Liferay DXP 7.0 Important Fix Pack Changes

Fix Pack 81

LPS-83079 makes changes to the upgrade process to fix sharding issues when upgrading from 6.2.

LPE-16725 resolves a security vulnerability with Web Content article and folder permissions.

LPE-16717 resolves a stored cross-site scripting (XSS) vulnerability that exists in the Web Content Display widget.

Fix Pack 80

• Please backup the database before installing this fix pack.
• Please make sure that the application has the appropriate permissions to make the needed database changes implemented in this fix pack or that the changes are implemented manually by a database administrator.

LPS-92789 makes changes to velocity template to cache velocity template resource.

LPS-92256 makes changes to social upgrade process to successfully upgrade from 7.0 without losing Blog entries that contained published trackbacks.

LPS-92216 makes changes to the Site Settings portlet to check user permissions when groupID is present.

LPS-92048 makes changes to upgradeAsset and upgradeExpando classes to improve upgrade times while using Postgres.

LPS-91149 updates language.properties files to fix issues when configuring a form field as 'searchable.'

LPS-90362 updates language.properties files to fix issues when trying to configure a Web Content structure as 'not indexable.'

LPS-89365 updates language.properties files to fix issues when indexing a form field that sets a 'searchable' field property to 'disabled.'

LPS-89362 updates the UI to allow Users to choose if DDM field is indexable or not.

LPS-88240 makes changes to upgradeOrganizaion.java to successfully upgrade from 6.1/6.2 while using PostgreSQL, DB2, Oracle, or Sybase databases.

LPS-84881 updates language.properties to include a warning message about taglib usage in the cacheable templates help message.

LPS-81837 makes changes to upgradeOrganizaion.java to successfully upgrade from 6.1/6.2 without losing user avatar image.

LPS-73136 adds a new setting in Site Admin that allows users to enable custom site languages with site template propagation as well as new language keys for the configuration property.

LPS-68220 adds support for OpenAM 13+.

LPE-16721 resolves a security vulnerability with the 'com.liferay.portal.remote.cxf.common' bundle. The 'com.liferay.portal.remote.cxf.common' bundle includes Apache CXF 3.1.9 which has the following vulnerabilities: : CVE-2017-5656, CVE-2017-12624, CVE-2017-3156, CVE-2018-8039 and CVE-2017-5653.

LPE-16705 resolves a security vulnerability with the company key being exposed via templates.

LPE-16701 resolves a security vulnerability that allowed unauthorized users to view a site's Site Setting page via URL manipulation.

Fix Pack 79

LPS-91059 adds missing parser to tika.xml to fix issues with fileUtil.extractText method.

LPS-90404 upgrades the lib version for tikka and jempbox to resolve a console error that is thrown when a User tries to upload a mp3 file.

LPS-84026 adds OpenID Connect authentication support to 7.0.x. Users can find configuration settings for OpenID Connect under System Settings > Foundation. Please refer to the updated documentation and Liferay DXP Integrated Technologies Compatibility Matrix.

LPE-16714 resolves a security vulnerability with Elasticsearch. Elasticsearch has a dependency on Google Guava 18.0, which has the following security vulnerability: CVE-2018-10237.

LPE-16704 resolves a reflected cross-site scripting (XSS) vulnerability that exists in the Sign In widget and in User Management.

LPE-16692 resolves the following security vulnerabilities with Apache Tika 1.19: CVE-2018-11796 and CVE-2018-17197.

Fix Pack 78

LPS-91160 updates the French language.properties to correctly translate Blogs entry notifications in French.

LPS-91026 adds a new configuration that allows users to set duration values when editing a Password Policy.

Fix Pack 76

LPS-90155 adds the ability to configure netmask (accepting both CIDR and dot notation). Prior to this fix, only individual IPs could be configured in *hosts.allowed properties. Below are examples of valid property configurations:

atom.servlet.hosts.allowed=127.0.0.1,SERVER_IP,192.168.1.0/24

atom.servlet.hosts.allowed=127.0.0.1,SERVER_IP,192.168.1.128/255.255.255.128

Fix Pack 75

LPS-88315 makes changes to theme _styled in order to correctly position AlloyEditor drag handles in IE11. Customers using Styled will need to use the new Styled version: 2.1.15.

LPE-16681 resolves the following security vulnerability with Apache PDFBox 2.0.9: CVE-2018-11797.

LPE-16680 resolves a security vulnerability with security antisammy. Portal securty antisammy has a dependency on Apache Batik 1.7, which has the following security vulnerabilities: CVE-2018-8013, CVE-2015-0250 and CVE-2017-5662.

LPE-16677 resolves a security vulnerability with Open ID. OpenID has a depency on Apache HttpClient 4.1 which has the following security vulnerabilities: CVE-2014-3577, CVE-2011-1498 and CVE-2013-4366.

LPE-16670 resolves the following security vulnerability with JCraft JSch 0.1.51: CVE-2016-5725.

LPE-16659 resolves the following security vulnerabilities with Spring core 4.19: CVE-2018-1271, CVE-2018-1272, CVE-2018-1270 and CVE-2016-5007.

