James Falkner
Security Advisory: Multiple Advisories for Liferay Portal 6.1 CE GA2
2 April 2013 12:57
LIFERAY STAFF

The following security advisories have been announced for Liferay Portal 6.1 CE GA2 (6.1.1):
  • CST-SA: LPS-33764 Various XSS Issues in Liferay 6.1.1
  • CST-SA: LPS-31750 Non-secure cookie LFR_SESSION_STATE_XXXXXX is created when connected over HTTPS
  • CST-SA: LPS-31090 DLFileVersionServiceImpl.getLatestFileVersion(long) doesn't have permission check
  • CST-SA: LPS-31063 XSS vulnerability with swfuploader
  • CST-SA: LPS-30940 cdn_host parameter allows JS injection (XSS)
  • CST-SA: LPS-29872 Organization admin of sub organization can export users of parent organization
  • CST-SA: LPS-29341 Posting messages in foreign Message Boards
  • CST-SA: LPS-29268 Simple DOS attack on PortletPreferences
As always, a source patch for each vulnerability is now available through the Known Vulnerabilities page. In addition, a cumulative source and binary patch are available. Please see the Security Patch Information page for details on how to apply these patches.

Liferay Portal CE users are strongly advised to keep abreast of all new security advisories and apply associated fixes to your Liferay deployments.
Denis Signoretto
RE: Security Advisory: Multiple Advisories for Liferay Portal 6.1 CE GA2
3 April 2013 06:20

Hi James,

thanks for your advisory.
Do you know if Liferay 6.1 GA3 will include these patches and when it will be released?

Thanks,
Denis.
James Falkner
RE: Security Advisory: Multiple Advisories for Liferay Portal 6.1 CE GA2
3 April 2013 06:51

Denis Signoretto:
Hi James,

thanks for your advisory.
Do you know if Liferay 6.1 GA3 will include these patches and when it will be released?

Thanks,
Denis.


Yep, it will! The GA3 build is to incorporate all security fixes from the CST, and fix the PACL/Marketplace issues. I do not know when it will be released. We were originally targeting Q1 2013 but missed it. I can tell you the work is complete on the master (6.2) and is in the process of being backported to 6.1.