WSO2 Carbon core security hotfix


Afkham Azeez-2
Important Security Hot Fix
--------------------------
Applies to: Carbon 1.5 & 1.5.1

Download hot fix: http://wso2.org/downloads/carbon/security_hot_fix

This fixes the security issue described in
https://issues.apache.org/jira/browse/AXIS2-4279

In summary, any file within an Axis2 AAR's META-INF directory could be viewed
by navigating to the
http://<ip>:<port>/services/<service-name>?xsd=<filename> URL.
e.g. http://localhost:9763/service/HelloService?xsd=services.xml will reveal
the services.xml descriptor to outsiders, if this patch is not applied.

How to Apply the Patch
----------------------
0. Stop the Carbon instance
1. Copy the wso2carbon-core-1.5.1.jar to
$CARBON_HOME/webapps/ROOT/WEB-INF/patches
2. Delete directory $CARBON_HOME/lib/tomcat/work
3. Restart the Carbon instance

Reverting the Patch
--------------------
In case you need to revert this patch, please do the following

0. Stop the Carbon instance
1. Delete
$CARBON_HOME/webapps/ROOT/WEB-INF/patches/wso2carbon-core-1.5.1.jar
2. Delete directory $CARBON_HOME/lib/tomcat/work
3. Restart the Carbon instance



_______________________________________________
Wsas-java-user mailing list
https://wso2.org/cgi-bin/mailman/listinfo/wsas-java-user

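Requests of the `?xsd=<filename>` form described in the message above show up in HTTP access logs, so an operator can check whether descriptors were read before the hot fix went in. The following is an added example, not part of the original message or of WSO2's code. It assumes Common Log Format access logs, Carbon deployed at the root context, and that legitimate schema requests only ask for `xsdN` or `*.xsd` names; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Common Log Format, e.g. from a Tomcat access log valve.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: normal schema lookups use generated names (xsd0) or *.xsd files.
SCHEMA_NAME_RE = re.compile(r'^(?:xsd\d+|[\w.-]+\.xsd)$', re.IGNORECASE)
# The message uses both /services/ (pattern) and /service/ (example).
SERVICE_ROOTS = {"services", "service"}

def find_metainf_reads(lines):
    """Return ?xsd= requests that name something other than a schema."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        parts = [p for p in url.path.split("/") if p]
        roots = [i for i, p in enumerate(parts) if p in SERVICE_ROOTS]
        if not roots or roots[0] == len(parts) - 1:
            continue  # not a /services/<service-name> request
        service = "/".join(parts[roots[0] + 1:])
        # parse_qs percent-decodes, so %73ervices.xml is seen as services.xml
        for name in parse_qs(url.query, keep_blank_values=True).get("xsd", []):
            if not SCHEMA_NAME_RE.match(name):
                hits.append({"client": m["client"], "time": m["ts"],
                             "service": service, "file": name,
                             "status": int(m["status"])})
    return hits

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:01:02 +0000] "GET /services/HelloService?wsdl HTTP/1.1" 200 2311',
    '192.0.2.10 - - [01/Jan/2024:10:01:03 +0000] "GET /services/HelloService?xsd=xsd0 HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:04:40 +0000] "GET /services/HelloService?xsd=services.xml HTTP/1.1" 200 640',
    '198.51.100.7 - - [01/Jan/2024:10:04:41 +0000] "GET /services/HelloService?xsd=MANIFEST.MF HTTP/1.1" 404 0',
    '198.51.100.7 - - [01/Jan/2024:10:04:42 +0000] "GET /service/HelloService?xsd=%73ervices.xml HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for hit in find_metainf_reads(SAMPLE_LOG):
        # A 200 status means the file content was actually returned.
        print(hit["time"], hit["client"], hit["service"], hit["file"], hit["status"])
```

Hits with status 200 are the ones to treat as disclosure of that file's contents; other statuses indicate probing only.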