Re: Close an open redirect vulnerability in the Login servlet issue in 4.1.2


Re: Close an open redirect vulnerability in the Login servlet issue in 4.1.2

ramaprasadm
Thanks Julien for getting back. How do I apply the patch to my current version? Could not find the details of what exactly was changed to fix this issue.

Thanks
Malini

On Monday, June 15, 2020 at 11:47:12 PM UTC-7, Julien Gribonvald wrote:

Hi,

The fix was applied and a new release was done, so upgrade at least to version 4.1.3 or apply the patch to your version!

I would suggest that you look into moving to uP 5.x with uPortal-start, on which upgrading to a new version is really, really easy!

Thanks,

Julien

On 16/06/2020 at 00:18, Malini Ramaprasad wrote:
Hi

Looks like the issue https://apereo.atlassian.net/browse/UP-4737 has not been fixed in portal 4.1.2. What should be done to fix this in 4.1.2? Any help is appreciated.

Thanks
Malini
--
You received this message because you are subscribed to the Google Groups "uPortal Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to uport...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-dev/176f7a22-cffa-4c15-ac81-5389563aed88o%40apereo.org.
--
Julien Gribonvald


Re: Close an open redirect vulnerability in the Login servlet issue in 4.1.2

ramaprasadm
I think I found the link. Will give it a try.

Thank you!


Re: Close an open redirect vulnerability in the Login servlet issue in 4.1.2

Julien Gribonvald
In reply to this post by ramaprasadm

Malini, you have several ways with git to merge the change or rebase the source. You can also apply a patch file if you didn't use git.

To see all changes between v4.1.2 and 4.1.3 you have this link: https://github.com/Jasig/uPortal/compare/uportal-4.1.2...uportal-4.1.3

I would suggest that you apply all changes from 4.1.2 to 4.1.3, as there are several fixes, including dependency security fixes (like upgrading commons collections to version 3.2.2).

The change that you are looking for is here: https://github.com/Jasig/uPortal/commit/b4d15875391f94564dbcd15c58857fdd464d0d7c

To apply such a commit with git you can do a `git cherry-pick b4d15875391f94564dbcd15c58857fdd464d0d7c`.

But know that the 4.x uPortal versions aren't maintained anymore, so moving to 5.x would be recommended, and it shouldn't be a big effort, even more so with uPortal-start, but it depends on your customizations (we can provide some guidance to help).

Thanks,

Julien


--
Julien Gribonvald

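The thread names the bug class (an open redirect in the Login servlet) but not the fix itself. As an added illustration, which is not uPortal's code and not the change in the commit linked above, the check below constrains a login endpoint's post-login destination parameter so it can only send the browser to a portal-relative path or an allowlisted https host; the parameter name `refUrl`, the host list and the sample values are assumptions constructed for the example.

```python
# Added example for this thread: not uPortal's code and not the change in the
# linked commit. A login endpoint often takes the post-login destination from a
# request parameter; echoing it straight into a redirect is the open-redirect
# pattern. This validator only lets through portal-relative paths or https URLs
# on an allowlisted host, and falls back to a fixed landing page otherwise.
from urllib.parse import urlsplit

# Assumed portal hosts and landing page (constructed for the example).
ALLOWED_HOSTS = {"portal.example.edu"}
DEFAULT_TARGET = "/uPortal/"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return raw if it is an acceptable redirect target, else default."""
    if not raw:
        return default
    # Control characters have no place in a Location header (header injection).
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return default
    # Browsers treat a backslash after the scheme like a slash ("/\host"),
    # so do not let the parser's view of the value diverge from the browser's.
    if "\\" in raw:
        return default
    parts = urlsplit(raw)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: a single leading "/" keeps it on this origin.
        # "//host" is a network-path reference and shows up above as netloc.
        return raw if raw.startswith("/") and not raw.startswith("//") else default
    # Absolute URL: only https, and only to a host we own. Using .hostname
    # (not .netloc) ignores userinfo such as "https://good@other/".
    if parts.scheme.lower() != "https":
        return default
    host = (parts.hostname or "").lower()
    return raw if host in allowed_hosts else default


def redirect_after_login(params):
    """Mimic the servlet decision: params is the parsed query-string dict."""
    # "refUrl" is an assumed parameter name, not taken from uPortal.
    return safe_redirect_target(params.get("refUrl", ""))


if __name__ == "__main__":
    for sample in ["/uPortal/f/welcome", "https://portal.example.edu/uPortal/",
                   "//other.example/", "https://other.example/", "javascript:x"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```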