Info required regarding Security+Advisory+WSO2-2021-1603

For the advisory Security+Advisory+WSO2-2021-1603, https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1603 the fix mentioned is to use the public fix at: https://github.com/wso2/carbon-kernel/pull/3145

The major change there is in the login.jsp file in org.wso2.carbon.ui. As these changes are in the compiled Carbon jar, we cannot apply the change directly. My question is whether we can go ahead with using the following direct dependency:

<dependency>
    <groupId>org.wso2.carbon</groupId>
    <artifactId>org.wso2.carbon.ui</artifactId>
    <version>4.6.3</version>
</dependency>

Would this resolve the issue or is there any other fix to be followed? Has WSO2 released a patch version for wso2is v5.11 for the same?



Solution 1:[1]

I would suggest checking out v4.6.1 (which is the release tag for IS 5.11.0 in carbon-kernel) and building the org.wso2.carbon.ui component along with the fix. Then apply it as a patch [1].

Changing the dependency version to 4.6.3 could cause unexpected issues since there might be incompatibilities with other components.

[1] https://docs.wso2.com/display/ADMIN44x/WSO2+Patch+Application+Process
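The procedure in the answer (check out the v4.6.1 tag, build org.wso2.carbon.ui with the PR applied, stage the jar as a patch) as a worked script. This is an added example, not code from the answerer or from WSO2. It assumes the module lives at core/org.wso2.carbon.ui inside carbon-kernel, that GitHub's pull/3145.patch applies cleanly onto v4.6.1 (the script refuses to build if it does not), and that IS 5.11.0 picks patches up from <IS_HOME>/repository/components/patches/patchNNNN/ with the jar named exactly as the bundle under plugins/ (the OSGi form with an underscore before the version), which is the layout the linked patch process describes; the script does not restart the server.

```shell
#!/bin/sh
# Added example (not from the original post or from WSO2): build org.wso2.carbon.ui
# from the carbon-kernel v4.6.1 tag with PR 3145 applied, then stage the jar as a
# WSO2 patch directory under an IS 5.11.0 installation.
# Assumptions (not stated on the page): module path core/org.wso2.carbon.ui, the PR
# applies as a GitHub .patch onto v4.6.1, patch layout repository/components/patches/patchNNNN/.
set -eu

KERNEL_REPO="https://github.com/wso2/carbon-kernel.git"
KERNEL_TAG="v4.6.1"                  # carbon-kernel release used by IS 5.11.0 (from the answer)
PR_PATCH_URL="https://github.com/wso2/carbon-kernel/pull/3145.patch"
UI_MODULE="core/org.wso2.carbon.ui"  # assumed module path inside carbon-kernel

# Print the next unused patchNNNN directory name under the given patches directory.
# Patches are applied in ascending numeric order, so the new one must sort last.
next_patch_dir() {
    base="$1"
    max=0
    for d in "$base"/patch[0-9][0-9][0-9][0-9]; do
        [ -d "$d" ] || continue
        n=$(basename "$d" | sed 's/^patch0*//')
        [ -z "$n" ] && n=0
        [ "$n" -gt "$max" ] && max="$n"
    done
    printf 'patch%04d\n' $((max + 1))
}

# Clone the kernel at the IS 5.11.0 tag, apply the PR, build only the UI module and
# print the absolute path of the resulting jar. Needs git, curl, mvn and network access.
build_patched_ui() {
    workdir="$1"
    git clone -q --depth 1 --branch "$KERNEL_TAG" "$KERNEL_REPO" "$workdir/carbon-kernel"
    cd "$workdir/carbon-kernel"
    curl -fsSL "$PR_PATCH_URL" -o pr3145.patch
    # The PR targets a later branch; stop before building if it does not apply to v4.6.1.
    git apply --check pr3145.patch
    git apply pr3145.patch
    mvn -q -pl "$UI_MODULE" -am -DskipTests clean install
    find "$PWD/$UI_MODULE/target" -maxdepth 1 -name 'org.wso2.carbon.ui-*.jar' \
        ! -name '*-sources.jar' ! -name '*-javadoc.jar'
}

# Copy the built jar into a fresh patchNNNN directory, named like the bundle under plugins/.
# Refuses if no matching bundle exists there, which is the "wrong kernel version" failure mode.
stage_patch() {
    jar="$1"
    is_home="$2"
    patches="$is_home/repository/components/patches"
    plugins="$is_home/repository/components/plugins"
    osgi_name=$(basename "$jar" | sed 's/^org\.wso2\.carbon\.ui-/org.wso2.carbon.ui_/')
    [ -f "$plugins/$osgi_name" ] || {
        echo "no $osgi_name under plugins/: built jar does not match the installed kernel" >&2
        return 1
    }
    target="$patches/$(next_patch_dir "$patches")"
    mkdir -p "$target"
    cp "$jar" "$target/$osgi_name"
    echo "$target/$osgi_name"
}

# Entry point: sh build_ui_patch.sh <workdir> <IS_HOME>
if [ $# -eq 2 ]; then
    jar=$(build_patched_ui "$1")
    staged=$(stage_patch "$jar" "$2")
    echo "staged $staged; restart the server so the patch is copied into plugins/"
fi
```

Because the jar name carries the version, staging a 4.6.3 build against an installation whose plugins/ holds org.wso2.carbon.ui_4.6.1.jar is rejected, which is the mismatch the answer warns about.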

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Sajith