Patch Details
You've downloaded the latest release of Liferay, so now what? In general, the easiest thing to do is download the cumulative binary patch that the CST produces and apply it to your installation of Liferay, and you should be good to go. If you've made modifications to Liferay, or are a developer who is comfortable using the Liferay source code, you can also download the set of source patches that make up the cumulative patch, apply each individually to your copy of the Liferay source code, rebuild, and redeploy.
The CST produces source and binary patches that apply to the latest release of Liferay Portal Community Edition. The CST will not produce patches for older releases, so it is important that CE users run the latest CE release if they want easy-to-apply fixes for critical security issues. Most of the time, the process for applying patches will be straightforward.
Source patches are essentially the output of git diff (which is itself related to the output of the unix diff command). By virtue of the CST maintaining separate branches for each fix (along with a separate cumulative branch), generating patches using GitHub is trivial. Each source patch can be downloaded and applied to a copy of the Liferay source code from the latest released version of Liferay, using either git apply (if you have a proper git clone of the Liferay source) or the unix patch command if you just have a basic Liferay source tree.
Individual source patches may conflict with one another, as they may touch the same lines in the same file. If you want all of the fixes in source form, it is usually better to get the cumulative source patch (see below). The CST does not test all possible combinations of source patches.
If you use the patch command on Windows or Linux, be aware that the line ending differences between OS's might cause trouble (Mac OS X seems to handle it with no special procedures). You may need to use tools to convert line endings, such as dos2unix, before the source patches can be applied. Read below for specific instructions for your operating system.
- Linux (Ubuntu, RedHat, Solaris, Illumos, CentOS, SUSE, ...) and other Unix-based OS's other than Mac OS X
cd $LIFERAY_SRC_HOME ; git apply name-of-downloaded-patch-file
If you don't use git, and just have a basic Liferay source tree (e.g. by downloading a raw .zip file from GitHub), then you can use the unix patch command:
patch -p1 < name-of-downloaded-patch-file
It is recommended that you download the source from GitHub. If you have downloaded the source code from SourceForge.net, be aware that SourceForge code sometimes contains Windows-style line endings, and you may need to first convert them to unix-style line endings using something like:
cd $LIFERAY_SRC_HOME; find . -type f -exec dos2unix {} \;
The dos2unix tool may be installed by default on your Linux distribution, or you may need to install it first (using apt-get, pkg, deb, yum, etc).
- Mac OS X
cd $LIFERAY_SRC_HOME ; git apply name-of-downloaded-patch-file
If you don't use git, see above for instructions.
- Windows
Depending on which tool(s) you are using, you can either use git apply (the recommended method if you are using git; some tools supply a bash-like shell), or consult your git tool's manual on how to apply patch files. If you don't use git, and just have a basic Liferay source tree (e.g. by downloading from the Liferay distribution files), then you can use the GNU patch command for Windows:
patch.exe -p1 < name-of-downloaded-patch-file
Once the source patches have been applied, the Liferay source will need to be re-compiled to generate binaries, by following the normal development processes for Liferay.
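The checks described above can be scripted so that a patch is never half-applied. The following is an added example, not CST or Liferay code: the function names and the sample tree are hypothetical, and it assumes git-style patches (file headers of the form "+++ b/path"). It lists the files a patch touches, flags those that still have Windows line endings, and runs a dry run (git apply --check or patch --dry-run) before applying.

```shell
#!/bin/sh
# Added example, not CST code: pre-flight checks before applying a source patch.

# has_crlf FILE: succeeds if FILE has at least one Windows (CR LF) line ending.
has_crlf() {
    cr=$(printf '\r')
    grep -q "${cr}\$" "$1"
}

# patch_targets PATCH: list the files a git-style patch modifies ("+++ b/<path>").
patch_targets() {
    sed -n 's|^+++ b/||p' "$1"
}

# crlf_targets SRC PATCH: list patched files under SRC that still have CR LF
# endings; hunks generated from LF sources will not match these.
crlf_targets() {
    patch_targets "$2" | while IFS= read -r f; do
        if [ -f "$1/$f" ] && has_crlf "$1/$f"; then printf '%s\n' "$f"; fi
    done
}

# safe_apply SRC PATCH: refuse on CR LF, dry-run, then apply for real.
# PATCH must be an absolute path because the commands run inside SRC.
safe_apply() {
    if [ -n "$(crlf_targets "$1" "$2")" ]; then
        echo "convert line endings first (e.g. dos2unix): $(crlf_targets "$1" "$2")" >&2
        return 2
    fi
    if [ -d "$1/.git" ]; then
        (cd "$1" && git apply --check "$2" && git apply "$2")
    else
        (cd "$1" && patch -p1 --dry-run < "$2" >/dev/null && patch -p1 < "$2")
    fi
}

# Constructed sample: a one-file tree saved with CR LF endings and a
# git-style patch written against the LF version of the same file.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/src/util"
    printf 'line one\r\nline two\r\n' > "$d/src/util/Check.java"
    printf '%s\n' '--- a/util/Check.java' '+++ b/util/Check.java' \
        '@@ -1,2 +1,2 @@' ' line one' '-line two' '+line two, fixed' > "$d/fix.patch"
    printf '%s\n' "$d"
}
```

Because the dry run happens before the real run, a patch that does not apply cleanly leaves the source tree untouched.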
You can also access the cumulative source patch using GitHub's "compare" feature. For example, you can download the cumulative security source patch for Liferay 6.1 CE GA2 (6.1.1) and apply it en masse to your Liferay 6.1 CE GA2 (6.1.1) source base, to get the same result as applying each individual source patch.
Binary Patch
To maximize ease of use, ensure quality, and minimize maintenance, the CST will maintain a single cumulative binary patch for the latest Liferay release that contains fixes for all known vulnerabilities (you can see the 6.1 CE GA2 cumulative source patch, from which the cumulative binary patch is generated). This avoids the problem of binary patch conflicts, where one patch might clobber another patch's binary changes, resulting in a broken and potentially even more insecure system.
When new security issues are found, the fixes will be added to the existing binary patch, and a new single cumulative binary patch generated (the old patch may still be available but will not contain all of the latest fixes).
Installation of a binary patch depends on the nature of the fixes (some fixes require changes in your app server, others require changes elsewhere). Due to this, each binary patch will contain an obvious README file that describes how to install the patch.