Re: [uportal-dev] [VOTE] Tuyhang Ly for uPortal committer

2008-05-28 Thread Faizan Ahmed

+1

Jason Shao (CampusEAI Consortium) wrote:

+1 Tuy's the best!

On May 22, 2008, at 10:46 AM, Eric Dalquist wrote:

I'd like to propose making Tuy a uPortal committer; she has provided 
several high-quality patches and enhancements to uPortal 3.0 both pre- 
and post-release, and it would be good to have her committing these on 
her own.


-Eric


--
Jason Shao
Director of Open Source Solutions
CampusEAI Consortium
1940 East 6th Street, 11th Floor
Cleveland, OH 44114
Tel: 216.589.9626x249
Fax: 216.589.9639




--
Faizan Ahmed
Sr. Application Developer
Enterprise Systems and Services, Rutgers University
voice: 732 445-2763 | fax: 732 445-5493 |e-mail: [EMAIL PROTECTED]


--
You are currently subscribed to uportal-dev@lists.ja-sig.org as: [EMAIL 
PROTECTED]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/uportal-dev


Re: [uportal-dev] 2.5.3.1 security release versus 2.5.4 patch release

2007-06-19 Thread Faizan Ahmed

Hi,

The uPortal rel-2.5.3.1 is tagged, and uPortal_rel-2-5-3-1_GA is built 
and posted on the website. Thanks to Scott for helping to post the build 
on the website.


http://www.uportal.org/download.html

I would appreciate it if someone could do some Hypercontent magic to

"add a news item to the uportal site via Hypercontent announcing the release
publish that news item, the news index page, the news archive page, and 
the front page to  make this news item available for consumption."


We may want to update the download page to provide a little bit more info 
for the security release if we choose to do so.


I will try to build the quick start tomorrow if I get some spare time 
(no promise).


Thanks

Faizan
PS: I will not be available via email today after 3:00 EST.


Faizan Ahmed wrote:

Hi,

I have done a quick test on rel-2-5-3-1-RC1. Things look good to me 
except for a minor issue. When I start the portal, the document title or 
page title of the welcome screen incorrectly says 2.5.1. I have made 
the change in the data.xml to make it say 2.5.3. I would like it to 
read 2.5.3.1 but it seems we do not support versioning that deep (or 
I am not aware of it). A stupid try to set the MICRO value to 3.1 
instead of 3 did not work.


I am planning to tag the GA by 12:30 EST. Please let me know if it is 
OK with everyone. All feedback is very welcome :-).


Thanks.

Faizan

Faizan Ahmed wrote:

Hi,

We have taken the route of a minimal-diff 2.5.3.1 security release 
according to our consensus. The following things have been done:


1- Created the Jira Release number 2.5.3.1
2- UP-1741 is created to document this issue 
(http://www.ja-sig.org/issues/browse/UP-1741)

3- Created a Branch rel-2-5-3-patches from tag rel-2-5-3-GA
4- Applied the patch that was forwarded with this message for 
(rel-2-5-3-1 & rel-2-5-4)

5- Tagged rel-2-5-3-1-RC1

What is Next:

I would request that someone check out rel-2-5-3-1-RC1 and test it. 
After the test I will tag rel-2-5-3-1-GA, build it and update the 
website. Moreover, I will create the wiki page to document this issue.


Thanks for your help.

Faizan

Andrew Petro wrote:

Faizan,

+1 for a minimal diff 2.5.3.1 security release.
I think an inclination to prioritize getting out the simplest 
possible release including this critical security fix is sound.  
Simplest Thing That Could Possibly Work and all that.


As you note, there are a number of changes latent in 2-5-patches 
targeted for a 2.5.4, including a significant JSR-168 support 
improvement courtesy of Cris Holdorph 
<http://support.unicon.net/node/596>.  Getting a 2.5.4 release out 
sometime is probably therefore also a worthy goal, maybe depending 
on how steep the upgrade path to 2.6 is felt to be.


Andrew



Hi! again!!

I just looked at the current rel-2-5-patches head and the 
rel-2-5-3-GA. A quick compare gave me a significant number of 
differences between both code bases. That means there have been 
several changes that went in on the 2-5-patches branch since the release 
of rel-2-5-3-GA. These changes are targeted to rel-2-5-4 as JIRA 
pointed out.

Here is what I am thinking in the present situation:

-Branch off from tag rel-2-5-3-GA (I will call the branch 
rel-2-5-3-patches)
-Apply the security patch in this branch and also in the head of 
rel-2-5-patches.


The tag "rel-2-5-3-1" will be done on the newly created branch 
(2-5-3-patches).


I will wait until 1330 EST for any negative response. If I 
do not get any negative response about my plan by then, I will 
execute my plan as I have mentioned above.


Thanks.

Faizan 



--
Join your friends and colleagues at JA-SIG with Altitude: June 
24-27, 2007 in Denver, CO USA.


Featuring keynotes by: Phil Windley, Matt Raible, Matt Asay
Sessions on topics including: CAS, uPortal, Portlets, Sakai, 
Identity Management, and Open Source


For more information & registration visit: 
http://www.ja-sig.org/conferences/07summer/index.html

---
You are currently subscribed to uportal-dev@lists.ja-sig.org as: 
[EMAIL PROTECTED]
To unsubscribe send a blank email to 
[EMAIL PROTECTED] 










Re: [uportal-dev] 2.5.3.1 security release versus 2.5.4 patch release

2007-06-19 Thread Faizan Ahmed

Hi,

I have done a quick test on rel-2-5-3-1-RC1. Things look good to me 
except for a minor issue. When I start the portal, the document title or 
page title of the welcome screen incorrectly says 2.5.1. I have made the 
change in the data.xml to make it say 2.5.3. I would like it to read 
2.5.3.1 but it seems we do not support versioning that deep (or I am 
not aware of it). A stupid try to set the MICRO value to 3.1 instead of 
3 did not work.


I am planning to tag the GA by 12:30 EST. Please let me know if it is OK 
with everyone. All feedback is very welcome :-).


Thanks.

Faizan

Faizan Ahmed wrote:

Hi,

We have taken the route of a minimal-diff 2.5.3.1 security release 
according to our consensus. The following things have been done:


1- Created the Jira Release number 2.5.3.1
2- UP-1741 is created to document this issue 
(http://www.ja-sig.org/issues/browse/UP-1741)

3- Created a Branch rel-2-5-3-patches from tag rel-2-5-3-GA
4- Applied the patch that was forwarded with this message for 
(rel-2-5-3-1 & rel-2-5-4)

5- Tagged rel-2-5-3-1-RC1

What is Next:

I would request that someone check out rel-2-5-3-1-RC1 and test it. 
After the test I will tag rel-2-5-3-1-GA, build it and update the 
website. Moreover, I will create the wiki page to document this issue.


Thanks for your help.

Faizan

Andrew Petro wrote:

Faizan,

+1 for a minimal diff 2.5.3.1 security release.
I think an inclination to prioritize getting out the simplest 
possible release including this critical security fix is sound.  
Simplest Thing That Could Possibly Work and all that.


As you note, there are a number of changes latent in 2-5-patches 
targeted for a 2.5.4, including a significant JSR-168 support 
improvement courtesy of Cris Holdorph 
<http://support.unicon.net/node/596>.  Getting a 2.5.4 release out 
sometime is probably therefore also a worthy goal, maybe depending on 
how steep the upgrade path to 2.6 is felt to be.


Andrew



Hi! again!!

I just looked at the current rel-2-5-patches head and the 
rel-2-5-3-GA. A quick compare gave me a significant number of 
differences between both code bases. That means there have been 
several changes that went in on the 2-5-patches branch since the release 
of rel-2-5-3-GA. These changes are targeted to rel-2-5-4 as JIRA 
pointed out.

Here is what I am thinking in the present situation:

-Branch off from tag rel-2-5-3-GA (I will call the branch 
rel-2-5-3-patches)
-Apply the security patch in this branch and also in the head of 
rel-2-5-patches.


The tag "rel-2-5-3-1" will be done on the newly created branch 
(2-5-3-patches).


I will wait until 1330 EST for any negative response. If I do 
not get any negative response about my plan by then, I will 
execute my plan as I have mentioned above.


Thanks.

Faizan 











Re: [uportal-dev] 2.5.3.1 security release versus 2.5.4 patch release

2007-06-18 Thread Faizan Ahmed

Hi,

We have taken the route of a minimal-diff 2.5.3.1 security release 
according to our consensus. The following things have been done:


1- Created the Jira Release number 2.5.3.1
2- UP-1741 is created to document this issue 
(http://www.ja-sig.org/issues/browse/UP-1741)

3- Created a Branch rel-2-5-3-patches from tag rel-2-5-3-GA
4- Applied the patch that was forwarded with this message for 
(rel-2-5-3-1 & rel-2-5-4)

5- Tagged rel-2-5-3-1-RC1

What is Next:

I would request that someone check out rel-2-5-3-1-RC1 and test it. 
After the test I will tag rel-2-5-3-1-GA, build it and update the website. 
Moreover, I will create the wiki page to document this issue.


Thanks for your help.

Faizan

Andrew Petro wrote:

Faizan,

+1 for a minimal diff 2.5.3.1 security release. 

I think an inclination to prioritize getting out the simplest possible 
release including this critical security fix is sound.  Simplest Thing 
That Could Possibly Work and all that.


As you note, there are a number of changes latent in 2-5-patches 
targeted for a 2.5.4, including a significant JSR-168 support 
improvement courtesy of Cris Holdorph 
<http://support.unicon.net/node/596>.  Getting a 2.5.4 release out 
sometime is probably therefore also a worthy goal, maybe depending on 
how steep the upgrade path to 2.6 is felt to be.


Andrew



Hi! again!!

I just looked at the current rel-2-5-patches head and the 
rel-2-5-3-GA. A quick compare gave me a significant number of 
differences between both code bases. That means there have been 
several changes that went in on the 2-5-patches branch since the release 
of rel-2-5-3-GA. These changes are targeted to rel-2-5-4 as JIRA 
pointed out.

Here is what I am thinking in the present situation:

-Branch off from tag rel-2-5-3-GA (I will call the branch 
rel-2-5-3-patches)
-Apply the security patch in this branch and also in the head of 
rel-2-5-patches.


The tag "rel-2-5-3-1" will be done on the newly created branch 
(2-5-3-patches).


I will wait until 1330 EST for any negative response. If I do 
not get any negative response about my plan by then, I will 
execute my plan as I have mentioned above.


Thanks.

Faizan 









Re: [uportal-dev] uPortal Security Notice: RemoteUserSecurityContext exploit

2007-06-18 Thread Faizan Ahmed

Hi! again!!

I just looked at the current rel-2-5-patches head and the rel-2-5-3-GA. 
A quick compare gave me a significant number of differences between both 
code bases. That means there have been several changes that went in on 
the 2-5-patches branch since the release of rel-2-5-3-GA. These changes are 
targeted to rel-2-5-4 as JIRA pointed out.

Here is what I am thinking in the present situation:

-Branch off from tag rel-2-5-3-GA (I will call the branch 
rel-2-5-3-patches)
-Apply the security patch in this branch and also in the head of 
rel-2-5-patches.


The tag "rel-2-5-3-1" will be done on the newly created branch 
(2-5-3-patches).


I will wait until 1330 EST for any negative response. If I do not 
get any negative response about my plan by then, I will execute my 
plan as I have mentioned above.


Thanks.

Faizan

Faizan Ahmed wrote:

Hi,

As Bill has mentioned, I will be taking care of the 2.5 branch, which includes:

  1- Create Jira issue for this issue
  2- Apply the patch on rel-2-5-patches tag 2-5-3-1-RC1 and request to 
test it.

  3- Tag 2-5-3-1-GA after successful test reports.
  4- Post the security notice and patch somewhere appropriate on the 
uPortal wiki. (Suggestions are welcome for the appropriate place)
  5- Build the uPortal-only and quick start for 2-5-3-1-GA (since 
this is a critical bug I think we should do this step).

  6- update the website
  7- Announce the availability of 2-5-3-1-GA on the user list.

Note: I have never created the quick start or updated the website 
before, so I would be very happy to get a to-do task list or any advice.


Thanks, everyone.

Faizan
William G. Thompson, Jr. wrote:

Folks,

Faizan will be working up a SECURITY release for the 2.5 branch this
week and Andrew is taking care of the 2.6 branch.

Bill


William G. Thompson, Jr. wrote:
 

This is a public notification of an identified uPortal security
vulnerability and workaround.  All uPortal adopters are encouraged to
review the following notice immediately and take appropriate action as
necessary.

---
*Title:*
RemoteUserSecurityContext exploit

*Summary:*
RemoteUserSecurityContext may allow an authenticated user to
authenticate as another user knowing only that user's account name. A
patch for this vulnerability is attached to this message.

*Issue:*
The vulnerability is exposed when the RemoteUserSecurityContextFactory
is used in conjunction with another security context factory under the
UnionSecurityContextFactory. The result of this configuration is that any
user that can access uPortal with REMOTE_USER set can become any other
portal user.

If authentication is attempted with the other security context, the
provided user id will be set on the principal. When the
RemoteUserSecurityContext executes, it attempts to set the user id of the
principal to the REMOTE_USER and returns that the principal is
authenticated. Since the principal already has a user id set, the setting
by RemoteUserSecurityContext fails silently, resulting in an
authenticated principal with the user id provided by the attacker, not
the value specified in the REMOTE_USER field.

An example vulnerable configuration from security.properties:
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.a=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
root.b=org.jasig.portal.security.provider.SimpleSecurityContextFactory

*Versions Affected:*
All (2.0, 2.1, 2.2, 2.3, 2.4, 2.5)

*Resolution:*
The resolution involves adding a check to RemoteUserSecurityContext to
verify the setting of the REMOTE_USER user id was successful for the
principal. If it was not, the RemoteUserSecurityContext will not mark the
principal as authenticated.

*Patching:*
The attached patch should be applied to the file
/uPortal/source/org/jasig/portal/security/provider/RemoteUserSecurityContext.java

After application of the patch compile and deploy the file to the
application server.
---






Re: [uportal-dev] uPortal Security Notice: RemoteUserSecurityContext exploit

2007-06-18 Thread Faizan Ahmed

Hi,

As Bill has mentioned, I will be taking care of the 2.5 branch, which includes:

  1- Create Jira issue for this issue
  2- Apply the patch on rel-2-5-patches tag 2-5-3-1-RC1 and request to 
test it.

  3- Tag 2-5-3-1-GA after successful test reports.
  4- Post the security notice and patch somewhere appropriate on the 
uPortal wiki. (Suggestions are welcome for the appropriate place)
  5- Build the uPortal-only and quick start for 2-5-3-1-GA (since 
this is a critical bug I think we should do this step).

  6- update the website
  7- Announce the availability of 2-5-3-1-GA on the user list.

Note: I have never created the quick start or updated the website 
before, so I would be very happy to get a to-do task list or any advice.


Thanks, everyone.

Faizan 


William G. Thompson, Jr. wrote:

Folks,

Faizan will be working up a SECURITY release for the 2.5 branch this
week and Andrew is taking care of the 2.6 branch.

Bill


William G. Thompson, Jr. wrote:
  

This is a public notification of an identified uPortal security
vulnerability and workaround.  All uPortal adopters are encouraged to
review the following notice immediately and take appropriate action as
necessary.

---
*Title:*
RemoteUserSecurityContext exploit

*Summary:*
RemoteUserSecurityContext may allow an authenticated user to
authenticate as another user knowing only that user's account name. A
patch for this vulnerability is attached to this message.

*Issue:*
The vulnerability is exposed when the RemoteUserSecurityContextFactory
is used in conjunction with another security context factory under the
UnionSecurityContextFactory. The result of this configuration is that any
user that can access uPortal with REMOTE_USER set can become any other
portal user.

If authentication is attempted with the other security context, the
provided user id will be set on the principal. When the
RemoteUserSecurityContext executes, it attempts to set the user id of the
principal to the REMOTE_USER and returns that the principal is
authenticated. Since the principal already has a user id set, the setting
by RemoteUserSecurityContext fails silently, resulting in an
authenticated principal with the user id provided by the attacker, not
the value specified in the REMOTE_USER field.

An example vulnerable configuration from security.properties:
root=org.jasig.portal.security.provider.UnionSecurityContextFactory
root.a=org.jasig.portal.security.provider.RemoteUserSecurityContextFactory
root.b=org.jasig.portal.security.provider.SimpleSecurityContextFactory

*Versions Affected:*
All (2.0, 2.1, 2.2, 2.3, 2.4, 2.5)

*Resolution:*
The resolution involves adding a check to RemoteUserSecurityContext to
verify the setting of the REMOTE_USER user id was successful for the
principal. If it was not, the RemoteUserSecurityContext will not mark the
principal as authenticated.

*Patching:*
The attached patch should be applied to the file
/uPortal/source/org/jasig/portal/security/provider/RemoteUserSecurityContext.java

After application of the patch compile and deploy the file to the
application server.
---







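The following Python model is an added illustration of the failure sequence the security notice above describes and of what its stated resolution changes. It is not uPortal's code and not the patch attached to the notice: the Principal, the three security contexts and the union are simplified stand-ins for the org.jasig.portal.security.provider classes named in the notice, their behaviour is taken only from the notice's own wording, and the password table, account names and request values are constructed sample data.

```python
"""Model of the RemoteUserSecurityContext / UnionSecurityContext flaw.

Illustrative stand-ins for uPortal classes, built from the notice's
description; not uPortal source. Sample users and requests are constructed.
"""


class Principal:
    """The user id can be set only once; a second attempt fails by returning
    False instead of raising, which is the silent failure the notice relies on."""

    def __init__(self):
        self.uid = None

    def set_uid(self, uid):
        if self.uid is not None:
            return False
        self.uid = uid
        return True


class SimpleSecurityContext:
    """Stand-in for SimpleSecurityContextFactory: form login against a
    constructed username -> password table."""

    def __init__(self, passwords):
        self.passwords = passwords

    def authenticate(self, principal, request):
        username = request.get("username")
        if username is None:
            return False
        # Per the notice, the submitted id is set on the principal before the
        # credential is checked, so a failed login still leaves the id behind.
        principal.set_uid(username)
        return self.passwords.get(username) == request.get("password")


class RemoteUserSecurityContextVulnerable:
    """Pre-patch behaviour: trusts REMOTE_USER and ignores whether set_uid
    actually took effect."""

    def authenticate(self, principal, request):
        remote_user = request.get("REMOTE_USER")
        if not remote_user:
            return False
        principal.set_uid(remote_user)  # return value discarded
        return True


class RemoteUserSecurityContextPatched:
    """Post-patch behaviour per the Resolution section: authenticated only if
    the REMOTE_USER id was really applied to the principal."""

    def authenticate(self, principal, request):
        remote_user = request.get("REMOTE_USER")
        if not remote_user:
            return False
        return principal.set_uid(remote_user)


class UnionSecurityContext:
    """Stand-in for UnionSecurityContextFactory: every sub-context runs and the
    principal counts as authenticated if any of them succeeds. Sub-contexts
    run in the order given; the notice's sequence has the form-based context
    act on the principal before the REMOTE_USER one."""

    def __init__(self, *subcontexts):
        self.subcontexts = subcontexts

    def authenticate(self, principal, request):
        authenticated = False
        for ctx in self.subcontexts:
            if ctx.authenticate(principal, request):
                authenticated = True
        return authenticated


PASSWORDS = {"admin": "correct-horse", "alice": "battery-staple"}  # constructed


def build_root(patched):
    """Assemble the 'root' union from the notice's example configuration."""
    remote = (RemoteUserSecurityContextPatched() if patched
              else RemoteUserSecurityContextVulnerable())
    return UnionSecurityContext(SimpleSecurityContext(PASSWORDS), remote)


def login(root, request):
    """One login attempt; returns (authenticated, uid left on the principal)."""
    principal = Principal()
    return root.authenticate(principal, request), principal.uid


# Constructed requests. "mallory" is authenticated at the web server (REMOTE_USER
# is set) and submits the victim's account name with a wrong password.
ATTACK = {"username": "admin", "password": "wrong", "REMOTE_USER": "mallory"}
# Ordinary SSO login: nothing submitted on the form, only REMOTE_USER.
NORMAL = {"REMOTE_USER": "alice"}

if __name__ == "__main__":
    print("vulnerable, attack:", login(build_root(patched=False), ATTACK))
    print("patched, attack:   ", login(build_root(patched=True), ATTACK))
    print("patched, normal:   ", login(build_root(patched=True), NORMAL))
```

With the vulnerable context the attack request comes back authenticated with uid "admin", exactly the outcome the notice describes; with the patched context the same request is rejected, while the ordinary REMOTE_USER-only login still succeeds as "alice". The check that matters is the single line in the patched class that refuses to report success when set_uid returned False.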