Hi Shenavi,

As a practice, we announce security fixes to customers via a support ticket and then provide them publicly for each product [1].

[1] - http://wso2.com/security-patch-releases/

Regards,
Nira

On Wed, Nov 30, 2016 at 7:42 AM, Prakhash Sivakumar <[email protected]> wrote:

> Hi Shenavi,
>
> We have issued a patch to prevent CSRF attacks in all the products based
> on carbon 4.2.0. Please apply the patch [1].
>
> [1] WSO2-CARBON-PATCH-4.2.0-1464 - http://product-dist.wso2.com/downloads/carbon/4.2.0/WSO2-CARBON-PATCH-4.2.0-1464.zip?utm_source=pagedirect&utm_medium=product&utm_campaign=sp_page_4.2.0-1464
>
> On Tue, Nov 29, 2016 at 9:57 PM, Shenavi de Mel <[email protected]> wrote:
>
>> Hi All
>>
>> In an attempt to mitigate the CSRF attacks from jaggery apps using
>> application server 5.2.1 it was recommended to use the CSRF attacks
>> following the guide to Implement CSRF prevention based on OWASP CSRFGuard
>> [1]. But it was mentioned that this is supported for products with kernel
>> version 4.4.6 and after and also jaggery version should be 0.12.6.
>>
>> Are there any patches issued to prevent these attacks for jaggery apps
>> using application server 5.2.1? Or what is the best approach to follow to
>> avoid these attacks with the versions I am using? Your input on this would
>> be highly appreciated.
>>
>> [1] https://docs.wso2.com/display/ADMIN44x/Mitigating+Cross+Site+Request+Forgery+Attacks
>>
>> Thanks and Regards
>> Shenavi
>>
>> *Shenavi de Mel*
>> Software Engineer
>> WSO2 Inc: http://wso2.com
>> email: [email protected]
>
> --
> Prakhash Sivakumar
> Software Engineer | WSO2 Inc
> Platform Security Team
> Mobile : +94771510080
> Blog : https://medium.com/@PrakhashS

--
*Niranjan Karunanandham*
Associate Technical Lead - WSO2 Inc.
WSO2 Inc.: http://www.wso2.com
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
