This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 4029ee8  Upgrades the security page
4029ee8 is described below

commit 4029ee8e6659294bb2fc709f54e2f0d9de2c4acc
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Feb 10 17:30:10 2022 +0100

    Upgrades the security page
---
 security.html                  | 8 +++++---
 template/page/security.tpl.php | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/security.html b/security.html
index b746533..da9e756 100644
--- a/security.html
+++ b/security.html
@@ -136,9 +136,11 @@
             <p>Note that we no longer create CVEs for post-auth attacks done 
using demo credentials, notably using the admin user. 
             <strong> <a href="https://s.apache.org/dsj2p";> Rather create bugs 
reports in our issue tracker (Jira) for that.</a></strong></p>
             
-            <p>The main reason we no longer create CVEs for post-auth attacks 
done using demo credentials is because 
-            <a 
href="https://ci.apache.org/projects/ofbiz/site/trunk/readme/html5/README.html#security";>
 we highly suggest to OFBiz users to not use credentials demo in production</a>
-             and we expect OFBiz users to do so. We also reject post-auth 
vulnerabilities because we have a solid CSRF defense.</p>
+            <p>One of the reasosn we no longer create CVEs for post-auth 
attacks done using demo credentials is because 
+            <a 
href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/#security";> we 
highly suggest to OFBiz users to not use credentials demo in production</a>
+             and we expect OFBiz users to do so.</br>
+            <a 
href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure#KeepingOFBizsecure-Tomcat9&AJP";>
 We also warn our users on this wiki page.</br>             
+            And finally, mostly we reject post-auth vulnerabilities because we 
have a solid CSRF defense.</p>
             
             <p>You might be interested by our <a 
href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure"; 
target="external">Keeping OFBiz secure wiki page.</a></p>
             
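Review bot: the anchor added for the wiki link (`<a href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure#KeepingOFBizsecure-Tomcat9&AJP">`) is never closed. "We also warn our users on this wiki page." is followed by `</br>` and then the CSRF sentence with no `</a>`, so the CSRF sentence becomes part of the link too. Add `</a>` right after "wiki page." Two smaller points in the same added lines: `</br>` is not a valid tag (use `<br>` or `<br/>`), and "reasosn" in the first added line should be "reasons".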
diff --git a/template/page/security.tpl.php b/template/page/security.tpl.php
index 8d611d2..863c9e9 100644
--- a/template/page/security.tpl.php
+++ b/template/page/security.tpl.php
@@ -25,9 +25,11 @@
             <p>Note that we no longer create CVEs for post-auth attacks done 
using demo credentials, notably using the admin user. 
             <strong> <a href="https://s.apache.org/dsj2p";> Rather create bugs 
reports in our issue tracker (Jira) for that.</a></strong></p>
             
-            <p>The main reason we no longer create CVEs for post-auth attacks 
done using demo credentials is because 
-            <a 
href="https://ci.apache.org/projects/ofbiz/site/trunk/readme/html5/README.html#security";>
 we highly suggest to OFBiz users to not use credentials demo in production</a>
-             and we expect OFBiz users to do so. We also reject post-auth 
vulnerabilities because we have a solid CSRF defense.</p>
+            <p>One of the reasosn we no longer create CVEs for post-auth 
attacks done using demo credentials is because 
+            <a 
href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/#security";> we 
highly suggest to OFBiz users to not use credentials demo in production</a>
+             and we expect OFBiz users to do so.</br>
+            <a 
href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure#KeepingOFBizsecure-Tomcat9&AJP";>
 We also warn our users on this wiki page.</br>             
+            And finally, mostly we reject post-auth vulnerabilities because we 
have a solid CSRF defense.</p>
             
             <p>You might be interested by our <a 
href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure"; 
target="external">Keeping OFBiz secure wiki page.</a></p>
             
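Review bot: in the template, the added `<a href=...#KeepingOFBizsecure-Tomcat9&AJP">` also has no matching `</a>` before `</p>`, and the `&` in that href is unescaped; write it as `&amp;` so the fragment is valid in an attribute value. The added lines are identical to those in security.html, including the "reasosn" typo and the two `</br>` tags, so fix them in both files together to keep the two copies from drifting apart.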
