Posted to jetspeed-dev@portals.apache.org by DavidSeanTaylor <da...@bluesunrise.com> on 2015/07/17 02:38:16 UTC

[VOTE] Release Portlet API 2.1.0 Version 1.0

Dear Jetspeed and Pluto team and community,

I have staged a release candidate for the Portlet API 2.1.0 Version 1.0 project.

This release is a new version of the Portlet API, addressing a Security CVE. We are changing one method implementation,
GenericPortlet.serveResource, to be a no-op out of the box. In 2.0, it provided a default implementation that could serve
any resource in the web application. Having it serve resources without the programmer actually implementing the
serveResource method was considered to be a potential security vulnerability.

From the 2.1.0 Portlet Specification:

------
PLT.2.6 Changes Introduced with Version 2.1.0

Version 2.1.0 is a maintenance release amending the description of Resource Serving Dispatching in section PLT.5.4.5.3.
This change, along with the associated Portlet API version 2.1.0 jar file update, closes a potential security vulnerability
associated with Common Vulnerabilities and Exposures ID CVE-2015-1926.

By default the serveResource method in the GenericPortlet class does nothing.

However, if a portlet initialization parameter with the reserved name
"javax.portlet.automaticResourceDispatching" is set to true, the GenericPortlet serveResource method will attempt to forward
the request to the resource ID set on the URL triggering the resource request. If no resource ID is set, the serveResource
method does nothing.
-----

Please review the release candidate of this project which is available in 
the following staging repository:

https://repository.apache.org/content/repositories/orgapacheportals-1007/org/apache/portals/portlet-api_2.1.0_spec/1.0/

The source distribution is also provided through the above staging repository:
https://repository.apache.org/content/repositories/orgapacheportals-1007/org/apache/portals/portlet-api_2.1.0_spec/1.0/portlet-api_2.1.0_spec-1.0-source-release.zip

Please vote on releasing:

Portlet API 2.1.0 Release 1.0

This Vote is open for the next 72 hours. I am putting this vote up for both Jetspeed and Pluto committers. Please carefully review the release prior to voting.

Please cast your vote:

[ ] +1 for Release
[ ]  0  for Don't care
[ ] -1 Don't release (do provide a reason then)


With kind regards,

David Sean Taylor


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
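The serveResource change described in the vote mail and the PLT.2.6 excerpt above, as an added side-by-side illustration (not the Portlet API project's own source): the 2.0-era default beside the 2.1.0 opt-in default, written out as two portlet subclasses so the difference in policy is visible. The package name, the class names, the isDispatchable helper and the /resources/ prefix allow-list are assumptions added here; the javax.portlet types and the reserved init parameter name come from the API and the spec text.

```java
// Added illustration, not code from the Portlet API project. Both portlets are
// nested in one holder so they fit in a single file; a container would deploy
// them as ServeResourceDefaults$Legacy20Style and ServeResourceDefaults$Spec210Style.
package example.portlet; // assumed package name

import java.io.IOException;
import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.PortletRequestDispatcher;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;

public final class ServeResourceDefaults {
    private ServeResourceDefaults() {}

    /**
     * Models the 2.0-era default: forward to whatever resource ID the resource
     * URL carries, even though the portlet developer wrote no serveResource code.
     * The resource ID is chosen by the client, so every resource in the web
     * application becomes reachable through the portlet. This is the behaviour
     * CVE-2015-1926 covers and the one 2.1.0 stops enabling by default.
     */
    public static class Legacy20Style extends GenericPortlet {
        @Override
        public void serveResource(ResourceRequest request, ResourceResponse response)
                throws PortletException, IOException {
            String resourceId = request.getResourceID();
            if (resourceId == null) {
                return;
            }
            PortletRequestDispatcher rd = getPortletContext().getRequestDispatcher(resourceId);
            if (rd != null) {
                rd.forward(request, response);
            }
        }
    }

    /**
     * Models the 2.1.0 default from PLT.2.6: do nothing unless the deployer opts
     * in through the reserved init parameter, and even then do nothing when the
     * URL carries no resource ID. The opt-in is declared in portlet.xml as
     *   <init-param>
     *     <name>javax.portlet.automaticResourceDispatching</name>
     *     <value>true</value>
     *   </init-param>
     * The prefix allow-list below is an added hardening step for deployers who
     * do opt in; the spec text itself does not require it.
     */
    public static class Spec210Style extends GenericPortlet {
        static final String AUTO_DISPATCH = "javax.portlet.automaticResourceDispatching";
        static final String ALLOWED_PREFIX = "/resources/"; // assumed value

        @Override
        public void serveResource(ResourceRequest request, ResourceResponse response)
                throws PortletException, IOException {
            // 2.1.0 default: a no-op unless the reserved parameter is "true".
            if (!Boolean.parseBoolean(getInitParameter(AUTO_DISPATCH))) {
                return;
            }
            String resourceId = request.getResourceID();
            if (resourceId == null) {
                return; // no resource ID on the URL: do nothing (PLT.2.6)
            }
            if (!isDispatchable(resourceId, ALLOWED_PREFIX)) {
                response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
                return;
            }
            PortletRequestDispatcher rd = getPortletContext().getRequestDispatcher(resourceId);
            if (rd != null) {
                rd.forward(request, response);
            }
        }
    }

    /** True only for a context-relative path under allowedPrefix with no traversal. */
    public static boolean isDispatchable(String resourceId, String allowedPrefix) {
        if (resourceId == null || !resourceId.startsWith(allowedPrefix)) {
            return false;
        }
        if (resourceId.contains("..") || resourceId.contains("\\")) {
            return false;
        }
        String upper = resourceId.toUpperCase();
        return !upper.contains("/WEB-INF/") && !upper.contains("/META-INF/");
    }
}
```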


Re: [VOTE] Release Portlet API 2.1.0 Version 1.0

Posted by Randy Watler <ra...@gmail.com>.
+1

On Thu, Jul 16, 2015 at 6:38 PM, DavidSeanTaylor <da...@bluesunrise.com>
wrote:


Re: [VOTE] Release Portlet API 2.1.0 Version 1.0

Posted by Martin Scott Nicklous <Sc...@de.ibm.com>.
+1

Looks good! Thank you David, for pushing this forward!

Kind regards,
Scott Nicklous

WebSphere Portal Standardization Lead & Technology Consultant
Specification Lead, JSR 362 Portlet Specification 3.0
IBM Software Group, Application Integration Middleware

Phone: +49-7031-16-4808 / E-Mail:scott.nicklous@de.ibm.com /  Schoenaicher
Str. 220, 71032 Boeblingen, Germany
IBM Deutschland Research & Development GmbH / Chairman of the
Supervisory Board: Martina Koederitz / Managing Director: Dirk Wittkopp
Registered office: Böblingen / Registration court: Amtsgericht Stuttgart,
HRB 243294




From:	DavidSeanTaylor <da...@bluesunrise.com>
To:	pluto-dev@portals.apache.org, Jetspeed Developers List
            <je...@portals.apache.org>
Date:	17.07.2015 02:38
Subject:	[VOTE] Release Portlet API 2.1.0  Version 1.0





Re: [VOTE] Release Portlet API 2.1.0 Version 1.0

Posted by Neil Griffin <ne...@portletfaces.org>.
+1

Thanks David!

> On Jul 16, 2015, at 8:38 PM, DavidSeanTaylor <da...@bluesunrise.com> wrote:


[RESULT][VOTE] Release Portlet API 2.1.0 Version 1.0

Posted by DavidSeanTaylor <da...@bluesunrise.com>.
Apache Portals Team and community,

This release is accepted with the following votes:

+1 Woonsan Ko
+1 Martin Scott Nicklous
+1 Neil Griffin
+1 Randy Watler
+1 David S Taylor

Thank you all for voting!

We will promote the release candidates to the Maven Central Repository and upload the source and binary distributions to the official download area.

An announcement about the new release will be sent out as soon as the Jetspeed and Pluto websites are updated and the source and binary distributions have been mirrored.

Regards,

David S Taylor

> On Jul 20, 2015, at 8:52 AM, DavidSeanTaylor <da...@gmail.com> wrote:
> 
> +1
> 
>> On Jul 17, 2015, at 4:34 AM, Woonsan Ko <wo...@apache.org> wrote:
>> 
>> +1
>> 
>> Woonsan
>> On Jul 16, 2015 8:38 PM, "DavidSeanTaylor" <da...@bluesunrise.com> wrote:




Re: [VOTE] Release Portlet API 2.1.0 Version 1.0

Posted by DavidSeanTaylor <da...@bluesunrise.com>.
+1

> On Jul 17, 2015, at 4:34 AM, Woonsan Ko <wo...@apache.org> wrote:
> 
> +1
> 
> Woonsan
> On Jul 16, 2015 8:38 PM, "DavidSeanTaylor" <da...@bluesunrise.com> wrote:
> 




Re: [VOTE] Release Portlet API 2.1.0 Version 1.0

Posted by Woonsan Ko <wo...@apache.org>.
+1

Woonsan
On Jul 16, 2015 8:38 PM, "DavidSeanTaylor" <da...@bluesunrise.com> wrote:
