This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 5591d93  Improved: small changes in security page
5591d93 is described below

commit 5591d93424d9cc23ecc43a73f8105f284ff07cd3
Author: Jacques Le Roux <[email protected]>
AuthorDate: Mon Sep 1 09:16:05 2025 +0200

    Improved: small changes in security page
---
 security.html                  | 7 ++++---
 template/page/security.tpl.php | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/security.html b/security.html
index 1cd2b24..6df2036 100644
--- a/security.html
+++ b/security.html
@@ -117,15 +117,14 @@
         <div class="row">
             <h2><a id="security"></a>Security Vulnerabilities</h2>
             <div class="divider"><span></span></div>
-            <p>Please see the  <a href="https://www.apache.org/security"; 
target="external">ASF Security Team webpage</a> for further information about 
reporting a security vulnerability as well as their contact information. </p>
 
             <p><strong>We strongly encourage OfBiz users to report security 
problems affecting OFBiz to the private security mailing lists (either 
[email protected] or [email protected]),
              before disclosing them in a public forum. Please don't pack 
several vulnerabilities in the same report, send them one by one, thanks in 
advance.</strong></p>
 
-            <p>Note that we no longer create CVEs for post-authN attacks done 
using demo credentials, notably using the admin user.
+            <p>Note that we no longer create CVEs for post-authN attacks.
             <strong> <a href="https://s.apache.org/dsj2p";> Rather create bugs 
reports in our issue tracker (Jira) for that.</a><span style="color:red"> 
Please don't create zero day Jira issues for unauth (aka pre-authN) reports, 
thanks in advance.</span></strong></p>
 
-            <p>One of the reason we no longer create CVEs for post-authN 
attacks done using demo credentials is because
+            <p>One of the reason we no longer create CVEs for post-authN 
attacks is because
             <a 
href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/README.html#security";
 target="external"> we highly suggest to OFBiz users to not use credentials 
demo in production</a>
              and we expect OFBiz users to do so.
             <a 
href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure"; 
target="external"> We also warn our users on the "Keeping OFBiz secure wiki 
page".</a>
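Review bot: the added `<p>Note that we no longer create CVEs for post-authN attacks.` drops the qualifier `done using demo credentials, notably using the admin user`, so the statement now covers every post-authentication finding, yet the next paragraph (also rewritten in this hunk) still justifies the policy only with the advice not to use demo credentials in production; either keep the narrower wording or rewrite the justification so the two paragraphs agree, and say explicitly what counts as post-authN (the attacker already holds a valid login) so a reporter can decide between a Jira issue and the private security list before filing. While these lines are being touched: `One of the reason` should be `One of the reasons`, `bugs reports` should be `bug reports`, `credentials demo` should be `demo credentials`, and `OfBiz` in the mailing-list paragraph should be `OFBiz` as everywhere else. The `;` after the closing quote of each absolute `href` (for example `"https://s.apache.org/dsj2p";>`) should be checked in the file itself: the relative `href="//cve.mitre.org/..."` below has none, which suggests a mail-transport artifact, but if the semicolons are really in the source they end up in the rendered markup.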
@@ -139,6 +138,8 @@
             </ul>
             </p>
 
+            <p>Please see the  <a href="https://www.apache.org/security"; 
target="external">ASF Security Team webpage</a> for further information about 
reporting a security vulnerability as well as their contact information. </p>
+
             <h3>List of Known Vulnerabilities</h3>
             <ul class="iconsList">
                 <li><i class="icon-pin"></i> <a 
href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54466" 
target="external">CVE-2025-54466</a>; affected releases before 24.09.01; fixed 
in 24.09.02 with commit <a 
href="https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=5a35b4f84f"; 
target="external">5a35b4f84f</a></li>
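Review bot: the two context lines `</ul>` followed by `</p>` directly above the moved paragraph are invalid nesting: a `<ul>` cannot sit inside a `<p>`, browsers implicitly close the paragraph when the list opens and discard the trailing `</p>`, so the relocated "Please see the ASF Security Team webpage" paragraph may not get the spacing intended; close the `<p>` before the `<ul>` (or drop that wrapper) while this text is being moved. The doubled space in `see the  <a` was carried over from the removed copy and should be collapsed at the same time.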
diff --git a/template/page/security.tpl.php b/template/page/security.tpl.php
index dfd1675..31b56d2 100644
--- a/template/page/security.tpl.php
+++ b/template/page/security.tpl.php
@@ -18,15 +18,14 @@
         <div class="row">
             <h2><a id="security"></a>Security Vulnerabilities</h2>
             <div class="divider"><span></span></div>
-            <p>Please see the  <a href="https://www.apache.org/security"; 
target="external">ASF Security Team webpage</a> for further information about 
reporting a security vulnerability as well as their contact information. </p>
 
             <p><strong>We strongly encourage OfBiz users to report security 
problems affecting OFBiz to the private security mailing lists (either 
[email protected] or [email protected]),
              before disclosing them in a public forum. Please don't pack 
several vulnerabilities in the same report, send them one by one, thanks in 
advance.</strong></p>
 
-            <p>Note that we no longer create CVEs for post-authN attacks done 
using demo credentials, notably using the admin user.
+            <p>Note that we no longer create CVEs for post-authN attacks.
             <strong> <a href="https://s.apache.org/dsj2p";> Rather create bugs 
reports in our issue tracker (Jira) for that.</a><span style="color:red"> 
Please don't create zero day Jira issues for unauth (aka pre-authN) reports, 
thanks in advance.</span></strong></p>
 
-            <p>One of the reason we no longer create CVEs for post-authN 
attacks done using demo credentials is because
+            <p>One of the reason we no longer create CVEs for post-authN 
attacks is because
             <a 
href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/README.html#security";
 target="external"> we highly suggest to OFBiz users to not use credentials 
demo in production</a>
              and we expect OFBiz users to do so.
             <a 
href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure"; 
target="external"> We also warn our users on the "Keeping OFBiz secure wiki 
page".</a>
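Review bot: this is the same wording change as in security.html and the same issues apply here (the broadened post-authN statement versus the demo-credentials justification, `One of the reason`, `bugs reports`, `credentials demo`, `OfBiz`). Since this template is the source from which security.html is produced, fix the wording here and regenerate the HTML rather than editing both copies by hand, so the two files cannot drift apart.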
@@ -40,6 +39,8 @@
             </ul>
             </p>
 
+            <p>Please see the  <a href="https://www.apache.org/security"; 
target="external">ASF Security Team webpage</a> for further information about 
reporting a security vulnerability as well as their contact information. </p>
+
             <h3>List of Known Vulnerabilities</h3>
             <ul class="iconsList">
                 <li><i class="icon-pin"></i> <a 
href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54466" 
target="external">CVE-2025-54466</a>; affected releases before 24.09.01; fixed 
in 24.09.02 with commit <a 
href="https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=5a35b4f84f"; 
target="external">5a35b4f84f</a></li>
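Review bot: the same `</ul>` followed by `</p>` nesting problem as in the generated security.html is visible in the context lines here; because this template is the origin of that markup, this is the place to close the paragraph before the list, and to collapse the double space in `see the  <a` in the moved paragraph.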
