AnnouncementsPortlet 2.5.3

Patch release — single fix on top of 2.5.2.

Fix

The obsolete ch.qos.logback.classic.selector.servlet.ContextDetachingSCL listener has been removed from WEB-INF/web.xml (#356). The class was part of Logback's J2EE selector machinery and was removed in Logback 1.3.x. With uportal-portlet-parent v51 having bumped Logback to 1.5.32 in the 2.5.2 wave, the listener was a tripwire that would fail context startup with ClassNotFoundException the moment Tomcat's listener-loading rules tightened (or any container did strict listener resolution). Caught during uPortal-start smoke testing of the 2026-05 fleet release wave; same fix is landing across uPortal core and the other affected portlets.

The listener also has no functional value — Logback's modern auto-cleanup handles classloader GC and JMX deregistration without needing this hook.

Compatibility

• Drop-in upgrade for any deployment running 2.5.2.
• No dep changes, no schema changes, no API contract changes.
• Java 11, Tomcat 8.5/9.x as before.

Follow-ups

• The same listener removal is shipping (or shipped) across uPortal core (5.17.4), Calendar (2.7.2), JasigWidget (2.4.2), NewsReader (5.1.4), SimpleContent (3.4.2), and Notification (4.8.3) as part of the same fleet sweep.

AnnouncementsPortlet 2.5.2

Tag: Announcements-2.5.2
Maven Central: https://central.sonatype.com/artifact/org.jasig.portlet/Announcements/2.5.2

The first AnnouncementsPortlet release on the new Tier-aligned baseline: parent v51, commons-lang3, notification-portlet-api 4.8.2, and the routine Renovate dep-hygiene cycle.

What's new

Parent migration: uPortal-portlet-parent 44 → 51

Five parent generations rolled up into this release. The most important pieces:

• v48 swapped the dead oss.sonatype.org distributionManagement URLs for the Central Portal staging API, added a <developers> element required by the new portal, and ended the inheritance from the unmaintained oss-parent:9.
• v49 promoted six common license-plugin excludes (target/**, release.properties, .idea/**, overlays/**, .gitignore, **/src/main/webapp/rs/**) into the parent so descendants can drop their local copies.
• v50 bumped maven-war-plugin 3.4.0 → 3.5.1 to pull in plexus-archiver 4.10.4, which patches CVE-2023-37460 (Arbitrary File Creation in AbstractUnArchiver, CVSS 8.1 HIGH). Real-world risk for portlet builds is low (we create WARs, not extract them) but the parent shouldn't ship a known-vulnerable transitive by default.
• v51 replaced commons-lang:2.6 (EOL, unfixed CVE-2025-48924) with commons-lang3:3.20.0 and added commons-text:1.15.0. This release migrates AnnouncementsPortlet's source imports from org.apache.commons.lang.* to org.apache.commons.lang3.* to match.

notification-portlet-api 4.8.0 → 4.8.2

Picks up the NotificationPortlet 4.8.2 frontend modernization (jQuery 4 / Bootstrap 5 / Fluid Infusion removed) for any Announcements UI that renders notification components or shares the modernized stack with NotificationPortlet.

Build / hygiene

• License-plugin local config shrunk to only the AnnouncementsPortlet-specific webapp asset excludes (js/, date-picker/, tinymce/, fonts/); standard excludes/mappings now inherit from parent v49+.
• Local <less>DOUBLESLASH_STYLE</less> mapping override removed; the four .less files re-headered to parent's SLASHSTAR via mvn license:format.
• NOTICE regenerated to reflect the current transitive dep set.
• jaxb2-maven-plugin → v4, maven-surefire-plugin → v3, commons-codec → 1.22.0, uPortal-spring → 5.17.3.
• spring-data → Ingalls-SR23 (security patches).
• RssFeedController migrated to Jackson 2.x API.
• GitHub Actions cycle: actions/checkout@v6, actions/setup-java@v5.

Why no 2.5.1?

A 2.5.1 release was prepared earlier today (the Announcements-2.5.1 tag exists on this repo) but the artifacts never reached Maven Central. mvn release:perform succeeded through to staging upload, but Central Portal's signature validation rejected all five .asc files:

Failed to verify the PGP signature. Please contact support for assistance.

