latest security updates for WSO2 IS

latest security updates for WSO2 IS

Roman CHRENKO

Hi.

I tried to download security patches for WSO2 IS from https://wso2.com/security-patch-releases/identity-server.

This page shows that the latest security patch is "WSO2-CARBON-PATCH-4.4.0-1665" from Dec. 2017 and that it is for version 1.2.0.

But is it really the correct version? Identity Server version 1.2.0? Isn't it a mistake?

Link "Security Advisory Link" redirects to https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0326 which shows no Identity Server among the affected products.

And I have another question about the latest security updates for WSO2 IS.

When I try to download any other security patch, for example http://product-dist.wso2.com/downloads/carbon/wilkes/patch0991/WSO2-CARBON-PATCH-4.4.0-0991.zip from Sept. 2017, it asks me for an SVN username and password. Does it mean that it is available only for users whose credentials are associated with an active WSO2 subscription?

If not, how can I create an SVN account for downloading security patches?

Best regards,

Roman

_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

Re: latest security updates for WSO2 IS

Pubudu Gunatilaka-2
+ Adding Tharindu and Prakhash

On Mon, Jan 8, 2018 at 9:11 PM, Roman CHRENKO <[hidden email]> wrote:

Hi.

I tried to download security patches for WSO2 IS from https://wso2.com/security-patch-releases/identity-server.

This page shows that the latest security patch is "WSO2-CARBON-PATCH-4.4.0-1665" from Dec. 2017 and that it is for version 1.2.0.

But is it really the correct version? Identity Server version 1.2.0? Isn't it a mistake?

Link "Security Advisory Link" redirects to https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0326 which shows no Identity Server among the affected products.

And I have another question about the latest security updates for WSO2 IS.

When I try to download any other security patch, for example http://product-dist.wso2.com/downloads/carbon/wilkes/patch0991/WSO2-CARBON-PATCH-4.4.0-0991.zip from Sept. 2017, it asks me for an SVN username and password. Does it mean that it is available only for users whose credentials are associated with an active WSO2 subscription?

If not, how can I create an SVN account for downloading security patches?

Best regards,

Roman

--
Pubudu Gunatilaka
Committer and PMC Member - Apache Stratos
Senior Software Engineer 
WSO2, Inc.: http://wso2.com
mobile : +94774078049



Re: latest security updates for WSO2 IS

tharindue
Hi Roman,

WSO2-CARBON-PATCH-4.4.0-1665 is applicable to the following WSO2 products, which are listed in the readme file of the patch.

DSS-3.5.1, IS-5.2.0, IS-Analytics-5.2.0, ML-1.2.0, CEP-4.2.0, DAS-3.1.0

So, according to the above, it is applicable to Identity Server 5.2.0 version. You have mentioned the version 1.2.0, which should be for Machine Learner 1.2.0 version.

You have mentioned that the security advisory https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0326 does not list Identity Server. The reason for that is, we publicly release security advisories and security patches only for the latest version of WSO2 products. At the time this advisory was released, the latest version of WSO2 Identity Server was 5.4.0 version, which was not affected by this vulnerability. Therefore the above advisory has not listed Identity Server.

The publicly released security patches do not require authentication for downloading. I double checked the following link you provided and it does not require authentication, and simply downloads the zip file.
If you need further clarifications, feel free to get back.

Thanks,
Tharindu Edirisinghe


--

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586



Re: latest security updates for WSO2 IS

tharindue
Hi Roman,

As you have mentioned, in the link [1], it lists WSO2-CARBON-PATCH-4.4.0-1665 patch and shows the applicable Identity Server version as 1.2.0. It is not correct and we will remove this entry from the web page.

[1] https://wso2.com/security-patch-releases/identity-server

Thanks,
Tharindu Edirisinghe

--

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586

