James Falkner
Binary patch available for Liferay Portal 6.1 GA1
July 10, 2012 8:22
LIFERAY STAFF
Ranking: Liferay Legend
Posts: 1197
Join date: September 17, 2010

A cumulative binary patch has been published for Liferay Portal 6.1 GA1 which fixes all of the SEV-1 vulnerabilities listed on the Known Vulnerabilities page, and links have been updated for all listed vulnerabilities.
James Falkner
RE: Binary patch available for Liferay Portal 6.1 GA1
July 10, 2012 8:22
LIFERAY STAFF
Ranking: Liferay Legend
Posts: 1197
Join date: September 17, 2010

Going forward, this cumulative binary patch will be updated as new vulnerabilities are discovered and fixed.
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
July 11, 2012 3:28
Ranking: Liferay Master
Posts: 829
Join date: February 18, 2009

Hi James,

it's good to see that threads like GA2 Release have such valuable outcomes.

One question:
As far as I know you're able to deploy only one ext plugin at a time. Is this cumulative patch an ext plugin or can it be deployed beside an already existing ext plugin?

Greets Oli
James Falkner
RE: Binary patch available for Liferay Portal 6.1 GA1
July 11, 2012 9:41
LIFERAY STAFF
Ranking: Liferay Legend
Posts: 1197
Join date: September 17, 2010

Oliver Bayer:
Hi James,

it's good to see that threads like GA2 Release have such valuable outcomes.

One question:
As far as I know you're able to deploy only one ext plugin at a time. Is this cumulative patch an ext plugin or can it be deployed beside an already existing ext plugin?

Greets Oli


Nope, the cumulative patch is not a plugin at all - it requires you to manually copy files into your Liferay installation (some go into the classpath, others are portal-ext.properties file overrides, etc). Check out the README inside of the patch for specific details on what you have to do in order to install the patch.
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
July 11, 2012 15:28
Ranking: Liferay Legend
Posts: 7990
Join date: March 23, 2010

Thank you very much!
Michele Bendazzoli
RE: Binary patch available for Liferay Portal 6.1 GA1
July 12, 2012 1:19
Ranking: New Member
Posts: 7
Join date: July 24, 2010

James Falkner:


Nope, the cumulative patch is not a plugin at all - it requires you to manually copy files into your Liferay installation (some go into the classpath, others are portal-ext.properties file overrides, etc). Check out the README inside of the patch for specific details on what you have to do in order to install the patch.


Hi James, thank you for such a valuable resource!
I am reporting some of the problems that occurred to me, because maybe it is useful for you to make the use of this resource easier.
I tried to apply the patch to a test installation and I wonder if I have correctly understood the README file.
For example for the point 1:

11. Add ext-portal-service.jar to your application server's endorsed directory.

If I understand correctly the "application server's endorsed directory" is the <application-server> directory (i.e., for the tomcat bundle, the .../liferay-portal*/tomcat* directory). If this is true, do I have to put the ext-portal-service.jar in the <application-server> directory or in the <application-server>/lib directory?
I put the file in the <application-server>/lib directory because it seems more appropriate. Now maybe this is correct or maybe it is not and I wonder if there is a method that I can use to test if the patch is applied correctly...
More interestingly, is it possible to make a task which can be invoked periodically to get and apply the patch automatically, so that one can be sure that he doesn't make a mistake?
I have no idea if such a task can be made, or how to make it, but maybe someone more expert than me can.
Hope my poor English is not too bad.
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
July 12, 2012 1:21
Ranking: Liferay Master
Posts: 829
Join date: February 18, 2009

Hi,

thanks for the info. I was just curious because the naming of the jars seems to be (at least in a way) similar to an ext plugin. So the loading order is: original files -> patch files -> ext plugin files, right?

If the patch (or an upcoming one) modifies a class or jsp file I have overridden in an ext plugin I have to get the source patch and merge the changes in the ext plugin. Is this approach correct? If so, wouldn't it be more comfortable to include the source files in the binary patch zip file too so that you only have to download one file instead of having to use patch/git tools to get the source files?

Oli
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
July 12, 2012 1:31
Ranking: Liferay Master
Posts: 829
Join date: February 18, 2009

Hi Michele,

afaik you can put the jar files as a rule of thumb into the same directories the original ones are in. So using your example the ext-portal-service.jar should be placed inside <tomcat-dir>/lib/ext.

I like your idea to have some sort of attribute to check if a patch is applied correctly.

@James:
If there isn't a function for this already maybe you can override the ReleaseInfo class in a patch and output the patch version during server startup.

HTH Oli
Michele Bendazzoli
RE: Binary patch available for Liferay Portal 6.1 GA1
July 12, 2012 2:03
Ranking: New Member
Posts: 7
Join date: July 24, 2010

Oliver Bayer:
Hi Michele,

afaik you can put the jar files as a rule of thumb into the same directories the original ones are in. So using your example the ext-portal-service.jar should be placed inside <tomcat-dir>/lib/ext.

I like your idea to have some sort of attribute to check if a patch is applied correctly.

@James:
If there isn't a function for this already maybe you can override the ReleaseInfo class in a patch and output the patch version during server startup.

HTH Oli


So both of my guesses are wrong

Thank you for the advice Oli
Samuel Kong
RE: Binary patch available for Liferay Portal 6.1 GA1
July 13, 2012 10:47
LIFERAY STAFF
Ranking: Liferay Master
Posts: 917
Join date: March 10, 2008

Oliver Bayer:
I was just curious because the naming of the jars seems to be (at least in a way) similar to an ext plugin. So the loading order is: original files -> patch files -> ext plugin files, right?


The load order is undefined and will depend on your specific app server and the name of your ext plugin. If your ext plugin modifies the same class as the security patch, then you'll need to manually patch your system.

Michele Bendazzoli:
Now maybe this is correct or maybe it is not and I wonder if there is a method that I can use to test if the patch is applied correctly


Thanks for the suggestion. There's currently no simple way to check, but we do want to simplify the patching process in the future.
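
The two gaps raised in the reply above (a patch and an ext plugin changing the same class, and no simple way to confirm the patch is in place) can be checked from the jar files themselves. The Python code below is an added example, not part of the thread or of Liferay's tooling; the `my-ext-impl.jar` name, the `com/example` class names and the `install_map` of target directories (which would be filled in from the patch README) are assumptions.

```python
import hashlib
import io
import zipfile
from pathlib import Path

def class_entries(jar):
    """Map every .class entry of a jar (path or file object) to its SHA-256."""
    with zipfile.ZipFile(jar) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest()
                for n in zf.namelist() if n.endswith(".class")}

def patch_conflicts(patch_jars, ext_jars):
    """(class, patch jar, ext jar) for classes both ship with different bytes."""
    # Load order is undefined for these, so each one needs a manual merge.
    ext = {name: class_entries(jar) for name, jar in ext_jars.items()}
    return sorted((cls, pname, ename)
                  for pname, pjar in patch_jars.items()
                  for cls, digest in class_entries(pjar).items()
                  for ename, classes in ext.items()
                  if classes.get(cls, digest) != digest)

def verify_installed(patch_dir, install_map):
    """install_map is {jar name: target dir}; returns ok/missing/differs per jar."""
    def sha(path):
        return hashlib.sha256(path.read_bytes()).hexdigest()
    status = {}
    for name, target in install_map.items():
        dst = Path(target) / name
        if not dst.is_file():
            status[name] = "missing"
        else:
            same = sha(dst) == sha(Path(patch_dir) / name)
            status[name] = "ok" if same else "differs"
    return status

def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf

if __name__ == "__main__":
    # Constructed class names and contents; not the real patch contents.
    patch = {"ext-impl.jar": make_jar({"com/example/A.class": b"patched"})}
    local = {"my-ext-impl.jar": make_jar({"com/example/A.class": b"custom"})}
    for cls, pjar, ejar in patch_conflicts(patch, local):
        print(f"merge needed: {cls} is in both {pjar} and {ejar}")
```

A result of `ok` only shows that the file on disk is byte-identical to the one in the patch archive; it does not show which copy of a class the application server actually loads.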
Ákos Gábriel
RE: Binary patch available for Liferay Portal 6.1 GA1
July 17, 2012 15:30
Ranking: Junior Member
Posts: 33
Join date: October 5, 2009

Could you please point me to the download link? Thanks!
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
July 17, 2012 16:06
Ranking: Liferay Legend
Posts: 7990
Join date: March 23, 2010

Downloads: http://www.liferay.com/community/security-team/known-vulnerabilities

Information: http://www.liferay.com/community/security-team/cst-process
Ákos Gábriel
RE: Binary patch available for Liferay Portal 6.1 GA1
July 17, 2012 16:17
Ranking: Junior Member
Posts: 33
Join date: October 5, 2009

Hitoshi Ozawa:
Downloads: http://www.liferay.com/community/security-team/known-vulnerabilities

Information: http://www.liferay.com/community/security-team/cst-process


Thanks for the links, I found these too, these are sources.
Given the subject I was expecting a binary package being available.
Drew Blessing
RE: Binary patch available for Liferay Portal 6.1 GA1
July 17, 2012 17:24
Ranking: Junior Member
Posts: 79
Join date: January 27, 2011

Ákos Gábriel:
Given the subject I was expecting a binary package being available.


Binaries can be found here: https://github.com/community-security-team/liferay-portal/downloads

I don't think it's quite clear where to download the binaries but they are there.
Jérôme Delzor
RE: Binary patch available for Liferay Portal 6.1 GA1
July 19, 2012 0:44
Ranking: New Member
Posts: 1
Join date: July 19, 2012

Hi James and other Liferay masters,

I'm barely new to Liferay and definitively not a dev guy, so forgive me if my questions are nonsense.
I'd like to understand how corrective binaries interact with Liferay core files and ext files created by my company. My goal is to produce an almost-automated bash script in order to deploy this patch and the next to come. But if patches destroy our specific dev I have to find another process.

Also, my colleagues produce some modification (behaviour changes or bug backports) directly into Liferay core files, is this the right way to process? Must they do like you and create an ext-<core_file_to_change>.jar file?

Jérôme
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
July 19, 2012 7:03
Ranking: Liferay Legend
Posts: 7990
Join date: March 23, 2010

Also, my colleagues produce some modification (behaviour changes or bug backports) directly into Liferay core files, is this the right way to process? Must they do like you and create an ext-<core_file_to_change>.jar file?


It's recommended to create an ext plugin instead of directly modifying liferay source unless you're willing to create your own patch.

Binary security patch may overwrite your modifications or may not work correctly with your modifications. It's recommended to test the patch before applying it to a production server.
If your colleagues know how to build liferay from source, it may be more advantageous to use source code diff files so you'll be able to know which files are going to be changed.
Denis Signoretto
RE: Binary patch available for Liferay Portal 6.1 GA1
May 10, 2013 3:18
Ranking: Regular Member
Posts: 201
Join date: April 21, 2009

Hi James,

I have downloaded the latest binary cumulative patch (6.1.1-ce-ga2-security-2.0.zip).

Is the procedure described in README.txt for all application servers?
Does it also apply to WebSphere? (It seems that copying ext-impl.jar into the liferay WEB-INF\lib folder does not overwrite the original classes)

Thanks,
Denis.
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
March 14, 2013 6:57
Ranking: Liferay Legend
Posts: 7990
Join date: March 23, 2010

Liferay's binary patch should only modify liferay's files and should be application server independent.