Fix Pack 73

LPE-16664 resolves a security vulnerability with Google SSO. Google SSO has a dependency on guava-jdk5-17.0. guava-jdk5-17.0, which had the following security vulnerability: CVE-2018-10237.

LPE-16660 resolves the following security vulnerabilities with Netty 4.0.23: CVE-2015-2156 and CVE-2016-4970

LPE-16652 resolves a XSS vulnerability with Custom Field configurations.

LPE-16641 resolves a path traversal vulnerability with Poller.

Fix Pack 72

LPE-16653 resolves the following security vulnerabilities with Apache Tika 1.18: CVE-2018-11762, CVE-2018-11761 and CVE-2018-8017.

LPE-16555 resolves a stored XSS vulnerability with the back link in the Asset Publisher.

Fix Pack 71

LPE-16596 resolves a security path traversal vulnerability in Documents and Media.

LPE-16386 resolves a security vulnerability with anonymous message board posts being displayed incorrectly.

Fix Pack 70

This fix pack includes new API's that were added to the Search module. This fix pack can be reverted to fix pack 60 and higher.

• Please backup the database before installing this fix pack.
• Please make sure to install the correct Elasticsearch 6 and Solr5 app versions when installing fix pack 70 or reverting to a previous fix pack.
• Please refer to the knowledge base article for more information about the updated fix pack compatibility for Elasticsearch 6 and Solr5.

LPS-84451 adds a new search functionality to the workflow tasks. To ensure all current and previous workflow tasks are displayed in the search results, please reindex manually.

LPS-80931 fixes search results for non-default date formats.

LPS-79348 adds filter attribute to asset publisher and search so that expired entries are not fetched.

LPS-78857 implements a new query type from Elasticsearch's query language called Terms set query. Terms set query "returns any documents that match with at least one or more of the provided terms." - www.elastic.co

LPS-78738 changes the URL locale to use a "-" instead of a "_" as a separator between the language and the country. URL's that have the old style will be redirected to the new URL locale with a Permanent Redirect - 301 error. Users that have done some URL pre-processing in web servers may have their rules affected by this change.

LPE-16645 resolves a security vulnerability with Site edit pages being accessible to Users without permissions by checking view permissions when trying to render a view for specific groupId's.

LPE-16638 resolves a security vulnerability with the Power User or Site Administrator role being able to view page configurations without view permissions by checking view permissions for specific groupId's.

LPE-16628 resolves security vulnerabilities in jackson-databind-2.6.7.1. jackson-databind-2.6.7.1 is a dependency of petra-json-web-service-client.

LPE-16607 resolves a security vulnerability that occurs when Liferay DXP is configured with a distributed cache using JDBC_PINGS.

Fix Pack 69

LPE-16619 resolves a path traversal security vulnerability with Include tag.

LPE-16577 resolves a security vulnerability that causes User password hashes and password reminders to be displayed in the logs when database errors occur.

Fix Pack 68

LPE-16602 resolves an open direct security vulnerability with the Language widget.

LPE-16600 resolves a security vulnerability with Asset Publisher permissions.

LPE-16597 resolves a security vulnerability with application default session timeout length by decreasing the timeout session from 30 minutes to 15 minutes..

Fix Pack 67

LPE-16593 resolves a security vulnerability with Websphere configurations defaulting to serving servlets by class name.

LPE-16590 resolves a security vulnerability that caused detailed error information to be displayed to the end User.

Fix Pack 66

LPE-16558 resolves a security vulnerability that occurs with password reset token leaks and third party websites.

Fix Pack 65

LPE-16580 disables TLS 1.0 for inbound HTTPS requests. Please visit the Customer Knowledge Base page for more information about this fix.

LSV-412 resolves a security vulnerability with remote code execution via deserialization of JSON data. A portal property, "json.deserialization.whitelist.class.names" has been added to control which classes are allowed to be deserialized from a JSON request. Please refer to the 'Mitigation Notes' section on the LSV page for more information.

LSV-407 resolves a path traversal security vulnerability that occurred with Web Content templates and Application Display Templates.

Fix Pack 64

LPS-87429 removes the new upgrade logic that was added to "com.liferay.blogs.service" in 7.0 FP60. This added logic prevents customers with fix pack 60-63 installed to upgrade from 7.0.x to 7.1.x. Removing the upgrade logic allows compatibility between 7.0.x and 7.1.x Liferay versions.

LPS-86744 modifies the relative level configuration's behaviour in the navigation menu in order to achieve a correct and consistent way of working. See the expected result described in LPS-86744.

LPE-16585 resolves a security vulnerability that allowed unauthorized Users to access expired assets in the Asset Publisher.

LPE-16582 resolves a User login security vulnerability to CSRF.

LPE-16576 resolves a security vulnerability that allowed unauthorized users can download LAR files via URL manipulation.

Fix Pack 61

LPE-16523 resolves a XSS security vulnerability with data type custom fields.

Fix Pack 60

This fix pack includes a module upgrade process which executes on startup. This fix pack can be reverted to fix pack 50 and higher.

