Hi Roman,

As you have mentioned, the link [1] lists the
WSO2-CARBON-PATCH-4.4.0-1665 patch and shows the applicable Identity Server
version as 1.2.0. This is not correct and we will remove this entry from the
web page.

[1] https://wso2.com/security-patch-releases/identity-server

Thanks,
Tharindu Edirisinghe

On Mon, Jan 8, 2018 at 11:32 AM, Tharindu Edirisinghe <tharin...@wso2.com>
wrote:

> Hi Roman,
>
> WSO2-CARBON-PATCH-4.4.0-1665 is applicable to the following WSO2 products,
> which are listed in the readme file of the patch.
>
> DSS-3.5.1, IS-5.2.0, IS-Analytics-5.2.0, ML-1.2.0, CEP-4.2.0, DAS-3.1.0
>
> So, according to the above, it is applicable to Identity Server version 5.2.0.
> You have mentioned the version 1.2.0, which should be for Machine Learner
> version 1.2.0.
>
> You have mentioned that the security advisory
> https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0326
> does not list Identity Server. The reason for that is that we publicly release
> security advisories and security patches only for the latest version of
> WSO2 products. At the time this advisory was released, the latest
> version of WSO2 Identity Server was 5.4.0, which was not affected by
> this vulnerability. Therefore the above advisory has not listed Identity
> Server.
>
> The publicly released security patches do not require authentication for
> downloading. I double checked the following link you provided and it does
> not require authentication, and simply downloads the zip file.
>
> http://product-dist.wso2.com/downloads/carbon/wilkes/patch0991/WSO2-CARBON-PATCH-4.4.0-0991.zip
>
> If you need further clarifications, feel free to get back.
>
> Thanks,
> Tharindu Edirisinghe
>
> On Mon, Jan 8, 2018 at 10:41 AM, Roman CHRENKO <roman_chre...@tempest.sk>
> wrote:
>
>> Hi.
>>
>> I tried to download security patches for WSO2 IS from
>> https://wso2.com/security-patch-releases/identity-server.
>>
>> This page shows that the latest security patch is
>> "WSO2-CARBON-PATCH-4.4.0-1665" from Dec. 2017 and that it is for version
>> 1.2.0.
>>
>> But is it really the correct version? Identity Server version 1.2.0?
>> Isn't it a mistake?
>>
>> The link "Security Advisory Link" redirects to
>> https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0326
>> which shows no Identity Server among the affected products.
>>
>>
>>
>> And I have another question about the latest security updates for WSO2 IS.
>>
>> When I try to download any other security patch, for example
>> http://product-dist.wso2.com/downloads/carbon/wilkes/patch0991/WSO2-CARBON-PATCH-4.4.0-0991.zip
>> from Sept. 2017, it asks me for an SVN username and password. Does it mean
>> that it is available only for users whose credentials are associated with
>> an active WSO2 subscription?
>>
>> If not, how can I create an SVN account for downloading security patches?
>>
>>
>>
>> Best regards,
>>
>> Roman
>>
>>
>>
>>
>>
>> _______________________________________________
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>>
>
>
> --
>
> Tharindu Edirisinghe
> Senior Software Engineer | WSO2 Inc
> Platform Security Team
> Blog : http://tharindue.blogspot.com
> mobile : +94 775181586
>



-- 

Tharindu Edirisinghe
Senior Software Engineer | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586