Please read about the following important changes in Liferay Portal 6.2 EE Fix Packs before installing.
- July 21, 2020: Portal-173
- February 11, 2020: Portal-172
- October 15, 2019: Portal-171
- June 25, 2019: Portal-170
- May 19, 2017: Portal-149
- February 27, 2017: Portal-137
- February 17, 2017: Portal-136
- August 5, 2016: Portal-113
- June 17, 2016: Portal-108
Please note: This fix pack requires Java 8.
LSV-636 resolves a critical security vulnerability with
Please note: This fix pack requires Java 8.
LSV-600 resolves a critical security vulnerability with LDAP credentials.
Please note: Due to the fixes made under LSV-399, this fix pack requires Java 8.
LSV-545 resolves a critical remote code execution (RCE) vulnerability via JSON web services (JSONWS).
LSV-535 resolves a critical security SQL injection vulnerability that exists in the asset framework.
LSV-399 resolves a critical security vulnerability with Apache Tika.
LPE-16655 resolves a critical security vulnerability with remote code execution via deserialization of JSON data.
LPE-16614 resolves a critical security vulnerability with Workflow definitions being used to gain access to information in a different site or virtual instance as well as the operating system.
LPE-16514 resolves a critical security vulnerability with remote code execution using Web Content/DDM templates by updating the following portal.properties:
freemarker.engine.restricted.classes=\ java.lang.Class,\ java.lang.ClassLoader,\ java.lang.Compiler,\ java.lang.Package,\ java.lang.Process,\ java.lang.Runtime,\ java.lang.RuntimePermission,\ java.lang.SecurityManager,\ java.lang.System,\ java.lang.Thread,\ java.lang.ThreadGroup,\ java.lang.ThreadLocal velocity.engine.restricted.classes=\ java.lang.Class,\ java.lang.ClassLoader,\ java.lang.Compiler,\ java.lang.Package,\ java.lang.Process,\ java.lang.Runtime,\ java.lang.RuntimePermission,\ java.lang.SecurityManager,\ java.lang.System,\ java.lang.Thread,\ java.lang.ThreadGroup,\ java.lang.ThreadLocal
LPE-15645 removes the
utilities swfupload and
video_player. This change removes outdated code no longer being used in the platform and avoids future security issues from outdated flash movies. Anyone who is using the
swfupload AlloyUI module or any of the associated
mpw_player.swf flash movies will be affected.
We recommend users switch to new standard ways of uploading media such as AlloyUI's own A.Uploader to manage uploads consistently across browsers. For audio/video reproduction, use AlloyUI's A.Audio and A.Video.
LPE-11551 deprecates the method
com.liferay.portlet.asset.model.BaseAssetRenderer.getSummary(Locale) and changes its logic.
As suggested in the Javadoc documentation,
getSummary(PortletRequest,_ _PortletResponse) should be used instead. If a new class is created to extend
BaseAssetRenderer, it might be necessary to overwrite
com.liferay.portlet.asset.model.BaseAssetRenderer.getSummary(PortletRequest, PortletResponse) because the formerly referenced deprecated method will be called. This will result in an
LPS-71163 reverts changes made in LPS-67445 to resolve a security vulnerability found with permissions. Please note that this revert changes the error message to be shown in the UI as "Not Found" instead of "Forbidden".
LPE-14846 changes the way that Liferay stores and renders DDM date fields. The DDM date fields will now be stored and rendered using UTC timezone regardless of the configured timezone in user.timezone JVM parameter. In order to update the old templates and ensure that all dates are rendered in UTC, a Verify process should be executed. If the user.timezone has been changed to a non GMT value, a Groovy script must be executed to update those values to UTC.
Please navigate to this Knowledge Base article for further instructions.
LPE-14929 changes the table mapper cache from "explicit excluding" to "explicit including", which means the cache is disabled for mapping tables by default. This may cause a large performance impact for some users.
In order to avoid this, please manually set the property "table.mapper.cache.mapping.table.names" to include mapping table names in portal-ext.properties file.
table.mapper.cache.mapping.table.names=\ AssetEntries_AssetCategories,\ AssetEntries_AssetTags,\ DLFileEntryTypes_DDMStructures,\ DLFileEntryTypes_DLFolders,\ Groups_Orgs,\ Groups_Roles,\ Groups_UserGroups,\ JournalFolders_DDMStructures,\ SCFrameworkVersi_SCProductVers,\ SCLicenses_SCProductEntries,\ Users_Groups,\ Users_Orgs,\ Users_Roles,\ Users_Teams,\ Users_UserGroups
* If you continue to experience performance degradation, please remove the "Users_Roles,\" from the mapping table names.