• Please backup the database before installing this fix pack.
• Please make sure that the application has the appropriate permissions to make the needed database changes implemented in this fix pack or that the changes are implemented manually by a database administrator.

LPS-84477 makes changes to the theme-styled module to update the CSS selector. Customers will need to use the new Styled version: 2.1.13.

LPS-83963 makes changes in the blogs-service upgrade module that allows Users to upgrade to 7.0 DXP without losing any small image data.

LPS-83629 adds new properties to portal.properties file: field.enable.com.liferay.portal.kernel.model.Layout.javascript=true and field.enable.com.liferay.portal.kernel.model.LayoutSet.javascript=true. These properties allow Users to disable JavaScript for Layout and LayoutSet.

LPS-83183 introduces two new admin tools for handling data erasure and data portability requests as required bythe GDPR. Official documentation for these two features is available here.

LPE-16498 resolves an LDAP injection vulnerability that exists with with user group names.

LPE-16485 resolves a security vulnerability with the AWS access key appears in the logs.

Fix Pack 59

LPS-85722 increases the major version of util-bridges from 2.0.0 to 4.0.0. This should not cause any negative impact for Customers that install de-59.

LPS-84223 updates the logic used when validating DL files. This will result in DL file links that were previously improperly validated to no longer pass validation. If a User tries to update a Web Content that contains a link to a non existing DL File, an error will now be thrown since the file does not exist.

LPS-83736 adds unicode.text.normalizer.form to portal.properties file. Users can utilize this property to control whether or not string values are normalized for models.

LPE-16517 resolves a XSS security vulnerability that exists with the FORWARD_URL parameter.

LPE-16459 resolves a XSS security vulnerability with Document and Media when directory indexing is enabled.

LPE-16456 resolves a security vulnerability that exists with portlet configurations not properly verifying User permissions.

Fix Pack 58

LPS-84003 moves com.liferay.product.navigation.accessibility.internal.configuration.ProductNavigationAccessibilityConfiguration from Foundation to Web Experience.

LPS-83658 fixes broken PDF previews while using PDFBox by updating the PDFBox version from 2.0.3 to 2.0.9.

LPE-16507 resolves a vulnerability found with JSON web services.

LPE-16491 resolves a XSS vulnerability with Dynamic Data List record sets.

LPE-16490 resolves a XSS vulnerability with Liferay's default sanitizer, OWASP AntiSamy.

LPE-16487 resolves a vulnerability found with Web Content templates and Application Display Templates.

LPE-16479 resolves an open direct vulnerability with Blogs RSS.

LPE-16478 resolves a XSS security vulnerability that existed with virtual instances.

LPE-16462 resolves a XSS security vulnerability that existed with page variations.

Fix Pack 57

LPS-82667 fixes improperly displayed profile images by increasing both users.image.max.height and users.image.max.width from 100 to 290 pixels in portal.properties.

Fix Pack 56

LPE-16455 resolves a critical security vulnerability found in User permissions by allowing Users without proper permissions to only have access to view the control panel layout.

LPE-16463 resolves a critical SSRF vulnerability that existed with pingbacks in Blogs by only allowing pingback access to valid IP addresses and denying restricted IP addresses with an "Access Denied" error message.

LPE-16460 resolves a critical security vulnerability found with XSL Content by enabling the secure processing by default. This fix is available by installing FP55+.

Fix Pack 54

LPS-82999 fixes the Web Content Display portlet icons to display correctly after upgrading to the latest Fix Pack by adding a new System Setting "All Available Web Content Display Actions in One Menu" under Web Experience > Web Content Display Configuration. This new setting allows Users to choose to display all the available actions in 2 different ways:

1. Under the same menu in the Web Content Display portlet topper area (default value);
2. Under separate menus. This option will display portlet actions in the portlet topper area and the Web Content actions under a second ellipsis menu located in the right-upper corner.

Fix Pack 53

LPS-83071 makes changes to the theme-styled module to make the numerical values for input fields when choosing "more colors" from the color chooser fully visible. Customers will need to use the new Styled version: 2.1.10.

LPS-82592 makes changes to the theme-styled module to correctly display the modal window footer that is opened when using the text style menu in AlloyEditor.

LPE-16453 removes the user password from showing up on the console log when a User tries to log into portal with LDAP configured.

Fix Pack 52

LPS-76719 adds support to UTF-8 encoding when compressing a folder in Documents and Media.

LPE-16443 updates referer_js.jsp to resolve a stored XSS vulnerability that existed with referer parameter.

LPE-16454 resolves a stored XSS vulnerability that existed with wiki page attachments by only allowing content types based on whitelisted extensions.

Fix Pack 51

LPS-82316 makes changes to theme _styled in order to properly display the portlet menu ellipsis while hovering over menu items. Customers using Styled will need to use the new Styled version: 2.1.8.

Fix Pack 50

This fix pack includes several module upgrade processes which execute on startup. This fix pack can be reverted to fix pack 40 and higher.

