 2015 8:38 PM, "DavidSeanTaylor" <david@bluesunrise.com> wrote:
> 
>> Dear Jetspeed and Pluto team and community,
>> 
>> I have staged a release candidate for the Portlet API 2.1.0 Version
>> 1.0 project.
>> 
>> This release is a new version of the Portlet API, addressing a Security
>> CVE. We are changing one method implementation,
>> GenericPortlet.serveResource, to be a no-op out of the box. In 2.0, it
>> provided a default implementation that could serve any resource
>> in the web application. Having it serve resources without the programmer
>> actually implementing the serveResource method was
>> considered to be a potential security vulnerability.
>> 
>> From the 2.1.0 Portlet Specification:
>> 
>> ------
>> PLT.2.6 Changes Introduced with Version 2.1.0
>> 
>> Version 2.1.0 is a maintenance release amending the description of
>> Resource Serving Dispatching in section PLT.5.4.5.3.
>> This change, along with the associated Portlet API version 2.1.0 jar file
>> update, closes a potential security vulnerability
>> associated with Common Vulnerabilities and Exposures ID CVE-2015-1926.
>> 
>> By default the serveResource method in the GenericPortlet class does
>> nothing.
>> 
>> However, if a portlet initialization parameter with the reserved name
>> “javax.portlet.automaticResourceDispatching” is set to true, the
>> GenericPortlet serveResource method will attempt to forward
>> the request to the resource ID set on the URL triggering the resource
>> request. If no resource ID is set, the serveResource method does nothing.
>> -----
>> 
>> Please review the release candidate of this project which is available in
>> the following staging repository:
>> 
>> 
>> https://repository.apache.org/content/repositories/orgapacheportals-1007/org/apache/portals/portlet-api_2.1.0_spec/1.0/
>> 
>> The source distribution is also provided through the above staging
>> repository:
>> 
>> https://repository.apache.org/content/repositories/orgapacheportals-1007/org/apache/portals/portlet-api_2.1.0_spec/1.0/portlet-api_2.1.0_spec-1.0-source-release.zip
>> 
>> Please vote on releasing:
>> 
>> Portlet API 2.1.0 Release 1.0
>> 
>> This Vote is open for the next 72 hours. I am putting this vote up for
>> both Jetspeed and Pluto committers. Please carefully review the release
>> prior to voting.
>> 
>> Please cast your vote:
>> 
>> [ ] +1 for Release
>> [ ]  0  for Don't care
>> [ ] -1 Don't release (do provide a reason then)
>> 
>> 
>> With kind regards,
>> 
>> David Sean Taylor
>> 
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
>> For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
>> 
>> 
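The quoted spec text above describes what changes for portlet authors: GenericPortlet.serveResource no longer forwards to whatever resource ID arrives on the URL, so a portlet that serves resources must now implement serveResource itself. The following class is an added illustration of that, not code from the Portlet API release or from the Jetspeed or Pluto projects; the class name, the JSP paths and the allow-list are assumptions chosen for the example. It forwards only to resource IDs the portlet has deliberately registered, and, like the 2.1.0 default, does nothing when no resource ID is present.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequestDispatcher;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;

/**
 * Illustrative portlet (not part of the Portlet API release) showing how a
 * portlet serves resources under the 2.1.0 contract: the inherited
 * serveResource is a no-op, so the portlet decides which resources may be
 * dispatched instead of forwarding any resource ID found on the URL.
 */
public class ReportPortlet extends GenericPortlet {

    // Explicit allow-list of resource IDs this portlet is willing to serve.
    // Hypothetical paths chosen for the example; a real portlet lists its own.
    private static final Set<String> ALLOWED_RESOURCES =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
                    "/WEB-INF/jsp/report.jsp",
                    "/WEB-INF/jsp/chart.jsp")));

    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response)
            throws PortletException, IOException {
        String resourceId = request.getResourceID();

        // Same as the 2.1.0 default: no resource ID on the URL means nothing happens.
        if (resourceId == null) {
            return;
        }

        // The 2.0 default forwarded whatever ID arrived on the URL. Here only
        // IDs the portlet registered above are dispatched; anything else is a 404.
        if (!ALLOWED_RESOURCES.contains(resourceId)) {
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }

        PortletRequestDispatcher dispatcher =
                getPortletContext().getRequestDispatcher(resourceId);
        if (dispatcher != null) {
            dispatcher.forward(request, response);
        }
    }
}
```

A portlet that genuinely relied on the old automatic forwarding can, per the quoted spec text, opt back in by setting the reserved initialization parameter javax.portlet.automaticResourceDispatching to true in its portlet.xml; the point of the default change is that this is now a per-portlet decision rather than behaviour every GenericPortlet subclass inherits without asking for it.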