Message Boards

Binary patch available for Liferay Portal 6.1 GA1

Updated 11 years ago by James Falkner.

Binary patch available for Liferay Portal 6.1 GA1

Liferay Legend Posts: 1399 Join Date: 10/09/17 Recent Posts
A cumulative binary patch has been published for Liferay Portal 6.1 GA1 which fixes all of the SEV-1 vulnerabilities listed on the Known Vulnerabilities page, and links have been updated for all listed vulnerabilities.
Updated 11 years ago by James Falkner.

RE: Binary patch available for Liferay Portal 6.1 GA1

Liferay Legend Posts: 1399 Join Date: 10/09/17 Recent Posts
Going forward, this cumulative binary patch will be updated as new vulnerabilities are discovered and fixed.
Updated 11 years ago by Oliver Bayer.

RE: Binary patch available for Liferay Portal 6.1 GA1

Liferay Master Posts: 894 Join Date: 09/02/18 Recent Posts
Hi James,

it's good to see that threads like GA2 Release have such valuable outcomes.

One question:
As far as I know you're able to deploy only one ext plugin at a time. Is this cumulative patch an ext plugin or can it be deployed beside an already existing ext plugin?

Greets Oli
Updated 11 years ago by James Falkner.

RE: Binary patch available for Liferay Portal 6.1 GA1

Liferay Legend Posts: 1399 Join Date: 10/09/17 Recent Posts
Oliver Bayer:
Hi James,

it's good to see that threads like GA2 Release have such valuable outcomes.

One question:
As far as I know you're able to deploy only one ext plugin at a time. Is this cumulative patch an ext plugin or can it be deployed beside an already existing ext plugin?

Greets Oli


Nope, the cumulative patch is not a plugin at all - it requires you to manually copy files into your Liferay installation (some go into the classpath, others are portal-ext.properties file overrides, etc). Check out the README inside of the patch for specific details on what you have to do in order to install the patch.
Updated 11 years ago by Michele Bendazzoli.

RE: Binary patch available for Liferay Portal 6.1 GA1

New Member Posts: 7 Join Date: 10/07/24 Recent Posts
James Falkner:


Nope, the cumulative patch is not a plugin at all - it requires you to manually copy files into your Liferay installation (some go into the classpath, others are portal-ext.properties file overrides, etc). Check out the README inside of the patch for specific details on what you have to do in order to install the patch.


Hi James, thank you for such a valuable resource!
I am reporting some of the problems that occurred to me, because maybe it is useful for you to make the use of this resource easier.
I tried to apply the patch to a test installation and I wonder if I have correctly understood the README file.
For example, for point 1:

1. Add ext-portal-service.jar to your application server's endorsed directory.

If I understand correctly the "application server's endorsed directory" is the <application-server> directory (i.e., for the tomcat bundle, the .../liferay-portal*/tomcat* directory). If this is true, do I have to put the ext-portal-service.jar in the <application-server> directory or in the <application-server>/lib directory?
I put the file in the <application-server>/lib directory because it seems more appropriate. Now maybe this is correct or maybe it is not and I wonder if there is a method that I can use to test if the patch is applied correctly...
More interestingly, is it feasible to create a task which can be invoked periodically to get and apply the patch automatically, so that one can be sure that he doesn't make mistakes?
I have no idea if such a task can be made, or how to make it, but maybe someone more expert than me can.
Hope my poor English is not too bad.
Updated 11 years ago by Oliver Bayer.

RE: Binary patch available for Liferay Portal 6.1 GA1

Liferay Master Posts: 894 Join Date: 09/02/18 Recent Posts
Hi Michele,

afaik you can put the jar files as a rule of thumb into the same directories the original ones are in. So using your example the ext-portal-service.jar should be placed inside <tomcat-dir>/lib/ext.

I like your idea to have some sort of attribute to check if a patch is applied correctly.

@James:
If there isn't a function for this already maybe you can override the ReleaseInfo class in a patch and output the patch version during server startup.

HTH Oli
Updated 11 years ago by Michele Bendazzoli.

RE: Binary patch available for Liferay Portal 6.1 GA1

New Member Posts: 7 Join Date: 10/07/24 Recent Posts
Oliver Bayer:
Hi Michele,

afaik you can put the jar files as a rule of thumb into the same directories the original ones are in. So using your example the ext-portal-service.jar should be placed inside <tomcat-dir>/lib/ext.

I like your idea to have some sort of attribute to check if a patch is applied correctly.

@James:
If there isn't a function for this already maybe you can override the ReleaseInfo class in a patch and output the patch version during server startup.

HTH Oli


So both of my guesses are wrong

Thank you for the advice Oli
Updated 11 years ago by Samuel Kong.

RE: Binary patch available for Liferay Portal 6.1 GA1

Liferay Legend Posts: 1902 Join Date: 08/03/10 Recent Posts
Oliver Bayer:
I was just curious because the naming of the jars seems to be (at least in a way) similar to an ext plugin. So the loading order is: original files -> patch files -> ext plugin files, right?


The load order is undefined and will depend on your specific app server and the name of your ext plugin. If your ext plugin modifies the same class as the security patch, then you'll need to manually patch your system.

Michele Bendazzoli:
Now maybe this is correct or maybe it is not and I wonder if there is a method that I can use to test if the patch is applied correctly


Thanks for the suggestion. There's currently no simple way to check, but we do want to simplify the patching process in the future.
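
Added example, not part of the thread and not Liferay tooling: a Python check for the two questions raised above, whether each jar from the unpacked patch is present byte-for-byte in the installation (and where), and whether a patch jar and an ext plugin jar ship the same classes. The function names, `my-ext.jar` and the `com/example` class names are constructed for illustration; the jar names and `tomcat/lib/ext` come from the posts above.

```python
import filecmp
import tempfile
import zipfile
from pathlib import Path

def class_entries(jar_path):
    """Names of the .class entries in a jar (a jar is a zip archive)."""
    with zipfile.ZipFile(jar_path) as jar:
        return {n for n in jar.namelist() if n.endswith(".class")}

def overlapping_classes(patch_jar, ext_jar):
    """Classes shipped by both jars; which copy wins depends on load order."""
    return sorted(class_entries(patch_jar) & class_entries(ext_jar))

def verify_installed(patch_dir, install_dir):
    """Map each patch jar name to (status, locations under install_dir)."""
    report = {}
    for jar in sorted(Path(patch_dir).rglob("*.jar")):
        copies = sorted(Path(install_dir).rglob(jar.name))
        where = [c.relative_to(install_dir).as_posix() for c in copies]
        if not copies:
            status = "missing"
        elif not all(filecmp.cmp(c, jar, shallow=False) for c in copies):
            status = "mismatch"   # an older or locally modified copy is on disk
        elif len(copies) > 1:
            status = "duplicate"  # same jar present in several directories
        else:
            status = "ok"
        report[jar.name] = (status, where)
    return report

def make_jar(path, classes):
    """Constructed sample data: a jar holding dummy class entries."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as z:
        for name in classes:  # fixed ZipInfo timestamp keeps bytes reproducible
            z.writestr(zipfile.ZipInfo(name), b"dummy " + name.encode())
    return path

def demo():
    root = Path(tempfile.mkdtemp())
    patch, inst = root / "patch", root / "liferay"
    make_jar(patch / "ext-portal-service.jar", ["com/example/A.class"])
    impl = make_jar(patch / "ext-impl.jar", ["com/example/C.class"])
    make_jar(inst / "tomcat/lib/ext/ext-portal-service.jar", ["com/example/A.class"])
    plugin = make_jar(root / "my-ext.jar", ["com/example/C.class", "com/example/D.class"])
    return verify_installed(patch, inst), overlapping_classes(impl, plugin)

if __name__ == "__main__":
    print(demo())
```

A status of `ok` only says an identical copy exists; compare the reported location with the directory the patch README names for that file.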
Updated 11 years ago by Jérôme Delzor.

RE: Binary patch available for Liferay Portal 6.1 GA1

New Member Posts: 1 Join Date: 12/07/19 Recent Posts
Hi James and other Liferay masters,

I'm barely new to Liferay and definitely not a dev guy, so forgive me if my questions are nonsense.
I'd like to understand how corrective binaries interact with Liferay core files and ext files created by my company. My goal is to produce an almost-automated bash script in order to deploy this patch and the next to come. But if patches destroy our specific dev I have to find another process.

Also, my colleagues produce some modification (behaviour changes or bug backports) directly into Liferay core files, is this the right way to process? Must they do like you and create an ext-<core_file_to_change>.jar file?

Jérôme
Updated 11 years ago by Hitoshi Ozawa.

RE: Binary patch available for Liferay Portal 6.1 GA1

Liferay Legend Posts: 7942 Join Date: 10/03/24 Recent Posts
Also, my colleagues produce some modification (behaviour changes or bug backports) directly into Liferay core files, is this the right way to process? Must they do like you and create an ext-<core_file_to_change>.jar file?


It's recommended to create an ext plugin instead of directly modifying liferay source unless you're willing to create your own patch.

Binary security patch may overwrite your modifications or may not work correctly with your modifications. It's recommended to test the patch before applying it to a production server.
If your colleagues know how to build liferay from source, it may be more advantageous to use source code diff files so you'll be able to know which files are going to be changed.
Updated 11 years ago by Oliver Bayer.

RE: Binary patch available for Liferay Portal 6.1 GA1

Liferay Master Posts: 894 Join Date: 09/02/18 Recent Posts
Hi,

thanks for the info. I was just curious because the naming of the jars seems to be (at least in a way) similar to an ext plugin. So the loading order is: original files -> patch files -> ext plugin files, right?

If the patch (or an upcoming one) modifies a class or jsp file I have overridden in an ext plugin I have to get the source patch and merge the changes in the ext plugin. Is this approach correct? If so wouldn't it be more comfortable to include the source files in the binary patch zip file too so that you only have to download one file instead of having to use patch/git tools to get the source files.

Oli
Updated 11 years ago by Hitoshi Ozawa.

RE: Binary patch available for Liferay Portal 6.1 GA1

Liferay Legend Posts: 7942 Join Date: 10/03/24 Recent Posts
Thank you very much!
Updated 11 years ago by Ákos Gábriel.

RE: Binary patch available for Liferay Portal 6.1 GA1

Junior Member Posts: 33 Join Date: 09/10/05 Recent Posts
Could you please point me to the download link? Thanks!
Updated 11 years ago by Hitoshi Ozawa.

RE: Binary patch available for Liferay Portal 6.1 GA1

Liferay Legend Posts: 7942 Join Date: 10/03/24 Recent Posts
Downloads: http://www.liferay.com/community/security-team/known-vulnerabilities

Information: http://www.liferay.com/community/security-team/cst-process
Updated 11 years ago by Ákos Gábriel.

RE: Binary patch available for Liferay Portal 6.1 GA1

Junior Member Posts: 33 Join Date: 09/10/05 Recent Posts
Hitoshi Ozawa:
Downloads: http://www.liferay.com/community/security-team/known-vulnerabilities

Information: http://www.liferay.com/community/security-team/cst-process


Thanks for the links, I found these too, these are sources.
Given the subject I was expecting a binary package being available.
Updated 11 years ago by Drew Blessing.

RE: Binary patch available for Liferay Portal 6.1 GA1

Junior Member Posts: 78 Join Date: 11/01/27 Recent Posts
Ákos Gábriel:
Given the subject I was expecting a binary package being available.


Binaries can be found here: https://github.com/community-security-team/liferay-portal/downloads

I don't think it's quite clear where to download the binaries but they are there.
Updated 11 years ago by Denis Signoretto.

RE: Binary patch available for Liferay Portal 6.1 GA1

Expert Posts: 375 Join Date: 09/04/21 Recent Posts
Hi James,

I have downloaded the latest binary cumulative patch (6.1.1-ce-ga2-security-2.0.zip).

Is the procedure described in README.txt for all application servers?
Does it apply also to WebSphere? (It seems that copying ext-impl.jar into the liferay WEB-INF\lib folder does not overwrite the original classes)

Thanks,
Denis.
Updated 11 years ago by Hitoshi Ozawa.

RE: Binary patch available for Liferay Portal 6.1 GA1

Liferay Legend Posts: 7942 Join Date: 10/03/24 Recent Posts
Liferay's binary patch should only modify liferay's files and should be application server independent.