• Please backup the database before installing this fix pack.
• Please make sure that the application has the appropriate permissions to make the needed database changes implemented in this fix pack or that the changes are implemented manually by a database administrator.

LPS-81549 updates Japanese language properties to correctly display document details in Japanese.

LPS-81408 adds a setting that Users can configure to enable or disable comments to a portlet on a Live site when Staging is enabled. You can change this setting as a portal admin by going to Control Panel/Configuration/System Settings/Web Experience/Export/Import Service and check the "Enable comments on Live" option.

LPS-79390 removes the distinct clause from custom-sql in com.liferay.journal.service.persistence.JournalFolderFinder.findA_ByG_U_F to improve performance while accessing Web Content for Users with a large database. Users should no longer experience long loading times when navigating to the Web Content list via the Control Panel.

LPS-79188 migrates Robots.txt to be stored in both the LayoutSet and Group_ table. Storing Robots.txt in the LayoutSet table allows Robots.txt to be published on a staged site. An upgrade process was also added to the web-experience module to allow proper migration of existing robots.txt values to LayoutSets table.

Fix Pack 49

LPS-72748 introduces custom fields logic to portal-search. This logic allows Users to successfully search for text in custom fields of documents via the Documents and Media portlet.

Fix Pack 48

LPE-16434 resolves a security vulnerability that caused Blog titles to be visible to Users without the appropriate view permission. This issue is resolved so only Users with view permissions can view Blog titles.

LPE-16433 resolves a stored XSS vulnerability that was present in the Forms application.

LPE-16019 resolves a security vulnerability that caused the password of a Forms REST data providers to be disclosed. This issue is resolved so the password is now obfuscated.

Fix Pack 47

LPS-81028 removes the value.object.finder.blocking.cache=true portal property. After installation of FP47, this property will no longer be available to Users.

LPS-79799 changes the requirements of what is allowed to be passed to the Liferay persistence layer. Liferay models that have been proxied may no longer be able to pass through the persistence layer. If a User's code does not meet the new requirements, an exception will be thrown with an error message containing instructions on what to do next.

LPS-79679 changes the module version of com.liferay.portal.scheduler.quartz from 3.0.5 to 3.0.6. Since ClassLoaderPool takes into account the version, it is not possible to find serialized objects class between different nodes with different module versions.

1. Stop all nodes
2. Install the fix pack
3. Start up the nodes sequentially

LPS-79758 removes the 0-padding from the Calendar event time slot when creating an event in Japanese. Users will no longer see the "0" displayed while selecting an event time.

LPS-78519 changes the UpgradeSharding process order in the upgrade processes sequence. Any shard that has been edited from the default value will no longer throw upgrade exceptions in the upgrade.log file.

LPS-76859 makes changes to the classic-theme module in order to properly display the edit ellipsis for a Web Content in the Web Content Display Portlet. Users must update their portlet.ftl in their custom themes in order to execute this change. Please refer to the steps below (NOTE: this affects FP47 and up):

1. Go to the theme directory: THEME/templates/portlet.ftl
2. In portlet.ftl, find the following div:
   

   <div class="${portlet_content_css_class}">

3. Find the following portlet_title code in the div, if any. This code will be wrapped with the necessary code needed for the fix.
   

   <h2 class="portlet-title-text">${portlet_title}</h2>

4. Add the following code, making sure to include the portlet_title and its components, if any.
   

   <div class="autofit-row autofit-float">
   	<div class="autofit-col autofit-col-expand">
   		<#-- portlet_title and its components goes here, if any. -->
   	</div>
   
   	<div class="autofit-col autofit-col-end">
   		<div class="autofit-section">
   			<@liferay_util["dynamic-include"] key="portlet_header_${portlet_display_root_portlet_id}" />
   		</div>
   	</div>
   </div>

5. If there is no portlet_title, include the code before the 'writeContent' as shown below.
   

   <div class="autofit-row autofit-float">
   	<div class="autofit-col autofit-col-expand">
   		<#-- portlet_title and its components goes here, if any. -->
   	</div>
   
   	<div class="autofit-col autofit-col-end">
   		<div class="autofit-section">
   			<@liferay_util["dynamic-include"] key="portlet_header_${portlet_display_root_portlet_id}" />
   		</div>
   	</div>
   </div>
   
   ${portlet_display.writeContent(writer)}

With these changes,at the time of writing this, the second ellipses should be visible, but its location is wrong. This issue is being fixed by LPS-81659 in the Styled Theme. Once this issue is closed, installing the updates from Styled should fix this issue.

The following workaround will not work on IE9 or IE10. This is currently being worked on and will be updated when ready. In the meantime, adding the following css to the theme's _custom.scss and recompiling the theme should fix this issue. When receiving the fix from Styled Theme it is important to remove this code to avoid any overwriting.

