portals-jetspeed-dev mailing list archives

From DavidSeanTaylor <da...@bluesunrise.com>
Subject [VOTE] Release Portlet API 2.1.0 Version 1.0
Date Fri, 17 Jul 2015 00:38:16 GMT
Dear Jetspeed and Pluto team and community,

I have staged a release candidate for the Portlet API 2.1.0 Version 1.0 project.

This release is a new version of the Portlet API, addressing a Security CVE. We are changing one method implementation, GenericPortlet.serveResource, to be a no-op out of the box. In 2.0, it provided a default implementation that could serve any resource in the web application. Having it serve resources without the programmer actually implementing the serveResource method was considered to be a potential security vulnerability.

From the 2.1.0 Portlet Specification:

PLT.2.6 Changes Introduced with Version 2.1.0

Version 2.1.0 is a maintenance release amending the description of Resource Serving Dispatching in section PLT. This change, along with the associated Portlet API version 2.1.0 jar file update, closes a potential security vulnerability associated with Common Vulnerabilities and Exposures ID CVE-2015-1926.

By default the serveResource method in the GenericPortlet class does nothing.

However, if a portlet initialization parameter with the reserved name "javax.portlet.automaticResourceDispatching" is set to true, the GenericPortlet serveResource method will attempt to forward the request to the resource ID set on the URL triggering the resource request. If no resource ID is set, the serveResource method does nothing.

Please review the release candidate of this project which is available in 
the following staging repository:


The source distribution is also provided through the above staging repository:

Please vote on releasing:

Portlet API 2.1.0 Release 1.0

This Vote is open for the next 72 hours. I am putting this vote up for both Jetspeed and Pluto
committers. Please carefully review the release prior to voting.

Please cast your vote:

[ ] +1 for Release
[ ]  0  for Don't care
[ ] -1 Don't release (do provide a reason then)

With kind regards,

David Sean Taylor
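As an added illustration of the defensive pattern the 2.1.0 change encourages (this is example code written for this page, not code from the original message or from the Pluto or Jetspeed projects), the portlet below implements serveResource itself and decides explicitly which resources may be dispatched, rather than relying on the 2.0 default or on enabling the javax.portlet.automaticResourceDispatching opt-in. The portlet class name, the allowed folder and the file-name pattern are assumptions.

```java
import java.io.IOException;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequestDispatcher;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;

/**
 * Added example (not from the original message or the Pluto/Jetspeed code base).
 * A portlet that needs resource serving overrides serveResource and restricts
 * dispatching to an explicit folder and file-name shape, instead of letting
 * GenericPortlet forward to whatever resource ID arrives on the URL.
 */
public class ReportPortlet extends GenericPortlet {

    /** Assumed: only files under this web-application folder may be served. */
    static final String ALLOWED_PREFIX = "/WEB-INF/reports/";

    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response)
            throws PortletException, IOException {
        String resourceId = request.getResourceID();

        // Mirror the 2.1.0 default: no resource ID means there is nothing to serve.
        if (resourceId == null) {
            return;
        }
        if (!isAllowed(resourceId)) {
            // Anything outside the intended folder (path separators, parent
            // references, unexpected characters) is answered with 404.
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }
        PortletRequestDispatcher dispatcher =
                getPortletContext().getRequestDispatcher(ALLOWED_PREFIX + resourceId);
        if (dispatcher == null) {
            // The container found no matching resource; do not fall back to a broader search.
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }
        dispatcher.forward(request, response);
    }

    /** Accept only a plain file name: no separators, no "..", a conservative character set. */
    static boolean isAllowed(String resourceId) {
        return !resourceId.isEmpty()
                && !resourceId.contains("/")
                && !resourceId.contains("\\")
                && !resourceId.contains("..")
                && resourceId.matches("[A-Za-z0-9_.-]+");
    }
}
```

With this pattern in place, the portlet's portlet.xml does not need the javax.portlet.automaticResourceDispatching parameter at all; leaving it unset keeps the 2.1.0 no-op default for any portlet that does not override serveResource, and only portlets that deliberately serve resources carry the allow-list logic above.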
