Customuserstore for WSO2 IS 5.9 - wso2-identity-server

I need to create a custom store using JDBC along the lines mentioned in the blog below, but for WSO2 IS 5.9, so I need to know which kernel, versions and so on.
Please share any blog for the same.
http://isurad.blogspot.com/2016/03/how-to-write-custom-user-store-manager.html?_sm_au_=iVV3n4ws6PvJnHfMqpT6vK7TWcsMt
Regards,
Subhash

The kernel version of IS 5.9.0 is 4.5.1. (You can refer to the GitHub project pom for other versions if needed: https://github.com/wso2/product-is/blob/v5.9.0/pom.xml)
You can also refer to https://is.docs.wso2.com/en/latest/setup/writing-a-custom-user-store-manager/

Related

Vulnerability fix for Apache Commons Text with wso2 carbon libraries

I am looking for suggestions on the recent vulnerability (https://blogs.apache.org/security/entry/cve-2022-42889), which is also coming from the WSO2 IS 5.11 binary downloaded from https://github.com/wso2/product-is/releases/tag/v5.11.0 and from the carbon libraries we are using in custom plugins, like:
<groupId>org.wso2.carbon.identity.framework</groupId>
<artifactId>org.wso2.carbon.identity.mgt</artifactId>
<version>5.18.187</version>
<groupId>org.wso2.carbon.identity.framework</groupId>
<artifactId>org.wso2.carbon.identity.application.authentication.framework</artifactId>
<version>5.18.187</version>
<groupId>org.wso2.carbon.identity.framework</groupId>
<artifactId>org.wso2.carbon.identity.provisioning</artifactId>
<version>5.18.187</version>
Are there any upgrades to these which are compatible with WSO2 IS v5.11?
The WSO2 advisories mention that the vulnerability has no impact on the products [1], since the preconditions are not met. The team promises to fix the vulnerable versions, and (paid) customers will be able to obtain the fix through their security update once it is available. Along with this effort, the public fix will be done for the current public branch and will be available if you build product-is from the repository. The timeline for the public fix is yet to be known.
And the suggested upgrade would be to 1.10.0 of Apache Commons Text library for 5.11.0.
This library comes into the Identity Server 5.11 pack mainly through the Forget-Me tool. In the latest release (wso2is-6.0.0), the Forget-Me tool has been externalized [2], so it can be used in the product on demand.
Refer:
[1] https://docs.wso2.com/display/Security/CVE-2022-42889
[2] https://is.docs.wso2.com/en/latest/deploy/remove-references-to-deleted-user-identities/#building-the-identity-anonymization-tool
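
To check which Commons Text versions a given pack or custom plugin build actually ships, the following added example (not part of the original answer and not WSO2 tooling) walks a directory for jars and reports any copy in the range affected by CVE-2022-42889, 1.5 through 1.9. It reads the version from the Maven pom.properties inside each jar and falls back to the file name; the "_" separator and vendor suffix accepted by the file-name pattern are assumptions.

```python
import re
import sys
import zipfile
from pathlib import Path

# CVE-2022-42889 affects Apache Commons Text 1.5 through 1.9; 1.10.0 carries the fix.
FIRST_AFFECTED, FIXED = (1, 5), (1, 10)
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
# File-name fallback. The "_" separator and a vendor suffix such as ".wso2v1"
# are assumptions about how a product pack may rename the bundle.
JAR_NAME = re.compile(r"^commons-text[-_](\d+(?:\.\d+)*)(?:[.-].+)?\.jar$")


def to_tuple(version):
    """'1.9.0.wso2v1' -> (1, 9, 0): keep only the leading numeric components."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def version_of(jar_path):
    """Return the Commons Text version a jar carries, or None if it carries none."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            if POM_PROPS in jar.namelist():
                props = jar.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if m:
                    return to_tuple(m.group(1).strip())
    except (zipfile.BadZipFile, OSError):
        pass  # unreadable archive: fall back to the file name
    m = JAR_NAME.match(Path(jar_path).name)
    return to_tuple(m.group(1)) if m else None


def is_affected(version):
    return FIRST_AFFECTED <= version[:2] < FIXED


def scan(root):
    """Return (path, version, affected) for every Commons Text copy under root."""
    findings = []
    for jar_path in sorted(Path(root).rglob("*.jar")):
        version = version_of(jar_path)
        if version is not None:
            text = ".".join(map(str, version))
            findings.append((str(jar_path), text, is_affected(version)))
    return findings


if __name__ == "__main__":
    for path, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok':8}  commons-text {version}  {path}")
```

Run it against the unpacked product directory and against the build output of each custom plugin; a copy that was renamed still shows up as long as its Maven metadata was kept.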

WSO2 APIM: Configuration variables

(I know that this sounds like a newbie question, but, you know, really, I can't find the answer in the docs.)
In WSO2 products, and specifically in API Manager (2.1.0), we have to modify a lot of configuration files just to start.
We have seen that some configuration files (api-manager.xml, carbon.xml) use configuration variables, e.g. ${admin.username} to be substituted by the admin user.
We have found an old post (2016) explaining the use of configuration variables in WSO2 products
https://medium.com/@shan1024/overriding-configurations-in-wso2-products-using-deployment-properties-file-f096e96f782d
But we are not able to find the deployment.properties file referenced in that post, nor any official documentation.
Do you know if this works in APIM? Where do I have to install this file?
As far as I know, deployment.yaml was introduced in Carbon kernel 5.2 onwards. But WSO2 APIM 2.x is based on Carbon kernel 4.4.X. Therefore APIM 2.x doesn't support that.
WSO2 APIM 3.X will support this feature.

Where is the build for wso2 1.10.1?

I'm trying to upgrade a wso2 install from 1.9.0 to 1.10.0 to support HTTP PATCH, however, the bug here: https://wso2.org/jira/browse/APIMANAGER-4504 has broken JWT generation. I see the bug is fixed in 1.10.1, but I cannot find any reference to this version in documentation or in the release downloads for wso2.
Is this version released? Is it available, or does it have to be built manually? If so, could you provide instructions on how to do this?
There isn't any release with version 1.10.1; the next released version is API Manager 2.0.
You can find the components here: https://github.com/wso2/carbon-apimgt/tree/v6.0.4
Produce distribution here: https://github.com/wso2/product-apim/tree/v2.0.0

XCART 4.3.0 download link

Can anybody send the XCART 4.3.0 download link?
I can't find it on its website.
https://www.google.co.in/search?q=xcart+4.3.0+download&oq=xcart&aqs=chrome.5.69i59j0j69i60l3j69i59.4898j0j4&sourceid=chrome&espv=210&es_sm=122&ie=UTF-8
but none of it works
Please download from the link below.
http://www.torrentsmafia.biz/scripts/88485-x-cart-430.html
Thanks,
Jaymin
If you own a license, the distributional package can be downloaded in the File Area of the corresponding HelpDesk account (https://secure.x-cart.com/). You may also request the package of older versions contacting X-Cart support (http://www.x-cart.com/contact-us.html).
PS: Normally the packages of older versions are requested when the store is being upgraded. If you are indeed upgrading the store, you may want to consider X-Cart 5 - a new generation platform where the upgrades are done in a couple of clicks. Please check it out: http://blog.x-cart.com/x-cart-5-downloadable-released.html

Session Timeout in WSO2 4.1.1

We are using WSO2 4.1.1 for user management. Is there a way to do a session time out in WSO2 4.1.1?
(I am looking to see whether there is a fix for this in WSO2 4.1.1. Currently, I am not looking at migrating to WSO2 4.5, where this is mentioned as a supported feature.)
I am referring to the following link, where it says the WSO2 4.1.1 code has been changed to handle session timeout.
https://wso2.org/jira/browse/IDENTITY-1030
Are these changes available as a new version of jar compatible with the WSO2 4.1.1 version?
Thanks in advance for the help
You won't be able to get a new version of the jar and use it with WSO2 IS 4.1.1. AFAIK, IS 4.1.1 was never released; I think you are using a build shared via the dev@ list.
Anyway, you can try the following.
Checkout the source for the corresponding jars in WSO2 IS 4.1.1. Try to checkout from branch. For example: https://svn.wso2.org/repos/wso2/carbon/platform/branches/4.1.0/components/identity/org.wso2.carbon.identity.base/
Fix the issue and do 'mvn clean install'
Copy the target jar as a patch.
Run server with -DapplyPatches
In this way, you can try to fix this issue.
If we discover issues with any product after it has been released, you will be able to get the fix only in a newer version. Otherwise, you need to patch the existing jar versions.
I hope this helps.