Hi Roman, WSO2-CARBON-PATCH-4.4.0-1665 is applicable to following WSO2 products, which is listed in the readme file of the patch.
DSS-3.5.1, IS-5.2.0, IS-Analytics-5.2.0, ML-1.2.0, CEP-4.2.0, DAS-3.1.0 So, according to above, it is applicable to Identity Server 5.2.0 version. You have mentioned the version 1.2.0, which should be for Machine Learner 1.2.0 version. You have mentioned that the security advisory https://docs.wso2.com/display/ Security/Security+Advisory+WSO2-2017-0326 does not list Identity Server. The reason for that is, we publicly release security advisories and security patches only for the latest version of WSO2 products. At the time of this advisory got released, the latest version of WSO2 Identity Server was 5.4.0 version which was not affected by this vulnerability. Therefore the above advisory has not listed Identity Server. The publicly released security patches do not require authentication for downloading. I double checked the following link you provided and it does not require authentication, and simply downloads the zip file. http://product-dist.wso2.com/downloads/carbon/wilkes/ patch0991/WSO2-CARBON-PATCH-4.4.0-0991.zip If you need further clarifications, feel free to get back. Thanks, Tharindu Edirisinghe <https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2017-0326> On Mon, Jan 8, 2018 at 10:41 AM, Roman CHRENKO <[email protected]> wrote: > Hi. > > I tried to download security patches for WSO2 IS from > https://wso2.com/security-patch-releases/identity-server. > > This pages shows that the latest security patch is > "WSO2-CARBON-PATCH-4.4.0-1665" from Dec. 2017 and that it is for version > 1.2.0. > > But is it really the correct version? Identity Server version 1.2.0? Isn't > it a mistake? > > Link "Security Advisory Link" redirects to https://docs.wso2.com/display/ > Security/Security+Advisory+WSO2-2017-0326 which shows no Identity Server > between affected products. > > > > And I have another question to latest security updates for WSO2 IS. > > When I try to download any other security patch, for example > http://product-dist.wso2.com/downloads/carbon/wilkes/ > patch0991/WSO2-CARBON-PATCH-4.4.0-0991.zip from Sept.2017, it asks from > me SVN username and password. Does it mean that it is avaliable only for > users which credentials are associated with an active WSO2 subscription? > > If not, how can I create SVN account for downloading security patches? > > > > Best regards, > > Roman > > > > > > _______________________________________________ > Architecture mailing list > [email protected] > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > > -- Tharindu Edirisinghe Senior Software Engineer | WSO2 Inc Platform Security Team Blog : http://tharindue.blogspot.com mobile : +94 775181586
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
