uPortal 4.1.1

@apetro apetro released this 25 Aug 13:32
· 5255 commits to master since this release

uPortal 4.1.1 is a patch release of uPortal 4.1, cut to release a couple of important security fixes and to ship some minor fixes that had accumulated in the 4.1-patches maintenance branch.

See also

  • The 4.1.1 wiki page, which includes macros listing known defects in this release and the issues resolved for this release.

Important security fixes in this release

Prior to this release, uPortal CAS integration was flawed in two ways:

  • CVE-2014-5059: a user logging in via CAS could log in as any user account in the typical uPortal CAS login configuration, and
  • CVE-2014-4172: the Java CAS client library shipping in uPortal was vulnerable to an illicit proxy attack.

This release addresses these vulnerabilities by

  • Shipping a corrected default, example security.properties configuration,
  • Shipping a fixed CAS-integration uPortal SecurityContext implementation that fails safe even when the incorrect security.properties configuration is applied, and
  • Fronting the vulnerable Java CAS Client with a new Filter that blocks CVE-2014-4172.

Other fixes in this release