+1

> On Jul 17, 2015, at 4:34 AM, Woonsan Ko <woon...@apache.org> wrote:
>
> +1
>
> Woonsan
>
> On Jul 16, 2015 8:38 PM, "DavidSeanTaylor" <da...@bluesunrise.com> wrote:
>
>> Dear Jetspeed and Pluto team and community,
>>
>> I have staged a release candidate for the Portlet API 2.1.0 Version 1.0 project.
>>
>> This release is a new version of the Portlet API, addressing a Security CVE. We are changing one method implementation, GenericPortlet.serveResource, to be a no-op out of the box. In 2.0, it provided a default implementation that could serve any resource in the web application. Having it serve resources without the programmer actually implementing the serveResource method was considered to be a potential security vulnerability.
>>
>> From the 2.1.0 Portlet Specification:
>>
>> ------
>> PLT.2.6 Changes Introduced with Version 2.1.0
>>
>> Version 2.1.0 is a maintenance release amending the description of Resource Serving Dispatching in section PLT.5.4.5.3. This change, along with the associated Portlet API version 2.1.0 jar file update, closes a potential security vulnerability associated with Common Vulnerabilities and Exposures ID CVE-2015-1926.
>>
>> By default the serveResource method in the GenericPortlet class does nothing.
>>
>> However, if a portlet initialization parameter with the reserved name “javax.portlet.automaticResourceDispatching” is set to true, the GenericPortlet serveResource method will attempt to forward the request to the resource ID set on the URL triggering the resource request. If no resource ID is set, the serveResource method does nothing.
>> -----
>>
>> Please review the release candidate of this project which is available in the following staging repository:
>>
>> https://repository.apache.org/content/repositories/orgapacheportals-1007/org/apache/portals/portlet-api_2.1.0_spec/1.0/
>>
>> The source distribution is also provided through the above staging repository:
>>
>> https://repository.apache.org/content/repositories/orgapacheportals-1007/org/apache/portals/portlet-api_2.1.0_spec/1.0/portlet-api_2.1.0_spec-1.0-source-release.zip
>>
>> Please vote on releasing:
>>
>> Portlet API 2.1.0 Release 1.0
>>
>> This Vote is open for the next 72 hours. I am putting this vote up for both Jetspeed and Pluto committers. Please carefully review the release prior to voting.
>>
>> Please cast your vote:
>>
>> [ ] +1 for Release
>> [ ] 0 for Don't care
>> [ ] -1 Don't release (do provide a reason then)
>>
>>
>> With kind regards,
>>
>> David Sean Taylor
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: jetspeed-dev-unsubscr...@portals.apache.org
>> For additional commands, e-mail: jetspeed-dev-h...@portals.apache.org
>>
>>
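As an added illustration of the change discussed in the thread (this is not code from the release candidate, the spec jar, or the Pluto/Jetspeed projects), here is how a portlet built against the 2.1.0 API serves resources explicitly instead of relying on the old automatic dispatch: serveResource is overridden, the resource ID taken from the URL is matched against a fixed allow-list of paths inside the web application, and anything else is refused. The class name and the two JSP paths are assumptions.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequestDispatcher;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;

/**
 * Hypothetical portlet that serves resources explicitly. With Portlet API
 * 2.1.0 the inherited GenericPortlet.serveResource does nothing unless the
 * init parameter javax.portlet.automaticResourceDispatching is true, so a
 * portlet that needs resources must implement this method itself.
 */
public class ReportPortlet extends GenericPortlet {

    // Constructed allow-list: the only paths in the web application that a
    // resource URL may dispatch to. Fixed here, never derived from request input.
    private static final Set<String> ALLOWED_RESOURCES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("/WEB-INF/jsp/report.jsp", "/WEB-INF/jsp/chart.jsp")));

    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response)
            throws PortletException, IOException {
        String resourceId = request.getResourceID();
        // No resource ID on the URL: same as the 2.1.0 default, do nothing.
        if (resourceId == null) {
            return;
        }
        // Exact match against the allow-list; an arbitrary ID is never forwarded,
        // which is the behaviour CVE-2015-1926 is about.
        if (!ALLOWED_RESOURCES.contains(resourceId)) {
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }
        PortletRequestDispatcher dispatcher =
                getPortletContext().getRequestDispatcher(resourceId);
        if (dispatcher == null) {
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
            return;
        }
        dispatcher.forward(request, response);
    }
}
```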