June 2020 Security patches for Liferay Portal 7.1 and 7.2

Downloads:

All vulnerabilities fixed in these patches have already been fixed in Liferay Portal 7.3 GA3. Please refer to the readme file for a list of issues addressed in each patch. For more information on working with patches, please see Patching Liferay Portal.


Hey Liferay,

please provide binary patches for 7.1 GA4 and 7.2 GA2 to help the community out with the pain of generating them by ourselves (and we can't be sure if generating binaries was complete / successful). Any help would be really appreciated!

We are supposed to apply this patch to the already patched version (Security Patch March) of Liferay 7.1.3 GA4, right?

So the process would be:

1. Get Source of 7.1.3 GA4 /master ?
2. Apply Security Patch of March to 7.1.3 GA4 /master/ ?
3. Apply Security Patch of June to the now patched version of 7.1.3 GA4 ?

Is this correct? @Wu Yuxing

Any chance to at least provide us an already "march-patched" version of 7.1.3 GA4?

Hi Fredi B,

You're right. We need to apply the June 2020 Security patch to the already patched version (Security Patch March) of Liferay 7.1.3 GA4.

Hello Arun,

Thank you for the binary patches. I want to add a link to your patches in my post.

Is that ok with you?

Hello Wu Yuxing and Arun Das,

Arun has a list of jars that have to be replaced in specific folders in an existing liferay installation. I want to get to this too but:

If I compile from https://github.com/community-security-team/liferay-portal/tree/7.1.3-cumulative I get a whole bundles folder. How can I determine which JAR files changed so I can only replace the patched ones that have changed instead of the whole bundles folder?

And of course the files from tomcat\webapps\ROOT\html which are not JAR files.

hey marvin,

I found the changed files from the following commit (7.2.1-cumulative branch)

https://github.com/community-security-team/liferay-portal/commit/064e6b01afa1e087e4c6bbaf7f71c97ee33f3ee9

You need to check which files have been changed and then apply those.

Sorry that I am asking again:


What is the fastest and easiest way to get from a .java, .jsp or .property file to the corresponding built compiled .jar file?

And how will I know if I have to put them into the osgi\marketplace\override folder?

Because after compiling my osgi\marketplace\override is empty.

Hi Marvin,

Usually I find the corresponding built compiled .jar file by checking the path of the changed file.

For example:

We changed AMAuthVerifierFilter.java (https://github.com/community-security-team/liferay-portal/commit/afda58bf8a7b6c6cc840646d756e90cf01639b35#diff-0a945d22792294a95b45ac724265c37eR30).

The path of AMAuthVerifierFilter.java is "modules/apps/adaptive-media/adaptive-media-web/src/main/java/com/liferay/adaptive/media/web/internal/servlet/filter/AMAuthVerifierFilter.java", so I know it's in the adaptive-media-web module.

And then I look at the bnd file of the adaptive-media-web module to get the jar info (https://github.com/community-security-team/liferay-portal/blob/master/modules/apps/adaptive-media/adaptive-media-web/bnd.bnd)

By the way, there is a readme file in osgi\marketplace\override; it may be helpful to you.
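As an added example (not code from this thread or from Liferay), the following Python script automates the lookup Wu Yuxing describes above, changed source path to the enclosing module's bnd.bnd to its Bundle-SymbolicName to the jar name, and also covers the two non-OSGi cases Marvin asked about: portal-impl sources and the plain files under tomcat/webapps/ROOT/html. The module tree, bnd.bnd contents and changed-file list are constructed, and the location of portal-impl.jar under tomcat/webapps/ROOT/WEB-INF/lib is an assumption about the bundle layout; where each module jar is finally dropped (e.g. osgi/marketplace/override) is left to the readme Wu points at.

```python
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a liferay-portal checkout: only bnd.bnd files are needed.
CONSTRUCTED_TREE = {
    "modules/apps/adaptive-media/adaptive-media-web/bnd.bnd":
        "Bundle-SymbolicName: com.liferay.adaptive.media.web\n",
}
# Constructed changed-file list, in the shape of `git diff --name-only`.
CHANGED_FILES = [
    "modules/apps/adaptive-media/adaptive-media-web/src/main/java/com/liferay"
    "/adaptive/media/web/internal/servlet/filter/AMAuthVerifierFilter.java",
    "portal-impl/src/com/liferay/portal/template/TemplateManagerUtil.java",
    "portal-web/docroot/html/common/themes/top_js.jspf",
    "README.markdown",
]

def module_root(repo, rel_path):
    """Nearest ancestor of the changed file (below repo) that holds a bnd.bnd."""
    parents = [p for p in (repo / rel_path).parents if p != repo and repo in p.parents]
    return next((p for p in parents if (p / "bnd.bnd").is_file()), None)

def artifact_for(repo, rel_path):
    """Map one changed source path to the bundle artifact that must be replaced."""
    root = module_root(repo, rel_path)
    if root:  # OSGi module: the built jar is named after Bundle-SymbolicName
        bnd = (root / "bnd.bnd").read_text()
        return re.search(r"^Bundle-SymbolicName:\s*(\S+)", bnd, re.M).group(1) + ".jar"
    if rel_path.startswith("portal-impl/"):  # assumed location in the bundle
        return "tomcat/webapps/ROOT/WEB-INF/lib/portal-impl.jar"
    if rel_path.startswith("portal-web/docroot/"):  # plain web files, no jar
        return "tomcat/webapps/ROOT/" + rel_path[len("portal-web/docroot/"):]
    return None  # not shipped in the bundle

def changed_artifacts(repo, changed):
    """Return (sorted artifacts to replace, sources that map to no artifact)."""
    found, unmapped = set(), []
    for path in changed:
        artifact = artifact_for(repo, path)
        found.add(artifact) if artifact else unmapped.append(path)
    return sorted(found), unmapped

def demo():
    repo = Path(tempfile.mkdtemp())  # materialise the constructed tree
    for rel, text in CONSTRUCTED_TREE.items():
        (repo / rel).parent.mkdir(parents=True, exist_ok=True)
        (repo / rel).write_text(text)
    return changed_artifacts(repo, CHANGED_FILES)
```

Run it against a real checkout by replacing the constructed tree with the repository root and feeding it the output of `git diff --name-only` for the security commit; anything that ends up in the unmapped list needs a manual look.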

Hey there, sorry for the late reply, I was testing out the patch. When I try to install the patches, I get the following errors

ERROR [Framework Event Dispatcher: Equinox Container: e1c9b7c0-87aa-483f-9beb-e76cb5dff9d1][Framework:93] FrameworkEvent ERROR org.osgi.framework.BundleException: Could not resolve module: com.liferay.portal.template.freemarker [1054]_  Unresolved requirement: Import-Package: com.liferay.portal.template; version="[2.2.0,3.0.0)"_ [Sanitized]

at org.eclipse.osgi.container.Module.start(Module.java:444) .........................................

......................................... ERROR [Framework Event Dispatcher: Equinox Container: e1c9b7c0-87aa-483f-9beb-e76cb5dff9d1][Framework:93] FrameworkEvent ERROR org.osgi.framework.BundleException: Could not resolve module: com.liferay.portal.template.velocity [1055]_  Unresolved requirement: Import-Package: com.liferay.portal.template; version="[2.2.0,3.0.0)"_ [Sanitized]

at org.eclipse.osgi.container.Module.start(Module.java:444)

When I check the headers for the system bundle using gogo shell (headers 0), I noticed this

com.liferay.portal.template;version="2.1.1",

which means the new version is not loaded.

Then I open up the portal-impl.jar and check the manifest, which shows the correct version com.liferay.portal.template;version="2.2.0". If I run directly from the built bundle, rather than applying the fix to the 7.2.1GA2, it works well without any errors.

Any idea what would be wrong? Better to link after fixing this issue

Hi Arun,

I did a test, I applied the source patch to the 7.2.1GA2, and then I built a new bundle, I can start the new bundle successfully without any errors.

Are you applying your binary patches to the 7.2.1GA2? If so, do you clear the <liferay-home>\osgi\state folder?

Hi Yuxing,

As I built from the source, I can run successfully. But when I apply the binary patch to the Liferay 7.2.1 GA bundle, the error shows up, and yes, I clear the osgi\state folder before starting up. Below are the steps I did for testing the binary patch:

1. Unzip the liferay-ce-portal-tomcat-7.2.1-ga2-20191111141448326.tar.gz bundle and set up the portal (start, set up the database and verify the portal is running).
2. Shut down the portal and clear up the <liferay-home>/tomcat/temp, <liferay-home>/tomcat/work and <liferay-home>/osgi/state folders.
3. Copy the binary patches to the respective folders.
4. Start the portal.

and the errors show up. When I check the headers for the system bundle (gogo shell > headers 0), it still shows the old version com.liferay.portal.template;version="2.1.1". But inside the MANIFEST file for portal-impl.jar, the version is portal.template;version="2.2.0".


Hi Yuxing,

I was able to fix the issue. Please find the latest binary patches for 7.2.1 GA2 at the following link

https://1drv.ms/u/s!AtN9b49hmJkTiIg6Gu4Px9AUkGmpEQ?e=reDlZ4

SHA256 Checksum : 11544f279d1451ee5daab7490dc20b5c024b089bed7de430157a5624fdbdc9ea

Also, please help delete my previous comment containing the link for the old patches as I've removed those.

Regards,

Arun

I have created a binary patch for Liferay 7.1.3 GA4 from the sources. https://nextcloud.convotis.com/s/JSnQtJTB5e23psj

The patch is a cumulative patch, so it contains the March 2020 Security fixes, too. You should be able to apply it to an unpatched Liferay as well as to a Liferay 7.1.3 GA4 with the March patch.

As I wrote in my blog post (https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches) just copy the files to your Liferay installation and overwrite every file found. Afterwards you have to delete the following folders to avoid any issues with cached files:

* bundles\osgi\state
* bundles\tomcat-9.0.17\temp
* bundles\tomcat-9.0.17\work
* bundles\work

Known Issues: After patching, the portal reports "Liferay 7.1.2 GA4" as its version. This is because the version number is wrong in the original Liferay 7.1.3 branch (see discussion here: https://liferay.dev/blogs/-/blogs/creating-liferay-security-binary-patches#dlki_messageScroll119140117). Feel free to test it and add it to this blog post. Disclaimer: I do not guarantee that creating the patches will work for you. I do not take any responsibility if the patches do not work, for any data loss or for a non-working or destroyed Liferay installation. Create backups first!