portals-jetspeed-dev mailing list archives

From Randy Watler <randywat...@gmail.com>
Subject Re: [VOTE] Release Portlet API 2.1.0 Version 1.0
Date Fri, 17 Jul 2015 05:32:26 GMT
+1

On Thu, Jul 16, 2015 at 6:38 PM, DavidSeanTaylor <david@bluesunrise.com>
wrote:

> Dear Jetspeed and Pluto team and community,
>
> I have staged a release candidate for the Portlet API 2.1.0 Version
> 1.0 project.
>
> This release is a new version of the Portlet API, addressing a Security
> CVE. We are changing one method implementation,
> GenericPortlet.serveResource, to be a no-op out of the box. In 2.0, it
> provided a default implementation that could serve any resource
> in the web application. Having it serve resources without the programmer
> actually implementing the serveResource method was
> considered to be a potential security vulnerability.
>
> From the 2.1.0 Portlet Specification:
>
> ------
> PLT.2.6 Changes Introduced with Version 2.1.0
>
> Version 2.1.0 is a maintenance release amending the description of
> Resource Serving Dispatching in section PLT.5.4.5.3.
> This change, along with the associated Portlet API version 2.1.0 jar file
> update, closes a potential security vulnerability
> associated with Common Vulnerabilities and Exposures ID CVE-2015-1926.
>
> By default the serveResource method in the GenericPortlet class does
> nothing.
>
> However, if a portlet initialization parameter with the reserved name
>
> “javax.portlet.automaticResourceDispatching” is set to true, the
> GenericPortlet serveResource method will attempt to forward
> the request to the resource ID set on the URL triggering the resource
> request. If no resource ID is set, the serveResource method does nothing.
> -----
>
> Please review the release candidate of this project which is available in
> the following staging repository:
>
>
> https://repository.apache.org/content/repositories/orgapacheportals-1007/org/apache/portals/portlet-api_2.1.0_spec/1.0/
>
> The source distribution is also provided through the above staging
> repository:
>
> https://repository.apache.org/content/repositories/orgapacheportals-1007/org/apache/portals/portlet-api_2.1.0_spec/1.0/portlet-api_2.1.0_spec-1.0-source-release.zip
>
> Please vote on releasing:
>
> Portlet API 2.1.0 Release 1.0
>
> This Vote is open for the next 72 hours. I am putting this vote up for
> both Jetspeed and Pluto committers. Please carefully review the release
> prior to voting.
>
> Please cast your vote:
>
> [ ] +1 for Release
> [ ]  0  for Don't care
> [ ] -1 Don't release (do provide a reason then)
>
>
> With kind regards,
>
> David Sean Taylor

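The quoted specification text says that under 2.1.0 a portlet gets the old forwarding behaviour back only by setting the reserved init parameter to true. The following is an added example, not part of the original thread or of the Portlet API project: a small audit that lists the portlets in a `portlet.xml` deployment descriptor that opt back in. The sample descriptor and portlet names are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

RESERVED = "javax.portlet.automaticResourceDispatching"

# Constructed sample descriptor, trimmed to the relevant elements; names are hypothetical.
SAMPLE_PORTLET_XML = """\
<portlet-app xmlns="http://java.sun.com/xml/ns/portlet/portlet-app_2_0.xsd" version="2.0">
  <portlet>
    <portlet-name>ReportsPortlet</portlet-name>
    <init-param>
      <name>javax.portlet.automaticResourceDispatching</name>
      <value>true</value>
    </init-param>
  </portlet>
  <portlet>
    <portlet-name>NewsPortlet</portlet-name>
    <init-param>
      <name>javax.portlet.automaticResourceDispatching</name>
      <value>false</value>
    </init-param>
  </portlet>
  <portlet>
    <portlet-name>HelpPortlet</portlet-name>
  </portlet>
</portlet-app>
"""

def local(tag):
    """Strip the XML namespace so namespaced and plain descriptors both match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), "")

def portlets_with_auto_dispatch(xml_text):
    """Return names of portlets that opt back in to automatic resource dispatching."""
    flagged = []
    for portlet in ET.fromstring(xml_text).iter():
        if local(portlet.tag) != "portlet":
            continue
        for param in (c for c in portlet if local(c.tag) == "init-param"):
            # Case/whitespace-insensitive match is a conservative audit assumption.
            if (child_text(param, "name") == RESERVED
                    and child_text(param, "value").lower() == "true"):
                flagged.append(child_text(portlet, "portlet-name"))
    return flagged

if __name__ == "__main__":
    print(portlets_with_auto_dispatch(SAMPLE_PORTLET_XML))
```

Each portlet it reports deserves a review of which resource IDs its resource URLs can carry, since for those portlets serveResource forwards to whatever resource ID is set on the URL.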