James Falkner
Binary patch available for Liferay Portal 6.1 GA1
2012/07/10 8:22
LIFERAY STAFF, Rank: Liferay Legend, Posts: 1216, Joined: 2010/09/17

A cumulative binary patch has been published for Liferay Portal 6.1 GA1 which fixes all of the SEV-1 vulnerabilities listed on the Known Vulnerabilities page, and links have been updated for all listed vulnerabilities.
James Falkner
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/10 8:22
LIFERAY STAFF, Rank: Liferay Legend, Posts: 1216, Joined: 2010/09/17

Going forward, this cumulative binary patch will be updated as new vulnerabilities are discovered and fixed.
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/11 3:28
Rank: Liferay Master, Posts: 875, Joined: 2009/02/18

Hi James,

it's good to see that threads like GA2 Release have such valuable outcomes.

One question:
As far as I know you're able to deploy only one ext plugin at a time. Is this cumulative patch an ext plugin or can it be deployed beside an already existing ext plugin?

Greets Oli
James Falkner
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/11 9:41
LIFERAY STAFF, Rank: Liferay Legend, Posts: 1216, Joined: 2010/09/17

Oliver Bayer:
Hi James,

it's good to see that threads like GA2 Release have such valuable outcomes.

One question:
As far as I know you're able to deploy only one ext plugin at a time. Is this cumulative patch an ext plugin or can it be deployed beside an already existing ext plugin?

Greets Oli


Nope, the cumulative patch is not a plugin at all - it requires you to manually copy files into your Liferay installation (some go into the classpath, others are portal-ext.properties file overrides, etc). Check out the README inside of the patch for specific details on what you have to do in order to install the patch.
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/11 15:28
Rank: Liferay Legend, Posts: 7990, Joined: 2010/03/23

Thank you very much!
Michele Bendazzoli
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/12 1:19
Rank: New Member, Posts: 7, Joined: 2010/07/24

James Falkner:


Nope, the cumulative patch is not a plugin at all - it requires you to manually copy files into your Liferay installation (some go into the classpath, others are portal-ext.properties file overrides, etc). Check out the README inside of the patch for specific details on what you have to do in order to install the patch.


Hi James, thank you for such a valuable resource!
I report some of the problems that occurred to me, because it may be useful for you to make the use of this resource easier.
I tried to apply the patch to a test installation and I wonder if I have correctly understood the README file.
For example for the point 1:

11. Add ext-portal-service.jar to your application server's endorsed directory.

If I understand correctly, the "application server's endorsed directory" is the <application-server> directory (i.e., for the tomcat bundle, the .../liferay-portal*/tomcat* directory). If this is true, do I have to put the ext-portal-service.jar in the <application-server> directory or in the <application-server>/lib directory?
I put the file in the <application-server>/lib directory because it seems more appropriate. Now maybe this is correct or maybe it is not, and I wonder if there is a method that I can use to test if the patch is applied correctly...
More interestingly, is it feasible to have a task which can be invoked periodically to get and apply the patch automatically, so that one can be sure that he doesn't make a mistake?
I have no idea if such a task can be made, or how to make it, but maybe someone more expert than me can.
Hope my poor English is not too bad.
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/12 1:21
Rank: Liferay Master, Posts: 875, Joined: 2009/02/18

Hi,

thanks for the info. I was just curious because the naming of the jars seems to be (at least in a way) similar to an ext plugin. So the loading order is: original files -> patch files -> ext plugin files, right?

If the patch (or an upcoming one) modifies a class or jsp file I have overridden in an ext plugin I have to get the source patch and merge the changes in the ext plugin. Is this approach correct? If so, wouldn't it be more comfortable to include the source files in the binary patch zip file too so that you only have to download one file instead of having to use patch/git tools to get the source files?

Oli
Oliver Bayer
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/12 1:31
Rank: Liferay Master, Posts: 875, Joined: 2009/02/18

Hi Michele,

afaik you can put the jar files as a rule of thumb into the same directories the original ones are in. So using your example the ext-portal-service.jar should be placed inside <tomcat-dir>/lib/ext.

I like your idea to have some sort of attribute to check if a patch is applied correctly.

@James:
If there isn't a function for this already maybe you can override the ReleaseInfo class in a patch and output the patch version during server startup.

HTH Oli
Michele Bendazzoli
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/12 2:03
Rank: New Member, Posts: 7, Joined: 2010/07/24

Oliver Bayer:
Hi Michele,

afaik you can put the jar files as a rule of thumb into the same directories the original ones are in. So using your example the ext-portal-service.jar should be placed inside <tomcat-dir>/lib/ext.

I like your idea to have some sort of attribute to check if a patch is applied correctly.

@James:
If there isn't a function for this already maybe you can override the ReleaseInfo class in a patch and output the patch version during server startup.

HTH Oli


So both of my guesses are wrong

Thank you for the advice Oli
Samuel Kong
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/13 10:47
LIFERAY STAFF, Rank: Liferay Master, Posts: 959, Joined: 2008/03/10

Oliver Bayer:
I was just curious because the naming of the jars seems to be (at least in a way) similar to an ext plugin. So the loading order is: original files -> patch files -> ext plugin files, right?


The load order is undefined and will depend on your specific app server and the name of your ext plugin. If your ext plugin modifies the same class as the security patch, then you'll need to manually patch your system.

Michele Bendazzoli:
Now maybe this is correct or maybe it is not and I wonder if there is a method that I can use to test if the patch is applied correctly


Thanks for the suggestion. There's currently no simple way to check, but we do want to simplify the patching process in the future.
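
The two checks raised in this exchange, as an added example that is not Liferay's tooling or part of the original posts: it lists entries that both the patch jar and an ext plugin jar ship with different content (the case that needs a manual merge) and confirms that a deployed jar matches the patch jar byte for byte. The jar contents and class names are constructed and hypothetical.

```python
import hashlib
import io
import zipfile


def jar_entries(jar):
    """Map each file entry of a jar (path or file object) to its SHA-256."""
    with zipfile.ZipFile(jar) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir() and not info.filename.startswith("META-INF/")
        }


def overlapping_entries(patch_jar, ext_jar):
    """Entries both jars ship with different content: merge these by hand,
    because the load order between patch and ext plugin is undefined."""
    patch, ext = jar_entries(patch_jar), jar_entries(ext_jar)
    return sorted(n for n in patch.keys() & ext.keys() if patch[n] != ext[n])


def patch_installed(patch_jar, deployed_jar):
    """True when the deployed jar holds every patch entry byte for byte."""
    deployed = jar_entries(deployed_jar)
    return all(deployed.get(n) == h for n, h in jar_entries(patch_jar).items())


def build_jar(files):
    """Build an in-memory jar from {entry name: bytes} for the sample run."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf


# Constructed sample jars; class names and contents are hypothetical.
PATCH = build_jar({
    "com/example/portal/LoginUtil.class": b"patched-login",
    "com/example/portal/UploadFilter.class": b"patched-upload",
})
EXT = build_jar({
    "com/example/portal/LoginUtil.class": b"custom-login",
    "com/example/custom/Theme.class": b"custom-theme",
})

if __name__ == "__main__":
    print("merge by hand:", overlapping_entries(PATCH, EXT))
    print("patch jar deployed intact:", patch_installed(PATCH, PATCH))
    print("ext jar in its place:", patch_installed(PATCH, EXT))
```

A match only shows that the file on disk is the patch's own; which copy of a class the server actually loads still depends on the app server, as the reply above says.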
Ákos Gábriel
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/17 15:30
Rank: Junior Member, Posts: 33, Joined: 2009/10/05

Could you please point me to the download link? Thanks!
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/17 16:06
Rank: Liferay Legend, Posts: 7990, Joined: 2010/03/23

Downloads: http://www.liferay.com/community/security-team/known-vulnerabilities

Information: http://www.liferay.com/community/security-team/cst-process
Ákos Gábriel
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/17 16:17
Rank: Junior Member, Posts: 33, Joined: 2009/10/05

Hitoshi Ozawa:
Downloads: http://www.liferay.com/community/security-team/known-vulnerabilities

Information: http://www.liferay.com/community/security-team/cst-process


Thanks for the links, I found these too, these are sources.
Given the subject I was expecting a binary package being available.
Drew Blessing
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/17 17:24
Rank: Junior Member, Posts: 79, Joined: 2011/01/27

Ákos Gábriel:
Given the subject I was expecting a binary package being available.


Binaries can be found here: https://github.com/community-security-team/liferay-portal/downloads

I don't think it's quite clear where to download the binaries but they are there.
Jérôme Delzor
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/19 0:44
Rank: New Member, Posts: 1, Joined: 2012/07/19

Hi James and other Liferay masters,

I'm barely new to Liferay and definitely not a dev guy, so forgive me if my questions are nonsense.
I'd like to understand how corrective binaries interact with Liferay core files and ext files created by my company. My goal is to produce an almost-automated bash script in order to deploy this patch and the next to come. But if patches destroy our specific dev I have to find another process.

Also, my colleagues produce some modifications (behaviour changes or bug backports) directly into Liferay core files, is this the right way to process? Must they do like you and create an ext-<core_file_to_change>.jar file?

Jérôme
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
2012/07/19 7:03
Rank: Liferay Legend, Posts: 7990, Joined: 2010/03/23

Also, my colleagues produce some modifications (behaviour changes or bug backports) directly into Liferay core files, is this the right way to process? Must they do like you and create an ext-<core_file_to_change>.jar file?


It's recommended to create an ext plugin instead of directly modifying liferay source unless you're willing to create your own patch.

A binary security patch may overwrite your modifications or may not work correctly with your modifications. It's recommended to test the patch before applying it to a production server.
If your colleagues know how to build liferay from source, it may be more advantageous to use source code diff files so you'll be able to know which files are going to be changed.
Denis Signoretto
RE: Binary patch available for Liferay Portal 6.1 GA1
2013/05/10 3:18
Rank: Regular Member, Posts: 214, Joined: 2009/04/21

Hi James,

I have downloaded the latest binary cumulative patch (6.1.1-ce-ga2-security-2.0.zip).

Is the procedure described in README.txt for all application servers?
Does it also apply to WebSphere? (It seems that copying of ext-impl.jar in the liferay WEB-INF\lib folder does not overwrite the original classes)

Thanks,
Denis.
Hitoshi Ozawa
RE: Binary patch available for Liferay Portal 6.1 GA1
2013/03/14 6:57
Rank: Liferay Legend, Posts: 7990, Joined: 2010/03/23

Liferay's binary patch should only modify liferay's files and should be application server independent.