Liferay Portal 6.2 EE Important Fix Pack Changes

Please read about the following important changes in Liferay Portal 6.2 EE Fix Packs before installing.

Changelog

Portal-173 Fix Pack 

Please note: This fix pack requires Java 8.

LSV-636 resolves a critical security vulnerability with portlet.resource.id.banned.paths.regexp.

Portal-172 Fix Pack 

Please note: This fix pack requires Java 8.

LSV-600 resolves a critical security vulnerability with LDAP credentials.

Portal-171 Fix Pack 

Please note: Due to the fixes made under LSV-399, this fix pack requires Java 8.

LSV-545 resolves a critical remote code execution (RCE) vulnerability via JSON web services (JSONWS).

LSV-535 resolves a critical SQL injection security vulnerability in the asset framework.

LSV-399 resolves a critical security vulnerability with Apache Tika. 

Portal-170 Fix Pack 

LPE-16655 resolves a critical security vulnerability with remote code execution via deserialization of JSON data.

LPE-16614 resolves a critical security vulnerability with Workflow definitions being used to gain access to information in a different site or virtual instance as well as the operating system.

LPE-16514 resolves a critical security vulnerability with remote code execution using Web Content/DDM templates by updating the following portal.properties:

freemarker.engine.restricted.classes=\
        java.lang.Class,\
        java.lang.ClassLoader,\
        java.lang.Compiler,\
        java.lang.Package,\
        java.lang.Process,\
        java.lang.Runtime,\
        java.lang.RuntimePermission,\
        java.lang.SecurityManager,\
        java.lang.System,\
        java.lang.Thread,\
        java.lang.ThreadGroup,\
        java.lang.ThreadLocal

velocity.engine.restricted.classes=\
        java.lang.Class,\
        java.lang.ClassLoader,\
        java.lang.Compiler,\
        java.lang.Package,\
        java.lang.Process,\
        java.lang.Runtime,\
        java.lang.RuntimePermission,\
        java.lang.SecurityManager,\
        java.lang.System,\
        java.lang.Thread,\
        java.lang.ThreadGroup,\
        java.lang.ThreadLocal
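
To check that a local portal-ext.properties override does not weaken these lists, the following added example (not Liferay code) parses a properties file and reports which of the classes listed above are missing from each key. It assumes `=` as the key separator; the function names and the sample override are constructed for illustration.

```python
# Added example; REQUIRED is the class list given above for LPE-16514.
REQUIRED = {
    "java.lang.Class", "java.lang.ClassLoader", "java.lang.Compiler",
    "java.lang.Package", "java.lang.Process", "java.lang.Runtime",
    "java.lang.RuntimePermission", "java.lang.SecurityManager",
    "java.lang.System", "java.lang.Thread", "java.lang.ThreadGroup",
    "java.lang.ThreadLocal",
}
KEYS = ("freemarker.engine.restricted.classes",
        "velocity.engine.restricted.classes")

def parse_properties(text):
    """Minimal .properties parser: comments, key=value, backslash continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            logical += line[:-1]  # continuation: join with the next line
            continue
        key, _, value = (logical + line).partition("=")
        props[key.strip()] = value.strip()  # a later definition wins
        logical = ""
    return props

def missing_restrictions(text):
    """Return {key: sorted missing classes} for each key the file overrides."""
    props = parse_properties(text)
    report = {}
    for key in KEYS:
        if key not in props:
            continue  # not overridden, so the portal.properties value applies
        listed = {c.strip() for c in props[key].split(",") if c.strip()}
        gap = sorted(REQUIRED - listed)
        if gap:
            report[key] = gap
    return report

# Constructed sample override, not taken from a real deployment.
SAMPLE = """\
freemarker.engine.restricted.classes=\\
    java.lang.Class,\\
    java.lang.ClassLoader,\\
    java.lang.Thread
velocity.engine.restricted.classes=
"""

if __name__ == "__main__":
    print(missing_restrictions(SAMPLE))
```

An empty report means every overridden key still contains the full list; a key set to an empty value, as in the sample, is reported with all twelve classes missing.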

Portal-149 Fix Pack 

LPE-15645 removes the utilities swfupload and video_player. This change removes outdated code that is no longer used in the platform and avoids future security issues from outdated Flash movies. Anyone who is using the swfupload AlloyUI module or any of the associated swfupload_f*.swf and mpw_player.swf Flash movies will be affected.

We recommend that users switch to the new standard ways of uploading media, such as AlloyUI's own A.Uploader, to manage uploads consistently across browsers. For audio/video playback, use AlloyUI's A.Audio and A.Video.

Portal-137 Fix Pack 

LPE-11551 deprecates the method com.liferay.portlet.asset.model.BaseAssetRenderer.getSummary(Locale) and changes its logic.

As suggested in the Javadoc documentation, getSummary(PortletRequest, PortletResponse) should be used instead. If a new class is created to extend BaseAssetRenderer, it might be necessary to override com.liferay.portlet.asset.model.BaseAssetRenderer.getSummary(PortletRequest, PortletResponse), because otherwise the formerly referenced deprecated method will be called. This will result in an UnsupportedOperationException.

Portal-136 Fix Pack 

LPS-71163 reverts changes made in LPS-67445 to resolve a security vulnerability found with permissions. Please note that this revert changes the error message to be shown in the UI as "Not Found" instead of "Forbidden".

Portal-113 Fix Pack 

LPE-14846 changes the way that Liferay stores and renders DDM date fields. DDM date fields will now be stored and rendered in the UTC timezone, regardless of the timezone configured in the user.timezone JVM parameter. In order to update the old templates and ensure that all dates are rendered in UTC, a Verify process should be executed. If user.timezone has been changed to a non-GMT value, a Groovy script must be executed to update those values to UTC.

Please navigate to this Knowledge Base article for further instructions.

Portal-108 Fix Pack

LPE-14929 changes the table mapper cache from "explicit excluding" to "explicit including", which means the cache is disabled for mapping tables by default. This may cause a large performance impact for some users.

In order to avoid this, please manually set the property "table.mapper.cache.mapping.table.names" in the portal-ext.properties file so that it includes the mapping table names.

For example: 

table.mapper.cache.mapping.table.names=\
	AssetEntries_AssetCategories,\
	AssetEntries_AssetTags,\
	DLFileEntryTypes_DDMStructures,\
	DLFileEntryTypes_DLFolders,\
	Groups_Orgs,\
	Groups_Roles,\
	Groups_UserGroups,\
	JournalFolders_DDMStructures,\
	SCFrameworkVersi_SCProductVers,\
	SCLicenses_SCProductEntries,\
	Users_Groups,\
	Users_Orgs,\
	Users_Roles,\
	Users_Teams,\
	Users_UserGroups

* If you continue to experience performance degradation, please remove the "Users_Roles,\" entry from the mapping table names.
