Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/09/01 08:02:26 UTC
[ofbiz-site] branch master updated: Adds a message about post-auth and pre-auth vulnerabilities
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git
The following commit(s) were added to refs/heads/master by this push:
new 2af9d77 Adds a message about post-auth and pre-auth vulnerabilities
2af9d77 is described below
commit 2af9d77d6df4ca382eb8fe103ffb7fd2a3b4a774
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Wed Sep 1 10:02:12 2021 +0200
Adds a message about post-auth and pre-auth vulnerabilities
---
security.html | 1 +
template/page/security.tpl.php | 1 +
2 files changed, 2 insertions(+)
diff --git a/security.html b/security.html
index 332d3e6..f5c84d3 100644
--- a/security.html
+++ b/security.html
@@ -130,6 +130,7 @@
<h2><a id="security"></a>Security Vulnerabilities</h2>
<div class="divider"><span></span></div>
<p> <strong> We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum.</strong></p>
+ <p>Note that we no longer create CVEs for post-auth attacks done using the credential demo, notably using the admin user. <a href="https://s.apache.org/dsj2p">Rather create bugs reports in our issue tracker (Jira) for that.</a>. The main reason why we no longer create CVEs post-auth attacks done using the credential demo is because <a href="https://ci.apache.org/projects/ofbiz/site/trunk/readme/html5/README.html#security">we highly suggest to OFBiz users to not use credential [...]
<p>Please see the <a href="https://www.apache.org/security" target="external">ASF Security Team webpage</a> for further information about reporting a security vulnerability as well as their contact information. </p>
<p>You might be interested by our <a href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure" target="external">Keeping OFBiz secure wiki page.</a></p>
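Review bot: the added paragraph in this hunk has several wording and markup defects that should be fixed before it is published: "bugs reports" should be "bug reports"; the anchor text ends with a period and is then followed by a second period (`</a>.`), so one of them should go; "we no longer create CVEs post-auth attacks" is missing "for"; and "the credential demo" (used twice) reads as "the demo credentials". The new `<a href="https://s.apache.org/dsj2p">` also lacks the `target="external"` attribute that the neighbouring links in this file use. The paragraph is truncated in this mail (`[...]`), so the closing `</p>` cannot be checked here. Finally, the commit subject mentions both post-auth and pre-auth vulnerabilities, but the visible text only states the policy for post-auth attacks that use the demo admin account; it would help reporters if the paragraph said explicitly whether a post-auth issue that does not depend on the demo credentials is still CVE-eligible.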
diff --git a/template/page/security.tpl.php b/template/page/security.tpl.php
index 164922b..ccd1568 100644
--- a/template/page/security.tpl.php
+++ b/template/page/security.tpl.php
@@ -19,6 +19,7 @@
<h2><a id="security"></a>Security Vulnerabilities</h2>
<div class="divider"><span></span></div>
<p> <strong> We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum.</strong></p>
+ <p>Note that we no longer create CVEs for post-auth attacks done using the credential demo, notably using the admin user. <a href="https://s.apache.org/dsj2p">Rather create bugs reports in our issue tracker (Jira) for that.</a>. The main reason why we no longer create CVEs post-auth attacks done using the credential demo is because <a href="https://ci.apache.org/projects/ofbiz/site/trunk/readme/html5/README.html#security">we highly suggest to OFBiz users to not use credential [...]
<p>Please see the <a href="https://www.apache.org/security" target="external">ASF Security Team webpage</a> for further information about reporting a security vulnerability as well as their contact information. </p>
<p>You might be interested by our <a href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure" target="external">Keeping OFBiz secure wiki page.</a></p>
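Review bot: this hunk adds the same paragraph as the `security.html` hunk, so the same fixes apply here ("bug reports", the doubled period after `</a>`, the missing "for" in "create CVEs post-auth attacks", and `target="external"` on the Jira link). Since `security.html` appears to be rendered from `template/page/security.tpl.php`, please correct the text in the template and regenerate the HTML rather than editing the two copies by hand, otherwise the published page and the template will drift apart.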