Hi Lasindu,

That is a good alternative. But anyway we will have to test our webapps thoroughly after applying kernel patches. Since Carbon user core has been patched multiple times we may have to completely test identity related features (oauth, jwt tokens, metadata service etc.) as well.

IMO, it is better to properly fix this in p2 profile by uplifting the webapp mgt feature. Also that is not the only feature I had to uplift.

@All: appreciate your thoughts on this. Are we going to do this in next release?

Thanks.

On Tue, Aug 18, 2015 at 1:35 PM, Lasindu Charith <lasi...@wso2.com> wrote:

> Hi Akila,
>
> Instead of uplifting the webapp.mgt.feature version, you might be able to
> use security patch WSO2-CARBON-PATCH-4.2.0-1262 from [1]
> which upgrades embedded tomcat version from 7.0.34 to 7.0.55.
>
> [1] http://wso2.com/products/identity-server/#Security-Patches
>
> Thanks,
>
> On Tue, Aug 18, 2015 at 9:22 AM, Akila Ravihansa Perera <raviha...@wso2.com> wrote:
>
>> Hi,
>>
>> I've been working on applying Carbon kernel patches up to patch0011 to
>> Stratos. These kernel patches provide various bug fixes and security fixes
>> for Carbon which is the underlying platform of Stratos. While testing with
>> the patches I observed that webapp mgt features are broken after patch0010.
>> This is because patch0010 contains an upgraded Tomcat version (embedded
>> Tomcat for Carbon) which was released to fix a security vulnerability [1].
>> This newer Tomcat version contains some API changes, hence webapp mgt ver.
>> 4.2.2 feature currently installed in Stratos is not compatible with kernel
>> patch0010.
>>
>> The fix would be to uplift webapp mgt feature to ver. 4.2.3 which I have
>> already done and tested basic functionality in REST API and console app.
>> But we will have to do extensive testing of Carbon UI and other webapps
>> (api, metadata, console, mockiaas, oauth2) before we release it. I've all
>> the changes done in my fork and ready to be pushed to master. Are we going
>> with this for next patch release? What are your thoughts?
>>
>> Changes made to p2 profile:
>> - uplifted org.wso2.carbon.webapp.mgt.feature to 4.2.3
>> - uplifted org.wso2.carbon.logging.mgt.feature.group to 4.2.2
>>
>> [1] https://wso2.org/jira/browse/CARBON-15181
>>
>> Thanks.
>>
>> --
>> Akila Ravihansa Perera
>> WSO2 Inc.; http://wso2.com/
>>
>> Blog: http://ravihansa3000.blogspot.com
>
> --
> *Lasindu Charith*
> Software Engineer, WSO2 Inc.
> Committer & PMC Member, Apache Stratos
> Mobile: +94714427192 | Web: blog.lasindu.com

--
Akila Ravihansa Perera
WSO2 Inc.; http://wso2.com/

Blog: http://ravihansa3000.blogspot.com