
I got WSO2 security updates for Security Advisory fixes, and they have provided a public fix URL. It would be very helpful if anybody could help with instructions on how to apply this public fix to my API Manager server.

Ex: The current version of my API Manager is 2.6.0. The security update I got for WSO2 is: security update link

In that, they have provided the public fix link: public fix.

Here I am not sure how this public fix should be applied to the server.

1 Answer


You can follow these steps.

  1. Clone the repository - carbon-registry
  2. Check out version v4.6.38 of carbon-registry.

You can derive this version, v4.6.38, from the component you patch. For example, GetTextContentUtil.java is part of the org.wso2.carbon.registry.resource component. To find the version in wso2am-2.6.0, navigate to the repository/components/plugins folder. There you can find org.wso2.carbon.registry.resource_4.6.38.jar. Basically, we need to patch this jar.

  3. Apply the fix in the PR
  4. Build the repository; you can find the built jar in the target directory (carbon-registry/components/registry/org.wso2.carbon.registry.resource/target)
  5. Replace the jar in the repository/components/plugins/ folder with that jar. (Make sure you back up your jar.)
  6. Without replacing, you can apply this as a patch as well. To do that, create a folder called patch9999 and add that jar to this folder. Then copy that directory to the repository/components/patches directory.
Pubci
  • Thank you @pubci. Can you please tell me how to check whether applied patches are picked up/working in the server? – Sreekanth Kotagiri Jul 20 '20 at 08:27
  • If you add this as a patch, then at the start of the server it says patches are getting applied. Also there is a patch log if I remember correctly. If you add this jar to plugins, then there is no way to check. – Pubci Jul 21 '20 at 15:59
  • Yes I see patch logs under .\repository\logs\patches.log – Sreekanth Kotagiri Jul 22 '20 at 16:17
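
The patch-folder variant of the answer above (deriving the version from the plugin jar, then placing the rebuilt jar under repository/components/patches/patch9999), as an added shell example that is not part of the original answer or of WSO2's tooling. The function names are hypothetical, and the script assumes that the patch jar must carry the same file name as the plugin jar it overrides.

```shell
#!/bin/sh
# Added example. Directory layout follows the answer; function names are hypothetical.
# Assumption: a jar under repository/components/patches/patchNNNN must have the
# same file name as the plugin jar it overrides (<component>_<version>.jar).

# Print the deployed version of a component, taken from its plugin jar name,
# e.g. org.wso2.carbon.registry.resource_4.6.38.jar -> 4.6.38
component_version() {
    home=$1; component=$2
    set -- "$home"/repository/components/plugins/"$component"_*.jar
    [ -e "$1" ] || { echo "no plugin jar for $component" >&2; return 1; }
    [ $# -eq 1 ] || { echo "more than one jar for $component" >&2; return 1; }
    name=${1##*/}                  # drop the directory part
    name=${name#"${component}_"}   # drop "<component>_"
    printf '%s\n' "${name%.jar}"   # drop ".jar"
}

# Copy a rebuilt jar into patches/<patch_dir> under the plugin jar's name and
# print its SHA-256 so the deployed file can be compared against it later.
stage_patch() {
    home=$1; component=$2; built_jar=$3; patch_dir=${4:-patch9999}
    version=$(component_version "$home" "$component") || return 1
    [ -f "$built_jar" ] || { echo "built jar not found: $built_jar" >&2; return 1; }
    # Refuse a jar that was built from a different tag than the deployed one.
    case ${built_jar##*/} in
        *"$version"*) ;;
        *) echo "built jar is not version $version" >&2; return 1 ;;
    esac
    dest=$home/repository/components/patches/$patch_dir
    mkdir -p "$dest" || return 1
    cp "$built_jar" "$dest/${component}_${version}.jar" || return 1
    sha256sum "$dest/${component}_${version}.jar" | cut -d' ' -f1
}

# Usage (paths constructed for illustration):
#   stage_patch /opt/wso2am-2.6.0 org.wso2.carbon.registry.resource \
#     carbon-registry/components/registry/org.wso2.carbon.registry.resource/target/<built jar>
```

Keeping the printed hash alongside the patches.log entry mentioned in the comments gives a record of exactly which build was staged.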