// Autofit Row

%autofit-row {
	display: flex;
	flex-wrap: nowrap;
	width: 100%;
}

.autofit-row {
	@extend %autofit-row;
}

// Autofit Columns

%autofit-col {
	display: flex;
	flex-direction: column;
	flex-shrink: 0;
	min-height: 0;
	position: relative;
}

.autofit-col {
	@extend %autofit-col;
}

%autofit-col-expand {
	flex-grow: 1;
	flex-shrink: 1;
	min-width: 3.125rem;
	word-wrap: break-word;
}

.autofit-col-expand {
	@extend %autofit-col-expand;
}

// Autofit Section

%autofit-section {
	max-width: 100%;
}

.autofit-section {
	@extend %autofit-section;
}

// Autofit Float
%clay-autofit-float {
	flex-wrap: wrap;

	> .autofit-col {
		max-width: 100%;
	}

	> .autofit-col-end {
		margin-left: auto;

		+ .autofit-col-end {
			margin-left: 0;
		}
	}
}

.autofit-float {
	@extend %clay-autofit-float;
}

LPS-74395 adds a new configuration entry in the Search System Settings (located under System Settings > Foundation) called Default Search Result Permission Filter. This added configuration provides the User with the ability to set the following parameters:

• Permission Filtered Search Result Returns Accurate Count Threshold: Set this number to establish a threshold of how many search results run through permission filtering during a given search. If the total number of returned search results is below this threshold, the results count after permission filtering is guaranteed to be accurate.
• Search Query Result Window Limit: Set this to limit the number of search results that can be requested from a search query.

LPS-69814 adds a new validation when uploading an image via the Item Selector. Users can configure valid extensions under System Settings > Collaboration > Documents and Media Image Item Selector View.

LPE-16436 fixes SendmailHook.java to correctly call ProcessUtil.execute by passing each arguments of the commands as separate elements to ProcessUtil.

Fix Pack 46

LPS-79404 updates GZip filter compression to be disabled by default. This will prevent BREACH attack vulnerability when using GZip filter.

LPS-79249 removes TunnelingServletAuthVerifier class from portal.properties. This class has been renamed to TunnelAuthVerifier and is now configurable via osgi/configs.

LPS-77432 fixes sun.misc.Unsafe API to be compatible with IBM JDK.

LPE-16381 is a security fix that limits Web Proxy portlets to administrators only.

Fix Pack 45

LPS-78517 allows Users to export a serialized bean by a module and use it in multiple workflow states without losing ServiceContext information.

LPS-66371 removes actions in auth.token.ignore.actions that were vulnerable to CSRF attacks. This will prevent attackers from creating/updating/deleting discussions, blogs, document library entries, message boards, and wikis.

Fix Pack 44

LPS-78858 fixes Spanish language keys for notifications-list and requests-list. These keys were incorrectly updated in LPS-77761.

LPS-77722 removes reflected XSS attack that occurs after submitting a page in api/jsonws. Alert pop-ups no longer appear after a api/jsonws page submission.

LPS-69554 fixes an uncaught TypeError that occurs when editing the editor.wysiwyg properties. Users can now edit wysiwyg properties without running into an uncaught TypeError in their browser console.

Fix Pack 43

LPS-77925 changes JournalServiceVerifyProcess.updateCreateAndModifiedDates() to be a part of an UpgrageProcess. A Users console log will now show "com.liferay.journal.internal.upgrade.v0_0_7.UpgradeJournalArticleDates" instead of "Processing #number article resources for create and modified dates".

Fix Pack 42

LPS-77803 uses the correct cache name for WebServerServletToken cache. The WebServerServletToken cache can now be configured via the clustering portal properties.

LPS-77739 changes the DDMFormValuesValidatorImpl.java to support Long variable values instead of Integer variable values. Numeric values greater than 999999999 can now be inputted into the Form text field.

LPS-77654 Fixes the duplicate key in IX_B27A301F issue that was occurring while running the com.liferay.rss.web.internal.upgrade.RSSWebUpgrade upgrade process. This will allow portal to start without exceptions. It will also prevent the Gogo console from throwing any pending upgrade processes after executing upgrade:check.

LPS-76675 due to the removal of mapping types in Elasticsearch 6, administrators are now required to execute "Reindex all spell check indexes" from the Server Administration if spell-check was enabled. This execution needs to be triggered even if you are still running on Elasticsearch 2 server.

Fix Pack 41

LPS-75649 removes User information from the asset tag if the User isn't an admin.

Fix Pack 40

This fix pack includes several module upgrade processes which execute on startup. This fix pack cannot be reverted.

• Please backup the database and document library file system before installing this fix pack.
• Please check any document and media customizations as several apis have changed.
• Please make sure that the application has the appropriate permissions to make the needed database changes implemented in this fix pack or that the changes are implemented manually by a database administrator.

LPS-65331 changes the default value of captcha.engine.simplecaptcha.gimpy.renderers portal property that is used when generating a CAPTCHA image.

LPS-71635 makes changes to the document library api file that allows developers to customize the versions and elements in the Documents and Media portlet.

LPS-53392 increases emailAddress database column size. The maximum email address length allowed is 254.

LPS-77197 increases the Description column size in the LayoutPrototype table.

LPS-73770 improves performance for the upgrade process. Groups can be upgraded without rebuilding the entire Group tree.

