Posted to user@ofbiz.apache.org by Pierre Smits <pi...@gmail.com> on 2012/04/16 12:47:48 UTC

Re: Vulnerability in OFBiz?

So if I understand it correctly the vulnerability issue is regarding
10.04.01 and has been fixed with 10.04.02. That's why we urge end users to
upgrade.


On 16 April 2012 12:31, Adrian Crum <adrian.crum@sandglass-software.com> wrote:

> Michele likes to claim credit for reporting all current and future OFBiz
> vulnerabilities based on a very old Jira issue that was fixed long ago.
> He/she can be ignored.
>
> -Adrian
>
>
> On 4/16/2012 11:16 AM, Jacques Le Roux wrote:
>
>> It's not quite clear if it's only a joke or not.
>>
>> Because actually http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html
>> were new vulnerabilities discovered by Matias Madou (
>> mmadouhp.com) of Fortify/HP Security Research Group.
>> Matias helped us to track them by giving precise URLs and ways of
>> reproducing, whereas Michele Orru' never answered precisely to our questions
>> in this issue.
>>
>> The only way to be sure would be to reproduce what Michele described in
>> this issue...
>>
>> Jacques
>>
>> Pierre Smits wrote:
>>
>>> I saw this tweeted:
>>>
>>> *Michele Orru'* @antisnatchor <https://twitter.com/#!/antisnatchor>
>>> <https://twitter.com/#!/antisnatchor/status/191823272214659072>
>>>
>>> New XSSs on Apache OFBiz
>>> http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html
>>> <http://t.co/8OV2iHcr> =>
>>> after my recommendations years ago
>>> https://issues.apache.org/jira/browse/OFBIZ-1959
>>> <https://t.co/RHyVfSy6> they are still vulnerable :D LOL
>>>
>>>
>>> How do we address this?
>>>
>>> Regards,
>>>
>>> Pierre
>>>
>>
>>

Re: Vulnerability in OFBiz?

Posted by Adrian Crum <ad...@sandglass-software.com>.
Correct. In addition, users of the release branches and trunk should 
update their local copies to the latest revisions.

-Adrian

On 4/16/2012 11:47 AM, Pierre Smits wrote:
> So if I understand it correctly the vulnerability issue is regarding
> 10.04.01 and has been fixed with 10.04.02. That's why we urge end users to
> upgrade.
>
>
> On 16 April 2012 12:31, Adrian Crum <adrian.crum@sandglass-software.com> wrote:
>
>> Michele likes to claim credit for reporting all current and future OFBiz
>> vulnerabilities based on a very old Jira issue that was fixed long ago.
>> He/she can be ignored.
>>
>> -Adrian
>>
>>
>> On 4/16/2012 11:16 AM, Jacques Le Roux wrote:
>>
>>> It's not quite clear if it's only a joke or not.
>>>
>>> Because actually http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html
>>> were new vulnerabilities discovered by Matias Madou (
>>> mmadouhp.com) of Fortify/HP Security Research Group.
>>> Matias helped us to track them by giving precise URLs and ways of
>>> reproducing, whereas Michele Orru' never answered precisely to our questions
>>> in this issue.
>>>
>>> The only way to be sure would be to reproduce what Michele described in
>>> this issue...
>>>
>>> Jacques
>>>
>>> Pierre Smits wrote:
>>>
>>>> I saw this tweeted:
>>>>
>>>> *Michele Orru'* @antisnatchor <https://twitter.com/#!/antisnatchor>
>>>> <https://twitter.com/#!/antisnatchor/status/191823272214659072>
>>>>
>>>> New XSSs on Apache OFBiz
>>>> http://archives.neohapsis.com/archives/fulldisclosure/2012-04/0171.html
>>>> <http://t.co/8OV2iHcr> =>
>>>> after my recommendations years ago
>>>> https://issues.apache.org/jira/browse/OFBIZ-1959
>>>> <https://t.co/RHyVfSy6> they are still vulnerable :D LOL
>>>>
>>>>
>>>> How do we address this?
>>>>
>>>> Regards,
>>>>
>>>> Pierre
>>>>
>>>