uPortal Release Wave - May 2026

uPortal
May 4, 2026
Benito Gonzalez, uPortal Community

Hi all,
 
Wrapping up a release wave that brings the actively-maintained portlet fleet to a consistent baseline. Over the past two days, ten portlets shipped patch / minor releases, all aligned to uportal-portlet-parent v51:
 
- AnnouncementsPortlet 2.5.2
- basiclti-portlet 1.5.1
- BookmarksPortlet 1.3.1
- CalendarPortlet 2.7.1
- CoursesPortlet 2.1.1
- FeedbackPortlet 1.3.1
- JasigWidgetPortlets 2.4.1
- NewsReaderPortlet 5.1.2
- SimpleContentPortlet 3.4.1
- WebproxyPortlet 2.4.1
 
All ten are drop-in upgrades — no schema changes, no portlet-API contract changes, no portlet-preferences migrations. Earlier in the wave, NotificationPortlet 4.8.2 and uportal-portlet-parent v51 itself shipped as the dependencies the rest of the wave was built on.
 
Security: the wave closes three CVE-tracked issues across the fleet — CVE-2023-37460 (plexus-archiver symlink path traversal during WAR packaging), CVE-2025-48924 (commons-lang 2.x DoS in StringUtils.escapeJava), and CVE-2012-5783 (commons-httpclient SSL hostname verification, where the dep was still pinned). Plus per-portlet bumps for jackson, logback, bouncycastle (→ bcprov-jdk18on), xstream, hsqldb, and others.
 
Bug fixes worth calling out: an initNews NPE in NewsReaderPortlet, a double-? in proxied URLs in WebproxyPortlet, a NoopHostnameVerifier removal in JasigWidgetPortlets that was disabling outbound HTTPS hostname checks, a videos.jsp XSS fix in NewsReader, and innerHTML XSS hardening in JasigWidget.
 
Frontend: several portlets picked up jQuery / Bootstrap modernization passes from @Naenyn, including dropping bundled JavaScript in favor of the resource-server webjars.
 
What's still deferred (fleet-level, gated by Spring 6 / Jakarta EE): Hibernate ORM 7.x, pluto-taglib v3, jaxb-xjc v4, portletmvc4spring 6.x, Pluto retirement decisions. CalendarPortlet 3.0.0 is also tracked separately to drop on-prem Exchange / NTLM support and migrate to httpclient 4.x.
 
Release notes for each portlet are linked from the GitHub Releases page on the respective repo. The uportal-project.github.io developer manual's Maven release process doc was also updated with a couple of recovery scenarios encountered during the wave — see PR #99.
 
Thanks to everyone who reviewed PRs and to @Naenyn / @ChristianMurphy for the contributed cleanup work.
 
- B
 
--
Benito J. Gonzalez
Software Architect
Unicon, Inc.
