Child pages
  • ESUP-2008-AVI-001 - Vulnérabilité dans uPortal

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


uPortal adopters,
As you've likely seen on the JASIG announcement email list, uPortal 3.0.1 is now released.  This release includes many improvements and Eric Dalquist and others are to be heartily congratulated.
It also includes a specific critical security fix for a vulnerability in HttpProxyServlet, which affects both uPortal 3.0.0 and uPortal 2.6.1 and earlier.
A patch is now available to fix this vulnerability in uPortal 2.6.
If you are running the HttpProxyServlet (i.e., it is declared in web.xml), it is important that you apply this patch to secure from the risk of illicit proxies and cross-site-scripting through the vulnerability.
Thanks are especially due to Dustin Schultz, Eric Dalquist, and others for their efforts in identifying and resolving this vulnerability.
A uPortal release (2.6.1 with this patch pre-applied) will be available for download shortly.
Best wishes,