James Falkner
Binary patch available for Liferay Portal 6.1 GA1
July 10, 2012 8:22 AM
LIFERAY STAFF

A cumulative binary patch has been published for Liferay Portal 6.1 GA1 which fixes all of the SEV-1 vulnerabilities listed on the Known Vulnerabilities page, and links have been updated for all listed vulnerabilities.
James Falkner
RE: Binary patch available for Liferay Portal 6.1 GA1
July 10, 2012 8:22 AM
LIFERAY STAFF

Going forward, this cumulative binary patch will be updated as new vulnerabilities are discovered and fixed.
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
July 11, 2012 3:28 AM

Hi James,

it's good to see that threads like GA2 Release have such valuable outcomes.

One question:
As far as I know you're able to deploy only one ext plugin at a time. Is this cumulative patch an ext plugin or can it be deployed beside an already existing ext plugin?

Greets Oli
James Falkner
RE: Binary patch available for Liferay Portal 6.1 GA1
July 11, 2012 9:41 AM
LIFERAY STAFF

Oliver Bayer:
Hi James,

it's good to see that threads like GA2 Release have such valuable outcomes.

One question:
As far as I know you're able to deploy only one ext plugin at a time. Is this cumulative patch an ext plugin or can it be deployed beside an already existing ext plugin?

Greets Oli


Nope, the cumulative patch is not a plugin at all - it requires you to manually copy files into your Liferay installation (some go into the classpath, others are portal-ext.properties file overrides, etc). Check out the README inside of the patch for specific details on what you have to do in order to install the patch.
Michele Bendazzoli
RE: Binary patch available for Liferay Portal 6.1 GA1
July 12, 2012 1:19 AM

James Falkner:


Nope, the cumulative patch is not a plugin at all - it requires you to manually copy files into your Liferay installation (some go into the classpath, others are portal-ext.properties file overrides, etc). Check out the README inside of the patch for specific details on what you have to do in order to install the patch.


Hi James, thank you for such valuable resource!
I'm reporting some problems that occurred to me, because it may be useful for you in making this resource easier to use.
I tried to apply the patch to a test installation and I wonder if I have correctly understood the README file.
For example for the point 1:

11. Add ext-portal-service.jar to your application server's endorsed directory.

If I understand correctly, the "application server's endorsed directory" is the <application-server> directory (i.e., for the tomcat bundle, the .../liferay-portal*/tomcat* directory). If this is true, do I have to put the ext-portal-service.jar in the <application-server> directory or in the <application-server>/lib directory?
I put the file in the <application-server>/lib directory because it seems more appropriate. Now maybe this is correct or maybe it is not, and I wonder if there is a method that I can use to test if the patch is applied correctly...
More interestingly, is it feasible to have a task which can be invoked periodically to get and apply the patch automatically, so that one can be sure that he doesn't make a mistake?
I have no idea if such a task can be made, or how to make it, but maybe someone more expert than me can.
Hope my poor English is not too bad.
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
July 12, 2012 1:31 AM

Hi Michele,

afaik you can put the jar files as a rule of thumb into the same directories the original ones are in. So using your example the ext-portal-service.jar should be placed inside <tomcat-dir>/lib/ext.

I like your idea to have some sort of attribute to check if a patch is applied correctly.

@James:
If there isn't a function for this already, maybe you can override the ReleaseInfo class in a patch and output the patch version during server startup.

HTH Oli
Michele Bendazzoli
RE: Binary patch available for Liferay Portal 6.1 GA1
July 12, 2012 2:03 AM

Oliver Bayer:
Hi Michele,

afaik you can put the jar files as a rule of thumb into the same directories the original ones are in. So using your example the ext-portal-service.jar should be placed inside <tomcat-dir>/lib/ext.

I like your idea to have some sort of attribute to check if a patch is applied correctly.

@James:
If there isn't a function for this already, maybe you can override the ReleaseInfo class in a patch and output the patch version during server startup.

HTH Oli


So both of my guesses are wrong

Thank you for the advice Oli
Samuel Kong
RE: Binary patch available for Liferay Portal 6.1 GA1
July 13, 2012 10:47 AM
LIFERAY STAFF

Oliver Bayer:
I was just curious because the naming of the jars seems to be (at least in a way) similar to an ext plugin. So the loading order is: original files -> patch files -> ext plugin files, right?


The load order is undefined and will depend on your specific app server and the name of your ext plugin. If your ext plugin modifies the same class as the security patch, then you'll need to manually patch your system.

Michele Bendazzoli:
Now maybe this is correct or maybe it is not and I wonder if there is a method that I can use to test if the patch is applied correctly


Thanks for the suggestion. There's currently no simple way to check, but we do want to simplify the patching process in the future.
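
A file-level check an operator can run in the meantime, as an added example (not Liferay tooling and not code from this thread): it compares each file from the unpacked patch with its installed copy by SHA-256 and reports same-named copies left in other directories. The destination mapping is an assumption to be filled in from the patch README; the paths and file contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def check_patch(patch_dir, install_dir, placement):
    """placement: patch file name -> directory (relative to install_dir)
    where the README says it belongs. Returns {name: (status, strays)};
    strays are same-named files found elsewhere under install_dir."""
    patch_dir, install_dir = Path(patch_dir), Path(install_dir)
    report = {}
    for name, dest in placement.items():
        target = install_dir / dest / name
        if not target.is_file():
            status = "missing"
        elif sha256(target) == sha256(patch_dir / name):
            status = "ok"
        else:
            status = "differs"
        strays = sorted(p.relative_to(install_dir).as_posix()
                        for p in install_dir.rglob(name)
                        if p.is_file() and p != target)
        report[name] = (status, strays)
    return report


def demo():
    # Constructed layout: one jar dropped into lib/ instead of lib/ext/,
    # one jar in the right directory but not the patched build.
    with tempfile.TemporaryDirectory() as tmp:
        patch, install = Path(tmp, "patch"), Path(tmp, "tomcat")
        webinf = install / "webapps/ROOT/WEB-INF/lib"  # assumed Tomcat layout
        for d in (patch, install / "lib", webinf):
            d.mkdir(parents=True)
        (patch / "ext-portal-service.jar").write_bytes(b"patched service")
        (patch / "ext-impl.jar").write_bytes(b"patched impl")
        (install / "lib/ext-portal-service.jar").write_bytes(b"patched service")
        (webinf / "ext-impl.jar").write_bytes(b"unpatched impl")
        return check_patch(patch, install, {
            "ext-portal-service.jar": "lib/ext",
            "ext-impl.jar": "webapps/ROOT/WEB-INF/lib"})


if __name__ == "__main__":
    print(demo())
```

A matching hash only shows that the file was copied to the expected place; it does not show which copy of a class the application server actually loads.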
Jérôme Delzor
RE: Binary patch available for Liferay Portal 6.1 GA1
July 19, 2012 12:44 AM

Hi James and other Liferay masters,

I'm barely new to Liferay and definitely not a dev guy, so forgive me if my questions are nonsense.
I'd like to understand how corrective binaries interact with Liferay core files and ext files created by my company. My goal is to produce an almost-automated bash script in order to deploy this patch and the next to come. But if patches destroy our specific dev I have to find another process.

Also, my colleagues produce some modifications (behaviour changes or bug backports) directly into Liferay core files, is this the right way to proceed? Must they do like you and create an ext-<core_file_to_change>.jar file?

Jérôme
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
July 19, 2012 7:03 AM

Also, my colleagues produce some modifications (behaviour changes or bug backports) directly into Liferay core files, is this the right way to proceed? Must they do like you and create an ext-<core_file_to_change>.jar file?


It's recommended to create an ext plugin instead of directly modifying Liferay source unless you're willing to create your own patch.

A binary security patch may overwrite your modifications or may not work correctly with your modifications. It's recommended to test the patch before applying it to a production server.
If your colleagues know how to build Liferay from source, it may be more advantageous to use source code diff files so you'll be able to know which files are going to be changed.
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
July 12, 2012 1:21 AM

Hi,

thanks for the info. I was just curious because the naming of the jars seems to be (at least in a way) similar to an ext plugin. So the loading order is: original files -> patch files -> ext plugin files, right?

If the patch (or an upcoming one) modifies a class or jsp file I have overridden in an ext plugin, I have to get the source patch and merge the changes in the ext plugin. Is this approach correct? If so, wouldn't it be more comfortable to include the source files in the binary patch zip file too, so that you only have to download one file instead of having to use patch/git tools to get the source files?

Oli
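
The case raised in this thread, an ext plugin that overrides a class or JSP the security patch also ships, can be spotted before installing by comparing jar contents. This is an added example, not Liferay tooling or code from the thread; the class names are constructed, and pulling the jars out of your own ext plugin is left to you.

```python
import hashlib
import io
import zipfile


def class_digests(jar):
    """Map each non-META-INF entry of a jar (path or file object) to its SHA-256."""
    with zipfile.ZipFile(jar) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist()
                if not i.is_dir() and not i.filename.startswith("META-INF/")}


def overlap(patch_jars, ext_jars):
    """Entries shipped by both sides. 'conflict': contents differ, so the
    fix must be merged into the ext plugin by hand. 'identical': the ext
    plugin already carries the patched bytes."""
    patch, ext = {}, {}
    for jar in patch_jars:
        patch.update(class_digests(jar))
    for jar in ext_jars:
        ext.update(class_digests(jar))
    return {name: "identical" if patch[name] == ext[name] else "conflict"
            for name in sorted(patch.keys() & ext.keys())}


def make_jar(files):
    # Helper for the constructed sample: builds a jar in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf


def demo():
    # Constructed class names; these are not real Liferay classes.
    patch = make_jar({"META-INF/MANIFEST.MF": b"patch",
                      "com/example/LoginFilter.class": b"fixed",
                      "com/example/Upload.class": b"fixed"})
    ext = make_jar({"META-INF/MANIFEST.MF": b"ext",
                    "com/example/LoginFilter.class": b"customised",
                    "com/example/Upload.class": b"fixed",
                    "com/example/Theme.class": b"own code"})
    return overlap([patch], [ext])


if __name__ == "__main__":
    print(demo())
```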
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
July 11, 2012 3:28 PM

Thank you very much!
Ákos Gábriel
RE: Binary patch available for Liferay Portal 6.1 GA1
July 17, 2012 3:30 PM

Could you please point me to the download link? Thanks!
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
July 17, 2012 4:06 PM

Downloads: http://www.liferay.com/community/security-team/known-vulnerabilities

Information: http://www.liferay.com/community/security-team/cst-process
Ákos Gábriel
RE: Binary patch available for Liferay Portal 6.1 GA1
July 17, 2012 4:17 PM

Hitoshi Ozawa:
Downloads: http://www.liferay.com/community/security-team/known-vulnerabilities

Information: http://www.liferay.com/community/security-team/cst-process


Thanks for the links. I found these too; these are sources.
Given the subject, I was expecting a binary package to be available.
Drew Blessing
RE: Binary patch available for Liferay Portal 6.1 GA1
July 17, 2012 5:24 PM

Ákos Gábriel:
Given the subject, I was expecting a binary package to be available.


Binaries can be found here: https://github.com/community-security-team/liferay-portal/downloads

I don't think it's quite clear where to download the binaries but they are there.
Denis Signoretto
RE: Binary patch available for Liferay Portal 6.1 GA1
May 10, 2013 3:18 AM

Hi James,

I have downloaded the latest binary cumulative patch (6.1.1-ce-ga2-security-2.0.zip).

Is the procedure described in README.txt for all application servers?
Does it also apply to WebSphere? (It seems that copying ext-impl.jar into the Liferay WEB-INF\lib folder does not overwrite the original classes.)

Thanks,
Denis.
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
March 14, 2013 6:57 AM

Liferay's binary patch should only modify Liferay's files and should be application server independent.