LPS-37417: Proper handling of orphan data in ExpandoRow.

LPS-74532 increases the hostname column size in the VirtualHost table. The maximum hostname length allowed is 200.

LPS-78134 changes Read-Write Database settings. If you are using this functionality, please change your portal-ext.properties configuration:

• Add dynamic-data-source-spring.xml to the property "spring.configs"
• Add dynamic-data-source-infrastructure-spring.xml to the property "spring.infrastructure.configs"
• For more information, please navigate to the Customer Documentation.

Fix Pack 36

LPS-72169 includes a new upgrade process in the module com.liferay.portal.upgrade which will modify the schema version. This will prevent customers from rolling back to a previous Fix Pack.

Fix Pack 35

LPS-76672 introduces a major version change that prevents importing older LAR files into DE-35+. This will affect any LAR file created from DE-34 and below.

Solution: The LAR files will need to be re-exported in DE-35 to be imported into DE-35+.

LPS-76771 introduces a change that causes events to not be processed when a portlet issues a redirect during an action request. This does not occur if the portlet is specifically designed to send redirects during action requests.

Workaround: 

1. Add the property  com.liferay.portlet.action-url-redirect=true to the @Component annotation of the custom portlet.

2. Rebuild the portlet

3. If the customer has non-default log levels, they will see the following warning message in the log when making this modification and redeploying the portlet: Invalid property com.liferay.portlet.action-url-redirect for portlet. This WARN message can be ignored and will be resolved in LPS-77869.

Fix Pack 39

LPS-77562 makes changes in SchedulerResponse which will change the serialVersionUID. This can cause issues applying fix packs in a clustered environment.

Workaround: Stop all nodes, install the fixpack and start them sequentially.

Fix Pack 14

LPS-71501 causes an exception in the asset publisher ADT. These changes implement Freemarker language and allows Liferay to wrap any implementations of list and map so that they are useable within LiferayObjectWrapper.

Workaround: 

Users should make the following changes in any Freemarker code (.ftl files or other embedded areas):

•  Replace all instances of .get(0) with [0]
•  Replace all instances of .size() with ?size
•  Remove all instances of .iterator()

Fix Pack 33

LPS-74946 - fixes LiferayOjectWrapper.java in the portal-template-freemarker module to run the correct logic when running a freemarker script. This change in logic may affect customer freemarker scripts and customers will need to update their script to properly run.

LPE-16252 - Some changes were introduced in the management of the Xuggler libraries and will require Xuggler to be re-enabled. Users who had Xuggler previously enabled should follow the instructions below.

Resolution:

1. Go to Control Panel > Server adminstration > External services > Install Xuggler library
2. Restart the server
3. Go to Control Panel > Server adminstration > External services > Enable Xuggler

Wildfly OOM Error - OOM error is displayed when installing Fix Pack 33 on the Liferay Digital Enterprise 7.0 Wildfly bundle and publishing web content.

Resolution:

1. In the /bin folder, set the -XX:MaxMetaspaceSize in standalone.conf and standalone.conf.bat  or standalone.conf.sh (Mac/Linux) to at least 512m
2. In portal-ext, make sure the index.on.startup portal property is set to false (default for that property)

Fix Pack 30

This fix pack includes several module upgrade processes which execute on startup. This fix pack cannot be reverted.

• Please backup the database and document library file system before installing this fix pack.
• Please check any custom authentication implementations and settings such as pre and post login hooks or SSO implementations.
• Please check any theme implementations especially if they override or deal with elements of the notifications portlet.
• Please make sure that the application has the appropriate permissions to make the needed database changes implemented in this fix pack or that the changes are implemented manually by a database administrator.

LPS-56589 - Changes the size of the smallImageUrl column in the image table in order to accommodate longer URLs.

LPS-72541 - Allows portal property configuration from operating system environment variables. Please see official documentation for more information.

LPS-72839 - Properly deletes duplicate index IX_C3AA93B8.

LPS-72996 - Properly removes DDM Templates associated with journal articles upgraded from previous versions.

LPS-73034 - Removes the VIEW and PERMISSIONS permission from the Guest role for CalendarResources entries.

LPS-73385 - Changes the size of the smallImageUrl column in the image table in order to accommodate longer URLs.

LPS-73461 - Creates a new OSGi bundle which will be deployed by default that leverages NPM support to provide shims for Node.js globals and modules. Makes shims for Node.js globals and modules available for use in Javascript.

LPS-73670 - Changes notifications-portlet.user-notifications.archived} to notifications-portlet.user-notifications.unread.

LPS-73691 - Changes "NotificationsPortlet.markAllAsRead()" to "markAllNotificationsAsRead()". Changes class "MarkAsReadPortletConfigurationIcon" to "MarkAllNotificationsAsReadPortletConfigurationIcon". Removes protected method "NotificationsPortlet.updateArchived(UserNotificationEvent userNotificationEvent)". For more information on managing notifications please see official documentation.

