James Falkner
Binary patch available for Liferay Portal 6.1 GA1
10 July 2012 08:22
LIFERAY STAFF

A cumulative binary patch has been published for Liferay Portal 6.1 GA1 which fixes all of the SEV-1 vulnerabilities listed on the Known Vulnerabilities page, and links have been updated for all listed vulnerabilities.
James Falkner
RE: Binary patch available for Liferay Portal 6.1 GA1
10 July 2012 08:22
LIFERAY STAFF

Going forward, this cumulative binary patch will be updated as new vulnerabilities are discovered and fixed.
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
11 July 2012 03:28

Hi James,

it's good to see that threads like GA2 Release have such valuable outcomes.

One question:
As far as I know you're able to deploy only one ext plugin at a time. Is this cumulative patch an ext plugin or can it be deployed beside an already existing ext plugin?

Greets Oli
James Falkner
RE: Binary patch available for Liferay Portal 6.1 GA1
11 July 2012 09:41
LIFERAY STAFF

Oliver Bayer:
Hi James,

it's good to see that threads like GA2 Release have such valuable outcomes.

One question:
As far as I know you're able to deploy only one ext plugin at a time. Is this cumulative patch an ext plugin or can it be deployed beside an already existing ext plugin?

Greets Oli


Nope, the cumulative patch is not a plugin at all - it requires you to manually copy files into your Liferay installation (some go into the classpath, others are portal-ext.properties file overrides, etc). Check out the README inside of the patch for specific details on what you have to do in order to install the patch.
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
11 July 2012 15:28

Thank you very much!
Michele Bendazzoli
RE: Binary patch available for Liferay Portal 6.1 GA1
12 July 2012 01:19

James Falkner:


Nope, the cumulative patch is not a plugin at all - it requires you to manually copy files into your Liferay installation (some go into the classpath, others are portal-ext.properties file overrides, etc). Check out the README inside of the patch for specific details on what you have to do in order to install the patch.


Hi James, thank you for such a valuable resource!
I am reporting some problems that occurred to me, because it may be useful for you in making this resource easier to use.
I tried to apply the patch to a test installation and I wonder if I have correctly understood the README file.
For example, for point 1:

1. Add ext-portal-service.jar to your application server's endorsed directory.

If I understand correctly, the "application server's endorsed directory" is the <application-server> directory (i.e., for the tomcat bundle, the .../liferay-portal*/tomcat* directory). If this is true, do I have to put the ext-portal-service.jar in the <application-server> directory or in the <application-server>/lib directory?
I put the file in the <application-server>/lib directory because it seems more appropriate. Now maybe this is correct or maybe it is not, and I wonder if there is a method that I can use to test if the patch is applied correctly...
More interesting: is it feasible to have a task which can be invoked periodically to get and apply the patch automatically, so that one can be sure of not making mistakes?
I have no idea if such a task can be made, or how to make it, but maybe someone more expert than me can.
I hope my poor English is not too bad.
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
12 July 2012 01:21

Hi,

thanks for the info. I was just curious because the naming of the jars seems to be (at least in a way) similar to an ext plugin. So the loading order is: original files -> patch files -> ext plugin files, right?

If the patch (or an upcoming one) modifies a class or jsp file I have overridden in an ext plugin, I have to get the source patch and merge the changes in the ext plugin. Is this approach correct? If so, wouldn't it be more comfortable to include the source files in the binary patch zip file too, so that you only have to download one file instead of having to use patch/git tools to get the source files?

Oli
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
12 July 2012 01:31

Hi Michele,

afaik you can put the jar files as a rule of thumb into the same directories the original ones are in. So using your example the ext-portal-service.jar should be placed inside <tomcat-dir>/lib/ext.

I like your idea to have some sort of attribute to check if a patch is applied correctly.

@James:
If there isn't a function for this already maybe you can override the ReleaseInfo class in a patch and output the patch version during server startup.

HTH Oli
Michele Bendazzoli
RE: Binary patch available for Liferay Portal 6.1 GA1
12 July 2012 02:03

Oliver Bayer:
Hi Michele,

afaik you can put the jar files as a rule of thumb into the same directories the original ones are in. So using your example the ext-portal-service.jar should be placed inside <tomcat-dir>/lib/ext.

I like your idea to have some sort of attribute to check if a patch is applied correctly.

@James:
If there isn't a function for this already maybe you can override the ReleaseInfo class in a patch and output the patch version during server startup.

HTH Oli


So both of my guesses are wrong

Thank you for the advice Oli
Samuel Kong
RE: Binary patch available for Liferay Portal 6.1 GA1
13 July 2012 10:47
LIFERAY STAFF

Oliver Bayer:
I was just curious because the naming of the jars seems to be (at least in a way) similar to an ext plugin. So the loading order is: original files -> patch files -> ext plugin files, right?


The load order is undefined and will depend on your specific app server and the name of your ext plugin. If your ext plugin modifies the same class as the security patch, then you'll need to manually patch your system.

Michele Bendazzoli:
Now maybe this is correct or maybe it is not and I wonder if there is a method that I can use to test if the patch is applied correctly


Thanks for the suggestion. There's currently no simple way to check, but we do want to simplify the patching process in the future.
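
The situation described in the reply above, where an ext plugin ships the same class as the security patch and a manual merge is needed, can be detected before deployment by comparing jar contents. The following is an added example, not part of the thread or of Liferay's tooling; the class names and the ext plugin jar name are invented sample data, and only ext-impl.jar is a name taken from this thread.

```python
import io
import zipfile


def class_entries(jar_bytes):
    """Return {entry name: CRC-32} for every .class entry in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {info.filename: info.CRC for info in jar.infolist()
                if info.filename.endswith(".class")}


def find_conflicts(patch_jars, ext_jars):
    """List classes shipped by both a patch jar and an ext plugin jar.

    Each argument maps a jar name to its raw bytes. Every result row is
    (class entry, patch jar, ext jar, identical), where identical is True
    when both jars carry the same bytes (by CRC-32) for that class.
    """
    conflicts = []
    for pname, pbytes in sorted(patch_jars.items()):
        pclasses = class_entries(pbytes)
        for ename, ebytes in sorted(ext_jars.items()):
            eclasses = class_entries(ebytes)
            for cls in sorted(pclasses.keys() & eclasses.keys()):
                same = pclasses[cls] == eclasses[cls]
                conflicts.append((cls, pname, ename, same))
    return conflicts


def make_jar(files):
    """Build a jar in memory from {entry name: bytes} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample input: class names and the ext plugin jar name are invented.
SAMPLE_PATCH = {"ext-impl.jar": make_jar({
    "com/example/portal/LoginFilter.class": b"patched-bytes",
    "com/example/portal/UploadServlet.class": b"patched-upload",
})}
SAMPLE_EXT = {"my-company-ext-impl.jar": make_jar({
    "com/example/portal/LoginFilter.class": b"company-override",
    "com/example/portal/CustomTheme.class": b"company-only",
})}

if __name__ == "__main__":
    for cls, pjar, ejar, same in find_conflicts(SAMPLE_PATCH, SAMPLE_EXT):
        status = "identical" if same else "DIFFERENT: merge manually"
        print(f"{cls}: {pjar} vs {ejar} -> {status}")
```

For real files, pass `{path.name: path.read_bytes()}` built from the jars in the unpacked patch and in the ext plugin; any row marked DIFFERENT is a class whose effective version depends on the undefined load order.
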
Ákos Gábriel
RE: Binary patch available for Liferay Portal 6.1 GA1
17 July 2012 15:30

Could you please point me to the download link? Thanks!
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
17 July 2012 16:06

Downloads: http://www.liferay.com/community/security-team/known-vulnerabilities

Information: http://www.liferay.com/community/security-team/cst-process
Ákos Gábriel
RE: Binary patch available for Liferay Portal 6.1 GA1
17 July 2012 16:17

Hitoshi Ozawa:
Downloads: http://www.liferay.com/community/security-team/known-vulnerabilities

Information: http://www.liferay.com/community/security-team/cst-process


Thanks for the links, I found these too, these are sources.
Given the subject I was expecting a binary package being available.
Drew Blessing
RE: Binary patch available for Liferay Portal 6.1 GA1
17 July 2012 17:24

Ákos Gábriel:
Given the subject I was expecting a binary package being available.


Binaries can be found here: https://github.com/community-security-team/liferay-portal/downloads

I don't think it's quite clear where to download the binaries but they are there.
Jérôme Delzor
RE: Binary patch available for Liferay Portal 6.1 GA1
19 July 2012 00:44

Hi James and other Liferay masters,

I'm barely new to Liferay and definitely not a dev guy, so forgive me if my questions are nonsense.
I'd like to understand how corrective binaries interact with Liferay core files and ext files created by my company. My goal is to produce an almost-automated bash script in order to deploy this patch and the next to come. But if patches destroy our specific dev I have to find another process.

Also, my colleagues produce some modification (behaviour changes or bug backports) directly into Liferay core files, is this the right way to process? Must they do like you and create an ext-<core_file_to_change>.jar file?

Jérôme
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
19 July 2012 07:03

Also, my colleagues produce some modification (behaviour changes or bug backports) directly into Liferay core files, is this the right way to process? Must they do like you and create an ext-<core_file_to_change>.jar file?


It's recommended to create an ext plugin instead of directly modifying Liferay source unless you're willing to create your own patch.

The binary security patch may overwrite your modifications or may not work correctly with your modifications. It's recommended to test the patch before applying it to a production server.
If your colleagues know how to build Liferay from source, it may be more advantageous to use source code diff files so you'll be able to know which files are going to be changed.
Denis Signoretto
RE: Binary patch available for Liferay Portal 6.1 GA1
10 May 2013 03:18

Hi James,

I have downloaded the latest binary cumulative patch (6.1.1-ce-ga2-security-2.0.zip).

Is the procedure described in README.txt for all application servers?
Does it also apply to WebSphere? (It seems that copying ext-impl.jar in the liferay WEB-INF\lib folder does not overwrite the original classes)

Thanks,
Denis.
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
14 March 2013 06:57

Liferay's binary patch should only modify liferay's files and should be application server independent.