Root cause: the signing key was on keyserver.ubuntu.com but not on keys.openpgp.org, which Central Portal queries first. Other releases on the same key earlier in the day (uportal-portlet-parent 51, NotificationPortlet 4.8.2) had passed — Central Portal's keyserver lookup appears to fall through inconsistently when the key isn't on its primary source. Resolution: the key was uploaded to keys.openpgp.org (with email confirmation) and the release was retried as 2.5.2.

The orphan Announcements-2.5.1 tag remains as historical record of the prepared-but-never-published attempt. Adopters with a 2.5.1 pin somewhere should bump straight to 2.5.2.

Compatibility

• Java: 11 (source/target, fleet floor)
• Spring Framework: 4.3.30.RELEASE
• Hibernate: 5.6.15.Final
• uPortal-spring: 5.17.3
• Tomcat: 8.5/9 runtime (provided by uPortal-start)
• commons-lang3: 3.20.0 (replacing commons-lang 2.6)
• notification-portlet-api: 4.8.2

Migrating from 2.5.0

Bump your org.jasig.portlet:Announcements pin from 2.5.0 to 2.5.2. If you've forked AnnouncementsPortlet and import org.apache.commons.lang.* in custom code on top of it, also rename those imports to org.apache.commons.lang3.*.

Known issues / deferred

• Spring 4.3.x → 5+ migration (Spring 5.x CVEs without 5.x fixes, Spring 6+ requires Java 17 + Jakarta EE) is on the fleet roadmap, not in this release.
• Hibernate 5.6.x carries CVE-2026-0603 with no 5.x fix; Hibernate 6+ has the same Java 17 / Jakarta gate as Spring 6.

Thanks

Thanks to the maintainers for the parent v48 → v51 cascade that made this release possible, and to Renovate for the dep-hygiene cycle.