LPS-73692 - Changes UserNotificationEventComparator constructor signature from (String orderByCol, String orderByType) to (boolean ascending). Changes method signature of "NotificationsUtil.populateResults(long userId, boolean actionRequired, String filterBy, String orderByCol, String orderByType, SearchContainersearchContainer)" to "NotificationsUtil.populateResults(long userId, boolean actionRequired, String navigation, String orderByType,SearchContainer searchContainer)". Changes class "UserNotificationEventComparator.java" to "UserNotificationEventTimestampComparator.java".

LPS-73695 - Allows users to delete notifications, mark as read, and mark as unread. Please see official documentation for more information.

LPS-73787 - Removes notifications-portlet.user-notifications.unread.checkbox. Only affects clients whom have modifed this element.

LPS-73996 - Deprecates BasePortalSettingsFormMVCActionCommand. Changes class "PortalSettingsCASFormMVCActionCommand" to "CASPortalSettingsFormContributor". Changes class "PortalSettingsFacebookConnectFormMVCActionCommand to "FacebookConnectPortalSettingsFormContributor". Changes class "PortalSettingsGoogleFormMVCActionCommand" to "GooglePortalSettingsFormContributor". Changes class "PortalSettingsNtlmFormMVCActionCommand" to "NtlmPortalSettingsFormContributor". Changes class "PortalSettingsOpenIdConnectFormMVCActionCommand" to "OpenIdConnectPortalSettingsFormContributor". Changes class "PortalSettingsOpenIdFormMVCActionCommand" to "OpenIdPortalSettingsFormContributor". Changes class "PortalSettingsOpenSSOFormMVCActionCommand" to "OpenSSOPortalSettingsFormContributor".

LPS-74244 - Creates a new field named Multiple Selection will be added to the Forms Portlet and it'll allow the creation of several check-boxes through this single field. Please see official documentation for more information.

Fix Pack 28

LPS-73967 - This change reintroduces Build Auto Upgrade which lets you apply schema changes while developing. It is enabled by a new global property schema.module.build.auto.upgrade in the [Liferay_Home]/portal-developer.properties file. Please see the Breaking Changes for more information.

Fix Pack 24, 25, 26, 27

The WeDeploy Auth Admin portlet will appear in the Control Panel. WeDeploy is currently a beta product. The addition of this portlet will have no impact or security risk.

Resolution: The WeDeploy Auth Admin portlet has been removed from the Liferay Digital Enterprise 7.0 Fix Pack 28. Customers who have applied Fix Pack 24, 25, 26, or 27 and wish to remove the WeDeploy Auth Admin portlet can navigate to the Customer Knowledge Base for further instructions.

Please note that Fix Pack 27 includes a module upgrade process and cannot be reverted.

Fix Pack 13

LPE-15776 - Tomcat users will receive the following warning message at startup:

WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with directory [/opt/liferay/master/bundles/tomcat-8.0.32/lib/ext/global], exists: [false], isDirectory: [false], canRead: [false]

Resolution: Append a new line with "org.apache.catalina.startup.ClassLoaderFactory.level=SEVERE" in the Tomcat logging.properties file ($tomcat_home/conf/logging.properties).

LPE-15725 - The Tika and PDFBox Libraries have been upgraded to Tika 1.14 and PDFBox 2.0.3 in order to fix severe issues with the libraries, including improvements to localization support. Customizations should not be affected by this change.

LPS-58672 - The Web Content Service configuration has been moved from portlet.properties to System Settings, allowing Admin Users to change the configuration through System Admin UI.

If you were using a Web Content Service fragment to add custom configuration for any of the next properties you should remove the fragment module and apply your config through System Admin > Web Content Service.

Removed Properties

#
# Specify characters that are not allowed in journal folder names.
#
char.blacklist=&,\',@,\\,],},:,=,>,/,<,[,{,%,|,+,#,`,?,\",;,*,~

#
# Configure email notification settings.
#

email.article.added.body=com/liferay/journal/dependencies/email_article_added_body.tmpl
email.article.added.enabled=true
email.article.added.subject=com/liferay/journal/dependencies/email_article_added_subject.tmpl

email.article.approval.denied.body=com/liferay/journal/dependencies/email_article_approval_denied_body.tmpl
email.article.approval.denied.enabled=false
email.article.approval.denied.subject=com/liferay/journal/dependencies/email_article_approval_denied_subject.tmpl

email.article.approval.granted.body=com/liferay/journal/dependencies/email_article_approval_granted_body.tmpl
email.article.approval.granted.enabled=false
email.article.approval.granted.subject=com/liferay/journal/dependencies/email_article_approval_granted_subject.tmpl

email.article.approval.requested.body=com/liferay/journal/dependencies/email_article_approval_requested_body.tmpl
email.article.approval.requested.enabled=false
email.article.approval.requested.subject=com/liferay/journal/dependencies/email_article_approval_requested_subject.tmpl

email.article.moved.from.folder.body=com/liferay/journal/dependencies/email_article_moved_from_folder_body.tmpl
email.article.moved.from.folder.enabled=true
email.article.moved.from.folder.subject=com/liferay/journal/dependencies/email_article_moved_from_folder_subject.tmpl

