This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git
The following commit(s) were added to refs/heads/master by this push:
new a57da70 Improved: remove useless information in security page
a57da70 is described below
commit a57da700d8157e7892b40dd1a3974334f4117913
Author: Jacques Le Roux <[email protected]>
AuthorDate: Wed Sep 3 10:48:40 2025 +0200
Improved: remove useless information in security page
Later we will complete using more information
---
security.html | 16 ----------------
template/page/security.tpl.php | 18 +-----------------
2 files changed, 1 insertion(+), 33 deletions(-)
diff --git a/security.html b/security.html
index 62d8fa6..cb63839 100644
--- a/security.html
+++ b/security.html
@@ -121,22 +121,6 @@
<p><strong>We strongly encourage OfBiz users to report security
problems affecting OFBiz to the private security mailing lists (either
preferably [email protected] or else [email protected]),
before disclosing them in a public forum. Please don't pack
several vulnerabilities in the same report, send them one by one, thanks in
advance.</strong></p>
- <p>Note that we don't create CVEs for post-authN attacks.
- <strong> <a href="https://s.apache.org/dsj2p"> Rather create bugs
reports in our issue tracker (Jira) for that.</a>Please don't create zero day
Jira issues for unauth (aka pre-authN) reports, thanks in advance.</strong></p>
-
- <p>One of the reason we don't create CVEs for post-authN attacks
is because
- <a
href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/README.html#security"
target="external"> we highly suggest to OFBiz users to not use credentials
demo in production</a>
- and we expect OFBiz users to do so.
- <a
href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure"
target="external"> We also warn our users ("Beware in production") on the
"Keeping OFBiz secure wiki page".</a>
- </p>
- <p>
- To clarify the vocabulary used above here are 2 links:
- <ul class="iconsList">
- <li><i class="icon-pin"></i><a
href="https://www.scmagazine.com/resource/what-are-post-authentication-attacks-and-how-to-protect-against-them"
target="external">pre-authN vs post-authN</a></li>
- <li><i class="icon-pin"></i><a
href="https://cwe.mitre.org/data/definitions/863.html#ocimg_863_Alternate_Terms"
target="external">authN vs authZ</a></li>
- </ul>
- </p>
-
<p>Please see the <a href="https://www.apache.org/security"
target="external">ASF Security Team webpage</a> for further information about
reporting a security vulnerability as well as their contact information. </p>
<h3>List of Known Vulnerabilities</h3>
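Review bot: the removed paragraphs, from `- <p>Note that we don't create CVEs for post-authN attacks.` down to the vocabulary list, were the only text telling reporters to file post-authN findings in Jira (https://s.apache.org/dsj2p) instead of asking for a CVE, and nothing in this hunk replaces them; the commit message defers the replacement to "later", so in the meantime a reporter of a post-authN issue gets no instruction on where it belongs. Consider keeping a one-line pointer to the Jira tracker until the fuller text is written. Separately, the retained context line `<p><strong>We strongly encourage OfBiz users to report security` spells the project "OfBiz" while the surrounding lines use "OFBiz"; since the paragraph is being edited anyway, this is a cheap fix to fold in.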
diff --git a/template/page/security.tpl.php b/template/page/security.tpl.php
index 8adb32f..70f7765 100644
--- a/template/page/security.tpl.php
+++ b/template/page/security.tpl.php
@@ -20,23 +20,7 @@
<div class="divider"><span></span></div>
<p><strong>We strongly encourage OfBiz users to report security
problems affecting OFBiz to the private security mailing lists (either
preferably [email protected] or else [email protected]),
- before disclosing them in a public forum. Please don't pack
several vulnerabilities in the same report, send them one by one, thanks in
advance.</strong></p>
-
- <p>Note that we don't create CVEs for post-authN attacks.
- <strong> <a href="https://s.apache.org/dsj2p"> Rather create bugs
reports in our issue tracker (Jira) for that.</a>Please don't create zero day
Jira issues for unauth (aka pre-authN) reports, thanks in advance.</strong></p>
-
- <p>One of the reason we don't create CVEs for post-authN attacks
is because
- <a
href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/README.html#security"
target="external"> we highly suggest to OFBiz users to not use credentials
demo in production</a>
- and we expect OFBiz users to do so.
- <a
href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure"
target="external"> We also warn our users ("Beware in production") on the
"Keeping OFBiz secure wiki page".</a>
- </p>
- <p>
- To clarify the vocabulary used above here are 2 links:
- <ul class="iconsList">
- <li><i class="icon-pin"></i><a
href="https://www.scmagazine.com/resource/what-are-post-authentication-attacks-and-how-to-protect-against-them"
target="external">pre-authN vs post-authN</a></li>
- <li><i class="icon-pin"></i><a
href="https://cwe.mitre.org/data/definitions/863.html#ocimg_863_Alternate_Terms"
target="external">authN vs authZ</a></li>
- </ul>
- </p>
+ instead of publicly disclosing them. Please don't pack several
vulnerabilities in the same report, send them one by one, thanks in
advance.</strong></p>
<p>Please see the <a href="https://www.apache.org/security"
target="external">ASF Security Team webpage</a> for further information about
reporting a security vulnerability as well as their contact information. </p>
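Review bot: the new line `+ instead of publicly disclosing them. Please don't pack several` changes the wording of the reporting sentence in the template, but the hunk for security.html in the same commit leaves that file's sentence as `before disclosing them in a public forum`, so the template and the published page now disagree (the diffstat confirms the single insertion is only in security.tpl.php). If security.html is generated from security.tpl.php, it needs regenerating after this change; if it is maintained by hand, the same wording edit should be applied there in this commit so the two stay in step.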