---

Diff: Announcements-2.5.0...Announcements-2.5.2

Announcements-2.5.0

What's Changed

• Update dependency com.fasterxml.jackson.core:jackson-databind to v2.9.10 [SECURITY] by @renovate in #176
• Update jackson.version to v2.10.0 by @renovate in #178
• Update dependency org.jasig.portal:uPortal-spring to v5.8.1 by @renovate in #177
• Update dependency org.projectlombok:lombok to v1.18.10 by @renovate in #174
• Update dependency com.rometools:rome to v1.12.2 by @renovate in #175
• Update slf4j.version to v1.7.29 by @renovate in #179
• Update jackson.version to v2.10.1 by @renovate in #180
• Update slf4j.version to v1.7.30 by @renovate in #182
• Update dependency junit:junit to v4.13 by @renovate in #183
• Update jackson.version to v2.10.2 by @renovate in #184
• Update dependency org.projectlombok:lombok to v1.18.12 by @renovate in #186
• Update jackson.version to v2.10.3 by @renovate in #188
• Update jackson.version to v2.11.0 by @renovate in #192
• Update dependency org.apache.maven.plugins:maven-checkstyle-plugin to v3.1.1 by @renovate in #187
• Update dependency org.apache.maven.plugins:maven-javadoc-plugin to v3.2.0 by @renovate in #191
• Update spring core to v4.3.26.RELEASE by @renovate in #185
• Update spring core to v4.3.27.RELEASE by @renovate in #193
• Update dependency com.rometools:rome to v1.14.1 by @renovate in #194
• Update jackson.version to v2.11.1 by @renovate in #195
• Update spring core to v4.3.28.RELEASE by @renovate in #198
• Update dependency com.rometools:rome to v1.15.0 by @renovate in #196
• Update dependency org.jasig.portal:uPortal-spring to v5.8.2 by @renovate in #200
• Update jackson.version to v2.11.2 by @renovate in #199
• Update spring core to v4.3.29.RELEASE by @renovate in #206
• Update dependency junit:junit to v4.13.1 by @renovate in #210
• Update dependency org.projectlombok:lombok to v1.18.14 by @renovate in #209
• Update dependency org.projectlombok:lombok to v1.18.16 by @renovate in #212
• Update jackson.version to v2.11.3 by @renovate in #208
• Update spring core to v4.3.30.RELEASE by @renovate in #215
• Update jackson.version to v2.12.0 by @renovate in #214
• Update dependency org.jasig.portal:uPortal-spring to v5.9.0 by @renovate in #217
• Update jackson.version to v2.12.1 by @renovate in #216
• Update dependency org.apache.maven.plugins:maven-checkstyle-plugin to v3.1.2 by @renovate in #220
• Update dependency org.projectlombok:lombok to v1.18.18 by @renovate in #219
• Update dependency junit:junit to v4.13.2 by @renovate in #221
• fix: change GET to POST for removing users from roles by @bjagg in #223
• fix: correct JavaDocs by @bjagg in #225
• chore(deps): update dependency org.projectlombok:lombok to v1.18.20 by @ChristianMurphy in #228
• chore(deps): update jackson.version to v2.12.3 by @ChristianMurphy in #229
• chore(deps): update dependency org.apache.maven.plugins:maven-javadoc-plugin to v3.3.0 by @ChristianMurphy in #230
• fix: correct adding specific user as member by @bjagg in #226
• ci: remove disabled travis ci and appveyor configs, update build badge by @ChristianMurphy in #233
• chore(deps): update slf4j.version to v1.7.31 by @ChristianMurphy in #232
• chore(deps): update dependency org.jasig.portal:uportal-spring to v5.10.0 by @ChristianMurphy in #235
• chore(deps): update dependency com.rometools:rome to v1.16.0 by @ChristianMurphy in #236
• chore(deps): update jackson.version to v2.12.4 by @ChristianMurphy in #237
• chore(deps): update dependency ch.qos.logback:logback-classic to v1.2.5 by @ChristianMurphy in #238
• chore(deps): update slf4j.version to v1.7.32 by @ChristianMurphy in #239
• chore(deps): update dependency org.jasig.portal:uportal-spring to v5.11.0 by @renovate in #240
• chore(deps): update dependency org.apache.maven.scm:maven-scm-provider-gitexe to v1.11.3 by @renovate in #243
• chore(deps): update dependency org.apache.maven.scm:maven-scm-api to v1.11.3 by @renovate in #242
• chore(deps): update actions/setup-java action to v2 by @renovate in #241
• chore(deps): update dependency ch.qos.logback:logback-classic to v1.2.6 by @renovate in #250
• chore(deps): update dependency org.apache.maven.plugins:maven-javadoc-plugin to v3.3.1 by @renovate in #249
• chore(deps): update jackson.version to v2.12.5 by @renovate in #247
• chore(deps): update dependency org.apache.maven.scm:maven-scm-api to v1.12.0 by @renovate in #251
• chore(deps): update dependency org.apache.maven.scm:maven-scm-provider-gitexe to v1.12.0 by @renovate in #252
• chore(deps): update jackson.version to v2.13.0 by @renovate in #253
• chore(deps): update dependency org.projectlombok:lombok to v1.18.22 by @renovate in #254
• chore(deps): update dependency ch.qos.logback:logback-classic to v1.2.7 by @renovate in #255
• chore(deps): update dependency ch.qos.logback:logback-classic to v1.2.8 by @renovate in #256
• chore(deps): update dependency ch.qos.logback:logback-classic to v1.2.9 by @renovate in #257
• chore(deps): update jackson.version to v2.13.1 by @renovate in #258
• chore(deps): update dependency ch.qos.logback:logback-classic to v1.2.10 by @renovate in #259
• chore(deps): update dependency com.rometools:rome to v1.18.0 by @renovate in #260
• chore(deps): update dependency org.apache.maven.scm:maven-scm-api to v1.12.2 by @renovate in #261
• chore(deps): update dependency org.apache.maven.scm:maven-scm-provider-gitexe to v1.12.2 by @renovate in #263
• fix(deps): update dependency org.projectlombok:lombok to v1.18.24 by @renovate in #273
• fix(deps): update slf4j.version to v1.7.36 by @renovate in #274
• chore(deps): update dependency org.apache.maven.plugins:maven-javadoc-plugin to v3.4.0 by @renovate in #275
• chore(deps): update dependency org.apache.maven.scm:maven-scm-api to v1.13.0 by @renovate in https://github.com/uPortal-Project/Announ...

