This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git

commit 789229ac74654afe083285b3dee4839f3a10ae28
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Sat Feb 19 19:21:23 2022 +0100

    Put the message about security disclosure also in the download page
---
 download.html                  | 12 ++++++++++++
 template/page/download.tpl.php | 12 ++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/download.html b/download.html
index d0b36f3..2e3c5c7 100644
--- a/download.html
+++ b/download.html
@@ -277,6 +277,18 @@ available <a href="security.html">here</a></p>
             <a href="https://downloads.apache.org/ofbiz/KEYS"; 
target="external">[KEYS]</a>
             <a href="release-notes-18.12.05.html">[Release Notes]</a>
 
+            <p><strong>We strongly encourage OfBiz users to report security 
problems affecting OFBiz to the private security mailing lists (either 
secur...@ofbiz.apache.org or secur...@apache.org), before disclosing them in a 
public forum.</strong></p>
+            
+            <p>Note that we no longer create CVEs for post-auth attacks done 
using demo credentials, notably using the admin user. 
+            <strong> <a href="https://s.apache.org/dsj2p";> Rather create bugs 
reports in our issue tracker (Jira) for that.</a></strong></p>
+            
+            <p>One of the reason we no longer create CVEs for post-auth 
attacks done using demo credentials is because 
+            <a 
href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/#security"; 
target="external"> we highly suggest to OFBiz users to not use credentials demo 
in production</a>
+             and we expect OFBiz users to do so.
+            <a 
href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure"; 
target="external"> We also warn our users on the "Keeping OFBiz secure wiki 
page".</a>             
+            And finally, mostly we reject post-auth vulnerabilities because we 
have a solid CSRF defense.</p>
+            
+
             <h2>Earlier Releases</h2>
             <div class="divider"><span></span></div>
             <p>Older superseded releases of Apache OFBiz can be found in the 
<a href="//archive.apache.org/dist/ofbiz/" target="external">Apache OFBiz 
archive</a></p>
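Review bot: the three paragraphs added in this hunk contain several wording errors that will ship verbatim on the public download page: "OfBiz" in the first paragraph should be "OFBiz" as spelled everywhere else, "bugs reports" should be "bug reports", "One of the reason" should be "One of the reasons", and "credentials demo" should be "demo credentials". The anchors `<strong> <a href="https://s.apache.org/dsj2p";> Rather create bugs` and the two `target="external"> we highly suggest` / `target="external"> We also warn` links open with a space inside the `<a>`, which renders as a stray underlined space; move that whitespace outside the tag. The closing sentence, "mostly we reject post-auth vulnerabilities because we have a solid CSRF defense", gives a reason that does not match the paragraph: a CSRF defense stops forged cross-origin requests, whereas the paragraph is about reports that rely on the shipped demo admin credentials. Rephrase so the stated reason is the actual policy, e.g. "we treat reports that require the demo credentials as deployment configuration issues rather than vulnerabilities, because the documentation instructs users not to deploy them". Finally, the mailing-list addresses appear as `secur...@ofbiz.apache.org` and `secur...@apache.org` in this diff; confirm the committed file carries the full addresses, since a truncated address defeats the purpose of the paragraph.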
diff --git a/template/page/download.tpl.php b/template/page/download.tpl.php
index 4fc3ed3..281c20b 100644
--- a/template/page/download.tpl.php
+++ b/template/page/download.tpl.php
@@ -166,6 +166,18 @@ available <a href="security.html">here</a></p>
             <a href="https://downloads.apache.org/ofbiz/KEYS"; 
target="external">[KEYS]</a>
             <a href="release-notes-18.12.05.html">[Release Notes]</a>
 
+            <p><strong>We strongly encourage OfBiz users to report security 
problems affecting OFBiz to the private security mailing lists (either 
secur...@ofbiz.apache.org or secur...@apache.org), before disclosing them in a 
public forum.</strong></p>
+            
+            <p>Note that we no longer create CVEs for post-auth attacks done 
using demo credentials, notably using the admin user. 
+            <strong> <a href="https://s.apache.org/dsj2p";> Rather create bugs 
reports in our issue tracker (Jira) for that.</a></strong></p>
+            
+            <p>One of the reason we no longer create CVEs for post-auth 
attacks done using demo credentials is because 
+            <a 
href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/#security"; 
target="external"> we highly suggest to OFBiz users to not use credentials demo 
in production</a>
+             and we expect OFBiz users to do so.
+            <a 
href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure"; 
target="external"> We also warn our users on the "Keeping OFBiz secure wiki 
page".</a>             
+            And finally, mostly we reject post-auth vulnerabilities because we 
have a solid CSRF defense.</p>
+            
+
             <h2>Earlier Releases</h2>
             <div class="divider"><span></span></div>
             <p>Older superseded releases of Apache OFBiz can be found in the 
<a href="//archive.apache.org/dist/ofbiz/" target="external">Apache OFBiz 
archive</a></p>
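Review bot: this hunk is a line-for-line copy of the block added to download.html, so every wording and markup fix raised there applies here as well. Since `download.tpl.php` is the template the HTML page is generated from, apply the corrections in this file first and regenerate download.html rather than hand-editing both, otherwise the two copies will drift the next time either is touched. The hunk's context line `available <a href="security.html">here</a>` shows the page already links to the security page; if that page carries the same disclosure and demo-credential guidance, a one-sentence pointer here would avoid maintaining three copies of the same policy text.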
