+1

On Thu, Jul 16, 2015 at 6:38 PM, DavidSeanTaylor <da...@bluesunrise.com> wrote:
> Dear Jetspeed and Pluto team and community,
>
> I have staged a release candidate for the Portlet API 2.1.0 Version 1.0 project.
>
> This release is a new version of the Portlet API, addressing a Security CVE. We are changing one method implementation, GenericPortlet.serveResource, to be a no-op out of the box. In 2.0, it provided a default implementation that could serve any resource in the web application. Having it serve resources without the programmer actually implementing the serveResource method was considered to be a potential security vulnerability.
>
> From the 2.1.0 Portlet Specification:
>
> ------
> PLT.2.6 Changes Introduced with Version 2.1.0
>
> Version 2.1.0 is a maintenance release amending the description of Resource Serving Dispatching in section PLT.5.4.5.3. This change, along with the associated Portlet API version 2.1.0 jar file update, closes a potential security vulnerability associated with Common Vulnerabilities and Exposures ID CVE-2015-1926.
>
> By default the serveResource method in the GenericPortlet class does nothing.
>
> However, if a portlet initialization parameter with the reserved name “javax.portlet.automaticResourceDispatching” is set to true, the GenericPortlet serveResource method will attempt to forward the request to the resource ID set on the URL triggering the resource request. If no resource ID is set, the serveResource method does nothing.
> -----
>
> Please review the release candidate of this project which is available in the following staging repository:
>
> https://repository.apache.org/content/repositories/orgapacheportals-1007/org/apache/portals/portlet-api_2.1.0_spec/1.0/
>
> The source distribution is also provided through the above staging repository:
>
> https://repository.apache.org/content/repositories/orgapacheportals-1007/org/apache/portals/portlet-api_2.1.0_spec/1.0/portlet-api_2.1.0_spec-1.0-source-release.zip
>
> Please vote on releasing:
>
> Portlet API 2.1.0 Release 1.0
>
> This Vote is open for the next 72 hours. I am putting this vote up for both Jetspeed and Pluto committers. Please carefully review the release prior to voting.
>
> Please cast your vote:
>
> [ ] +1 for Release
> [ ] 0 for Don't care
> [ ] -1 Don't release (do provide a reason then)
>
>
> With kind regards,
>
> David Sean Taylor
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: jetspeed-dev-unsubscr...@portals.apache.org
> For additional commands, e-mail: jetspeed-dev-h...@portals.apache.org
>
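Editorial note, added after the thread and not part of it or of the Apache Portals code: the change above means a portlet author who relied on the 2.0 default (GenericPortlet forwarding to whatever resource ID the URL carried) must now either set the reserved init parameter to opt back in, or override serveResource. The example below shows the second option, a subclass that dispatches only to resource paths it has declared itself; the portlet class name, the allowlisted paths and the 404 handling are this example's own assumptions and are not prescribed by the specification text quoted above. It uses only Portlet API 2.x calls (ResourceRequest.getResourceID, PortletContext.getRequestDispatcher, PortletRequestDispatcher.forward, ResourceResponse.HTTP_STATUS_CODE).

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequestDispatcher;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;

// Illustrative portlet (hypothetical name, not Apache Portals code). It does
// explicitly what the 2.0 GenericPortlet used to do implicitly for every
// portlet, but only for paths the developer has chosen up front.
public class ReportPortlet extends GenericPortlet {

    // Hypothetical allowlist: the only web-application paths this portlet is
    // willing to forward a resource request to. Anything else is refused,
    // so a client-supplied resource ID cannot select an arbitrary file.
    private static final Set<String> ALLOWED_RESOURCES =
        Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(
            "/WEB-INF/jsp/report.jsp",
            "/css/report.css")));

    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response)
            throws PortletException, IOException {
        // The resource ID comes from the resource URL, i.e. from the client.
        String resourceId = request.getResourceID();

        // Same behaviour as the 2.1.0 default when no resource ID is set.
        if (resourceId == null) {
            return;
        }

        // Refuse anything outside the allowlist (this example's own hardening).
        if (!ALLOWED_RESOURCES.contains(resourceId)) {
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }

        // Only now forward, and only to a path the portlet itself declared.
        PortletRequestDispatcher dispatcher =
            getPortletContext().getRequestDispatcher(resourceId);
        if (dispatcher == null) {
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }
        dispatcher.forward(request, response);
    }
}
```

If a portlet instead sets the reserved init parameter javax.portlet.automaticResourceDispatching to true in its portlet.xml, it gets the 2.0-style forwarding back for that portlet only, and with it the exposure the spec text describes; an allowlist in an explicit override is the safer way to keep resource serving.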