uPortal v5.17.9

@bjagg bjagg released this 24 Jun 07:24
· 2 commits to master since this release
b44ad0f

Patch release on top of v5.17.8. Removes two out-of-support / vulnerability-prone transitive dependencies (log4j-core and AWS SDK v1), fixes JGroups discovery-table growth and a LESS skin path bug, and adds a Gradle release-cut script.

Security

  • Drop transitive log4j-core, bridge log4j2 to slf4j (#2999)

    grouperClient pulled org.apache.logging.log4j:log4j-core onto the runtime classpath transitively. uPortal logs through slf4j/logback, so log4j-core was unused and a standing CVE surface (the Log4Shell-family vulnerabilities all live in log4j-core). Excludes log4j-core globally and adds the log4j-to-slf4j bridge so any log4j2 API calls (e.g. from grouperClient) still route to slf4j.

  • Migrate dynamic-skin S3 storage to AWS SDK v2 (#3000)

    The dynamic-skin S3 storage backend used AWS SDK v1 (com.amazonaws:aws-java-sdk-s3), which AWS has placed out of security support. Migrates to software.amazon.awssdk:s3 2.46.7 (v2 builder API, headObject existence check, try-with-resources client) with no change to stored object layout or returned URLs.

Fixes

  • Clear JDBC_PING table on view change (#3001)

    The JGroups JDBC_PING discovery table accumulated stale rows: a node terminated abruptly (e.g. kill -9) never deregistered, so its row lingered across restarts. Sets clear_table_on_view_change="true" so the coordinator wipes the table on each view change and live members re-register.

  • Use @import (inline) for bootstrap.css in common.less (#2997)

    LESS treats @import "x.css" as a passthrough, emitting a literal CSS @import whose relative path resolves incorrectly at runtime (404). The (inline) keyword embeds the file at compile time, where the path resolves. Affects skins still on the LESS compilation path.

Tooling

  • Add release-uportal.sh (#2986)

    A Gradle release preflight + cut script at the repo root, mirroring the Maven ecosystem release process: tree/upstream sync checks, signing-key + keyserver verification, license-header scan, non-interactive version flags, and the post-release upstream tag push.

Docs

  • Trim AGENTS.md under 200 lines (#2993)

Upgrade notes

  • Drop-in for deployers on uPortal-start ≤ 5.17.8. No required action for the common case.
  • log4j2: if your deployment relied on log4j-core being on the classpath (e.g. a custom log4j2 appender config), note that log4j-core is now excluded; log4j2 API calls are routed to slf4j/logback via the bridge.
  • Dynamic-skin S3 backend (opt-in; off by default): AWS SDK v2 resolves the region strictly via the default provider chain (AWS_REGION / profile / instance metadata) and fails fast if none is set, whereas v1 sometimes defaulted to us-east-1. Deployers who enabled the S3 skin storage backend should set a region explicitly. Deployers on the default filesystem skin storage are unaffected.
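
To confirm the log4j2 change on a deployed instance, the following added example (not part of the uPortal release or its tooling) scans JAR/WAR/EAR files by content, including nested jars, for log4j-core classes and for the log4j-to-slf4j bridge. The marker paths `org/apache/logging/log4j/core/` and `org/apache/logging/slf4j/SLF4JLoggerContextFactory.class`, and all function names, are assumptions of this example.

```python
import io
import os
import sys
import zipfile

# Assumed markers: log4j-core classes sit under this package prefix, and the
# log4j-to-slf4j bridge ships SLF4JLoggerContextFactory (not taken from the page).
CORE_PREFIX = "org/apache/logging/log4j/core/"
BRIDGE_CLASS = "org/apache/logging/slf4j/SLF4JLoggerContextFactory.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")

def scan_archive(data, label, findings, depth=0):
    """Record log4j-core / bridge hits in one archive, recursing into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["unreadable"].append(label)
        return
    with zf:
        names = zf.namelist()
        if any(n.startswith(CORE_PREFIX) and n.endswith(".class") for n in names):
            findings["core"].append(label)
        if BRIDGE_CLASS in names:
            findings["bridge"].append(label)
        if depth < 3:  # e.g. WAR -> WEB-INF/lib/*.jar -> shaded jar
            for n in names:
                if n.lower().endswith(ARCHIVE_EXT):
                    scan_archive(zf.read(n), f"{label}!/{n}", findings, depth + 1)

def scan_tree(root):
    """Walk root and scan every archive by content, so renamed jars are still found."""
    findings = {"core": [], "bridge": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return findings

def verdict(findings):
    """'fail' if log4j-core classes remain, 'warn' if no bridge was seen, else 'ok'."""
    if findings["core"]:
        return "fail"
    return "ok" if findings["bridge"] else "warn"

if __name__ == "__main__":
    result = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(verdict(result), result)
```

Point it at the servlet container's webapps directory; a `fail` lists each archive path that still contains log4j-core classes.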