Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/19 18:26:29 UTC

[ofbiz-site] branch master updated (5e18318 -> 73b9e9e)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git.


    from 5e18318  Update the security page, better formatting
     new 789229a  Put the message about security disclosing also in download page
     new 73b9e9e  Adds a mention about sending vulnerability reports one by one and not packed

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 download.html                  | 14 ++++++++++++++
 security.html                  |  3 ++-
 template/page/download.tpl.php | 14 ++++++++++++++
 template/page/security.tpl.php |  3 ++-
 4 files changed, 32 insertions(+), 2 deletions(-)

[ofbiz-site] 02/02: Adds a mention about sending vulnerability reports one by one and not packed

Posted by jl...@apache.org.

jleroux pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git

commit 73b9e9ec17bcba48fa3e6f8f1efd3d9b5dd56c95
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Feb 19 19:26:09 2022 +0100

    Adds a mention about sending vulnerability reports one by one and not packed
---
 download.html                  | 4 +++-
 security.html                  | 3 ++-
 template/page/download.tpl.php | 4 +++-
 template/page/security.tpl.php | 3 ++-
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/download.html b/download.html
index 2e3c5c7..3223c7a 100644
--- a/download.html
+++ b/download.html
@@ -277,7 +277,9 @@ available <a href="security.html">here</a></p>
             <a href="https://downloads.apache.org/ofbiz/KEYS" target="external">[KEYS]</a>
             <a href="release-notes-18.12.05.html">[Release Notes]</a>
 
-            <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum.</strong></p>
+            <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org),
+             before disclosing them in a public forum. Please don't pack several vulnerabilities in the same report, send them one by one, thanks in advance.</strong></p>
+            
             
             <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. 
             <strong> <a href="https://s.apache.org/dsj2p"> Rather create bugs reports in our issue tracker (Jira) for that.</a></strong></p>
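Review bot: the sentence added on the second `+` line is a comma splice ("Please don't pack several vulnerabilities in the same report, send them one by one, thanks in advance.") and reads as a run-on inside a paragraph that is otherwise one clear instruction; suggest splitting it, for example `Please report each vulnerability separately rather than bundling several in one report. Thanks in advance.` The same `+` lines also keep `OfBiz users` while the rest of the paragraph and the project name use `OFBiz`; worth aligning the casing while the line is being touched.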
diff --git a/security.html b/security.html
index 89717e4..5e3e608 100644
--- a/security.html
+++ b/security.html
@@ -131,7 +131,8 @@
             <div class="divider"><span></span></div>
             <p>Please see the  <a href="https://www.apache.org/security" target="external">ASF Security Team webpage</a> for further information about reporting a security vulnerability as well as their contact information. </p>
             
-            <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum.</strong></p>
+            <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org),
+             before disclosing them in a public forum. Please don't pack several vulnerabilities in the same report, send them one by one, thanks in advance.</strong></p>
             
             <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. 
             <strong> <a href="https://s.apache.org/dsj2p"> Rather create bugs reports in our issue tracker (Jira) for that.</a></strong></p>
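Review bot: this hunk applies the same two-line edit that download.html received, and the two templates below get it a third and fourth time, so the reporting guidance now lives in four copies that must be kept in step by hand; consider moving the `<p><strong>We strongly encourage ... </strong></p>` paragraph into a single shared template fragment so the security instructions cannot drift between the security and download pages. The comma-splice wording of the new sentence noted for download.html applies here unchanged.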
diff --git a/template/page/download.tpl.php b/template/page/download.tpl.php
index 281c20b..5affad8 100644
--- a/template/page/download.tpl.php
+++ b/template/page/download.tpl.php
@@ -166,7 +166,9 @@ available <a href="security.html">here</a></p>
             <a href="https://downloads.apache.org/ofbiz/KEYS" target="external">[KEYS]</a>
             <a href="release-notes-18.12.05.html">[Release Notes]</a>
 
-            <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum.</strong></p>
+            <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org),
+             before disclosing them in a public forum. Please don't pack several vulnerabilities in the same report, send them one by one, thanks in advance.</strong></p>
+            
             
             <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. 
             <strong> <a href="https://s.apache.org/dsj2p"> Rather create bugs reports in our issue tracker (Jira) for that.</a></strong></p>
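Review bot: the third `+` line (`+            `) is whitespace only and sits directly above an existing whitespace-only context line, so the hunk introduces a redundant blank line carrying trailing spaces into the template; drop that line so the template change is limited to the text edit. Since download.html is the rendered output of this template, the same stray line appears in the generated file above and would disappear on the next regeneration.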
diff --git a/template/page/security.tpl.php b/template/page/security.tpl.php
index 15a855c..33d20ce 100644
--- a/template/page/security.tpl.php
+++ b/template/page/security.tpl.php
@@ -20,7 +20,8 @@
             <div class="divider"><span></span></div>
             <p>Please see the  <a href="https://www.apache.org/security" target="external">ASF Security Team webpage</a> for further information about reporting a security vulnerability as well as their contact information. </p>
             
-            <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum.</strong></p>
+            <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org),
+             before disclosing them in a public forum. Please don't pack several vulnerabilities in the same report, send them one by one, thanks in advance.</strong></p>
             
             <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. 
             <strong> <a href="https://s.apache.org/dsj2p"> Rather create bugs reports in our issue tracker (Jira) for that.</a></strong></p>
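Review bot: the new sentence on the second `+` line asks reporters to send vulnerabilities one at a time but gives no reason, and an instruction without a rationale is the kind that gets ignored; a short clause stating why separate reports are needed (in the maintainers' own words) would help reporters comply, and this template is the place to add it so security.html picks it up on regeneration.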

[ofbiz-site] 01/02: Put the message about security disclosing also in download page

Posted by jl...@apache.org.

jleroux pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git

commit 789229ac74654afe083285b3dee4839f3a10ae28
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Sat Feb 19 19:21:23 2022 +0100

    Put the message about security disclosing also in download page
---
 download.html                  | 12 ++++++++++++
 template/page/download.tpl.php | 12 ++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/download.html b/download.html
index d0b36f3..2e3c5c7 100644
--- a/download.html
+++ b/download.html
@@ -277,6 +277,18 @@ available <a href="security.html">here</a></p>
             <a href="https://downloads.apache.org/ofbiz/KEYS" target="external">[KEYS]</a>
             <a href="release-notes-18.12.05.html">[Release Notes]</a>
 
+            <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum.</strong></p>
+            
+            <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. 
+            <strong> <a href="https://s.apache.org/dsj2p"> Rather create bugs reports in our issue tracker (Jira) for that.</a></strong></p>
+            
+            <p>One of the reason we no longer create CVEs for post-auth attacks done using demo credentials is because 
+            <a href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/#security" target="external"> we highly suggest to OFBiz users to not use credentials demo in production</a>
+             and we expect OFBiz users to do so.
+            <a href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure" target="external"> We also warn our users on the "Keeping OFBiz secure wiki page".</a>             
+            And finally, mostly we reject post-auth vulnerabilities because we have a solid CSRF defense.</p>
+            
+
             <h2>Earlier Releases</h2>
             <div class="divider"><span></span></div>
             <p>Older superseded releases of Apache OFBiz can be found in the <a href="//archive.apache.org/dist/ofbiz/" target="external">Apache OFBiz archive</a></p>
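Review bot: the third added paragraph has several grammar slips that will be read by people deciding whether to report something: `One of the reason` should be `One of the reasons`, `credentials demo` should be `demo credentials`, `we highly suggest to OFBiz users to not use` reads better as `we strongly advise OFBiz users not to use`, and `bugs reports` on the earlier `+` line should be `bug reports`. The clause `and we expect OFBiz users to do so` is also ambiguous after a negative ("not use ... to do so"); `and we expect them to follow that advice` says what is meant. The line ending in `wiki page".</a>` carries trailing whitespace.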
diff --git a/template/page/download.tpl.php b/template/page/download.tpl.php
index 4fc3ed3..281c20b 100644
--- a/template/page/download.tpl.php
+++ b/template/page/download.tpl.php
@@ -166,6 +166,18 @@ available <a href="security.html">here</a></p>
             <a href="https://downloads.apache.org/ofbiz/KEYS" target="external">[KEYS]</a>
             <a href="release-notes-18.12.05.html">[Release Notes]</a>
 
+            <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either security@ofbiz.apache.org or security@apache.org), before disclosing them in a public forum.</strong></p>
+            
+            <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. 
+            <strong> <a href="https://s.apache.org/dsj2p"> Rather create bugs reports in our issue tracker (Jira) for that.</a></strong></p>
+            
+            <p>One of the reason we no longer create CVEs for post-auth attacks done using demo credentials is because 
+            <a href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/#security" target="external"> we highly suggest to OFBiz users to not use credentials demo in production</a>
+             and we expect OFBiz users to do so.
+            <a href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure" target="external"> We also warn our users on the "Keeping OFBiz secure wiki page".</a>             
+            And finally, mostly we reject post-auth vulnerabilities because we have a solid CSRF defense.</p>
+            
+
             <h2>Earlier Releases</h2>
             <div class="divider"><span></span></div>
             <p>Older superseded releases of Apache OFBiz can be found in the <a href="//archive.apache.org/dist/ofbiz/" target="external">Apache OFBiz archive</a></p>
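Review bot: the closing sentence on the last text `+` line, `And finally, mostly we reject post-auth vulnerabilities because we have a solid CSRF defense.`, is the sentence a reporter will scrutinise most, yet it is the only claim in the paragraph without a link; pointing it at the same readme or wiki section cited two lines above, and saying which kind of post-auth report the CSRF defense is meant to rule out, would make the policy checkable rather than an assertion. `mostly we reject` also hedges the sentence it is trying to make firm; `Finally, we reject most post-auth reports because ...` keeps the intended meaning. The same fixes belong here in the template rather than only in the generated download.html.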