email.article.moved.to.folder.body=com/liferay/journal/dependencies/email_article_moved_to_folder_body.tmpl
email.article.moved.to.folder.enabled=true
email.article.moved.to.folder.subject=com/liferay/journal/dependencies/email_article_moved_to_folder_subject.tmpl

email.article.review.body=com/liferay/journal/dependencies/email_article_review_body.tmpl
email.article.review.enabled=true
email.article.review.subject=com/liferay/journal/dependencies/email_article_review_subject.tmpl

email.article.updated.body=com/liferay/journal/dependencies/email_article_updated_body.tmpl
email.article.updated.enabled=true
email.article.updated.subject=com/liferay/journal/dependencies/email_article_updated_subject.tmpl

email.from.address=
email.from.name=

#
# Set the location of the default error content for each language type.
#
error.template[ftl]=com/liferay/journal/dependencies/error.ftl
error.template[vm]=com/liferay/journal/dependencies/error.vm
error.template[xsl]=com/liferay/journal/dependencies/error.xsl

#
# Set the search engine for each indexer implementation by assigning the search
# engine ID. The search engine IDs are defined in the spring configuration
# files. The default engine ID is SYSTEM_ENGINE and will be used as the default
# for all indexers unless configured to use something else.
#
#index.search.engine.id[com.liferay.journal.util.JournalArticleIndexerIndexer]=SYSTEM_ENGINE

#
# Set this to true to enable comments for journal articles.
#
journal.article.comments.enabled=true

#
# Set a list of custom tokens that will be replaced when article content is
# rendered. For example, if set to "custom_token_1", then "@custom_token_1@"
# will be replaced with its token value before an article is displayed.
#
#journal.article.custom.tokens=custom_token_1,custom_token_2
#journal.article.custom.token.value[custom_token_1]=This is the first custom token.
journal.article.custom.token.value[custom_token_2]=This is the second custom token.

#
# Set this to false to ignore article content when performing keyword searches
# on the database for journal articles.
#
journal.article.database.keyword.search.content=true

#
# Set this to true to expire all article versions when expiring an article. Set
# this to false to only expire the latest approved article version when expiring
# an article.
#
journal.article.expire.all.versions=true

#
# Set the storage type that will be used to store the Journal articles.
#
journal.article.storage.type=json

#
# Set the token used when inserting simple page breaks in articles.
#
journal.article.token.page.break=@page_break

#
# Set this to true to check that a user has the VIEW permission on a Journal
# article when its content is rendered.
#
journal.article.view.permission.check.enabled=false

#
# Set this to true to index all article versions. Set this to false to index
# only the last indexable version.
#
journal.articles.index.all.versions=true

#
# Set this to true to check whether folders are empty or not and display an
# empty or full icon. Setting it to false disables the check and will always
# display an empty icon to speed up performance.
#
journal.folder.icon.check.count=true

#
# Set this to true if journal articles should be published to live by default.
#
publish.to.live.by.default=true

#
# Set this to false if only the latest approved version of journal articles
# should be published by default.
#
publish.version.history.by.default=true

#
# Input a list of comma delimited resource action configurations that will be
# read from the class path.
#
 resource.actions.configs=META-INF/resource-actions/default.xml

service.configurator.portlet.ids=com_liferay_journal_web_portlet_JournalPortlet

#
# Set whether to synchronize content searches when the server starts.
#
sync.content.search.on.startup=false

#
# Specify the group ID and the article ID of the Journal article that will be
# displayed as the terms of use. The default text will be used if no Journal
# article is specified.
#
terms.of.use.journal.article.group.id=
terms.of.use.journal.article.id=

#
# Enter a list of regular expression patterns and replacements that will be
# applied to outputted Journal content. The list of properties must end with a
# subsequent integer (0, 1, etc.) and it is assumed that the list has reached
# an end when the pattern or replacement is not set. See
# com.liferay.journal.util.RegexTransformerListener for implementation details.
#
#transformer.regex.pattern.0=beta.sample.com
#transformer.regex.replacement.0=production.sample.com
#transformer.regex.pattern.1=staging.sample.com
#transformer.regex.replacement.1=production.sample.com

#
# You can add a listener for a specific class by setting the property
# "value.object.listener" with a list of comma delimited class names that
# implement com.liferay.portal.kernel.model.ModelListener. These classes are
# pooled and reused and must be thread safe.
#
# This property is not read by the portal except for portal properties
# overridden by liferay-hook.xml. It remains here only as a reference.
#
#value.object.listener.com.liferay.journal.model.JournalArticle=com.liferay.journal.model.listener.JournalArticleModelListener

Fix Pack 3+

LPS-67469 extracts the Private Messaging portlet from the Liferay Collaboration suite and converts the portlet into a standalone app. Those who would like to continue to use the Private Messaging portlet will need to install the portlet manually.

Liferay Private Messaging can now be downloaded from Marketplace. The standalone portlet is needed for users on Fix Pack 3 and above.

Please note that the Private Messaging portlet is a Lab application and will not be supported by the Liferay Subscription Services team.