Announcements-2.4.6

Changes since v2.4.5:

Credit to @ChristianMurphy, @cbeach47, @jonathanmtran, and @bjagg for the commits / merges

Fixes

• Added empty overridesContext.xml (#173)
• Comment out debug logging (#169)

Chores

• Updated the following dependencies:
  • Update dependency org.jasig.portal:uPortal-spring to v5.8.0 (#159)
  • Update dependency org.lesscss:lesscss-maven-plugin to v1.7.0.1.1 (#106)
  • Update slf4j.version to v1.7.28 (#171)
  • Update slf4j.version to v1.7.27 (#170)
  • Update spring core to v4.3.25.RELEASE (#168)
  • Update dependency org.codehaus.mojo:jaxb2-maven-plugin to v2.5.0 (#164)

Announcements-2.4.5

Changes since v2.4.4:

Credit to @ChristianMurphy, @cbeach47, @jonathanmtran, @drewwills, and @bjagg for the commits / merges

Fixes

• Converted delete "button" from a link to a real button ( #84 )
• Added MIME type for PNG images ( #152 )

Chores

• Move uportal dependency to type jar ( #139 )
• configure renovate bot ( #93 )
• Updated the following dependencies:
  • ch.qos.logback:logback-classic to v1.2.3 ( #113 )
  • com.fasterxml.jackson.core:jackson-core to v2.9.9 ( #148 )
  • com.fasterxml.jackson.core:jackson-databind to v2.9.9 ( #149 )
  • com.rometools:rome to v1.12.1 ( #156 )
  • javax.servlet:javax.servlet-api to v3.1.0 ( #115 )
  • javax.xml.bind:jaxb-api to v2.3.1 ( #96 )
  • net.sf.ehcache:ehcache to v2.10.6 ( #97 )
  • org.apache.maven.plugins:maven-checkstyle-plugin to v3.1.0 ( #150 )
  • org.apache.maven.plugins:maven-javadoc-plugin to v3.1.1 ( #159 )
  • org.apache.maven.plugins:maven-release-plugin to v2.5.3 ( #99 )
  • org.apache.maven.plugins:maven-surefire-plugin to v2.22.2 ( #145)
  • org.apache.maven.scm:maven-scm-provider-gitexe to v1.11.2 ( #142 )
  • org.codehaus.mojo:jaxb2-maven-plugin to v2.4 ( #102)
  • org.hsqldb:hsqldb to v2.5.0 ( #154 )
  • org.jasig.portal:uportal-spring to v5.7.0 ( #160 )
  • org.jasig.portal.maven:uportal-maven-plugin to v1.0.1 ( #103 )
  • org.jasig.portlet.notification:notification-portlet-api to v2.1.2 ( #105 )
  • org.jasig.resourceserver:resource-server-content to v1.3.1 ( #117 )
  • org.jasypt:jasypt-spring31 to v1.9.3 ( #153 )
  • org.projectlombok:lombok to v1.18.8 ( #146 )
  • org.slf4j:jcl-over-slf4j to v1.7.26 ( #133 )
  • org.slf4j:jul-to-slf4j to v1.7.26 ( #134 )
  • org.springframework:spring-beans to v4.3.22.release ( #120 )
  • org.springframework:spring-context-support to v4.3.22.release ( #121 )
  • org.springframework:spring-core to v4.3.22.release ( #122 )
  • org.springframework:spring-orm to v4.3.22.release ( #123 )
  • org.springframework:spring-test to v4.3.22.release ( #124 )
  • org.springframework:spring-web to v4.3.22.release ( #125 )
  • org.springframework:spring-webmvc to v4.3.22.release ( #126 )
  • rhino:js to v1.7r2 ( #107 )
  • spring core to v4.3.24.release ( #147 )

Announcements-2.4.1

[maven-release-plugin]  copy for tag Announcements-2.4.1

Announcements-2.4.0

• Replace Log4j logging with Logback #70
• Add JSON Resource endpoints for emergencies and normal messages #73

Announcements-2.3.6

Resolves a bug where database connections were not appropriately released (#67, #68)

Announcements-2.3.5

Fixes an exception where a user with role USER. would prevent a topic from appearing. (#66)

Announcements-2.3.4

Refactors styles to inherit Bootstrap provided by uPortal.
This allows for high contrast fixes and skin modifications to be inherited by Announcements portlet without special customization.