This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git
The following commit(s) were added to refs/heads/master by this push: new ac554c3 Fixed: fixes a documentation link ac554c3 is described below commit ac554c35de0a322a50717cb67525f3f023815a1c Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Fri May 26 10:49:56 2023 +0200 Fixed: fixes a documentation link The "we highly suggest to OFBiz users to not use credentials demo in production" link --- security.html | 46 +++++++++++++++++++++--------------------- template/page/security.tpl.php | 18 ++++++++--------- 2 files changed, 32 insertions(+), 32 deletions(-) diff --git a/security.html b/security.html index d2abe77..eb9778a 100644 --- a/security.html +++ b/security.html @@ -82,7 +82,7 @@ </li> <li><a href="#" class="firstLevel">Community</a> <ul> - <li><a href="getting-involved.html">Getting Involved</a></li> + <li><a href="getting-involved.html">Getting Involved</a></li> <li><a href="mailing-lists.html">Mailing Lists</a></li> <li><a href="source-repositories.html">Source Repository</a></li> <li><a href="download.html">Downloads</a></li> @@ -91,18 +91,18 @@ </ul> </li> <li><a href="ofbiz-demos.html" class="firstLevel">Demos</a></li> - <li> - <a href="//twitter.com/ApacheOfbiz" class="icon-twitter-bird socialIcon tips" - target="external" title="follow us on Twitter"><span>twitter</span></a> - </li> - <li><a href="//www.linkedin.com/company/apache-ofbiz/" target="external" class="icon-linkedin socialIcon tips" title="follow us on Linkedin"><span>linkedin</span></a></li> - <li><a href="//www.facebook.com/Apache-OFBiz-1478219232210477/?ref=page_internal" target="external" class="icon-facebook socialIcon tips" title="follow us on Facebook"><span>facebook</span></a></li> - <li><a href="//www.youtube.com/user/ofbiz" class="icon-play socialIcon tips" target="external" title="follow us on Youtube"><span>Youtube</span></a></li> - <!--<li><a href="#" class="icon-rss socialIcon tips" title="Our rss feed"><span>rss feed</span></a></li> - <li><a href="#" class="icon-gplus socialIcon tips" title="follow us on Google +"><span>google +</span></a></li> - <li><a href="#" class="icon-instagram socialIcon tips" title="follow us on Instagram"><span>instagram</span></a></li> - <li><a href="#" class="icon-linkedin socialIcon tips" title="follow us on Linkedin"><span>linkedin</span></a></li> - <li><a href="#" class="icon-pinterest-circled socialIcon tips" title="follow us on Pinterest"><span>Pinterest</span></a></li>--> + <li> + <a href="//twitter.com/ApacheOfbiz" class="icon-twitter-bird socialIcon tips" + target="external" title="follow us on Twitter"><span>twitter</span></a> + </li> + <li><a href="//www.linkedin.com/company/apache-ofbiz/" target="external" class="icon-linkedin socialIcon tips" title="follow us on Linkedin"><span>linkedin</span></a></li> + <li><a href="//www.facebook.com/Apache-OFBiz-1478219232210477/?ref=page_internal" target="external" class="icon-facebook socialIcon tips" title="follow us on Facebook"><span>facebook</span></a></li> + <li><a href="//www.youtube.com/user/ofbiz" class="icon-play socialIcon tips" target="external" title="follow us on Youtube"><span>Youtube</span></a></li> + <!--<li><a href="#" class="icon-rss socialIcon tips" title="Our rss feed"><span>rss feed</span></a></li> + <li><a href="#" class="icon-gplus socialIcon tips" title="follow us on Google +"><span>google +</span></a></li> + <li><a href="#" class="icon-instagram socialIcon tips" title="follow us on Instagram"><span>instagram</span></a></li> + <li><a href="#" class="icon-linkedin socialIcon tips" title="follow us on Linkedin"><span>linkedin</span></a></li> + <li><a href="#" class="icon-pinterest-circled socialIcon tips" title="follow us on Pinterest"><span>Pinterest</span></a></li>--> </ul> </nav> </div> @@ -130,23 +130,23 @@ <h2><a id="security"></a>Security Vulnerabilities</h2> <div class="divider"><span></span></div> <p>Please see the <a href="https://www.apache.org/security" target="external">ASF Security Team webpage</a> for further information about reporting a security vulnerability as well as their contact information. </p> - + <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either secur...@ofbiz.apache.org or secur...@apache.org), before disclosing them in a public forum. Please don't pack several vulnerabilities in the same report, send them one by one, thanks in advance.</strong></p> - - <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. + + <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. <strong> <a href="https://s.apache.org/dsj2p"> Rather create bugs reports in our issue tracker (Jira) for that.</a><span style="color:red"> Please don't create Jira issues for unauth (aka pre-auth) reports, thanks in advance.</span></strong></p> - - <p>One of the reason we no longer create CVEs for post-auth attacks done using demo credentials is because - <a href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/#security" target="external"> we highly suggest to OFBiz users to not use credentials demo in production</a> + + <p>One of the reason we no longer create CVEs for post-auth attacks done using demo credentials is because + <a href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/README.html#security" target="external"> we highly suggest to OFBiz users to not use credentials demo in production</a> and we expect OFBiz users to do so. - <a href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure" target="external"> We also warn our users on the "Keeping OFBiz secure wiki page".</a> + <a href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure" target="external"> We also warn our users on the "Keeping OFBiz secure wiki page".</a> And finally, mostly we reject post-auth vulnerabilities because we have a solid CSRF defense.</p> - + <h3>List of Known Vulnerabilities</h3> <ul class="iconsList"> - <li><i class="icon-pin"></i> <a href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47501" target="external">CVE-2022-47501</a>; affected releases before 18.12.07; fixed in 18.12.07 with commit <a href="https://github.com/apache/ofbiz-plugins/commit/582add7d3" target="external">582add7d3</a></li> + <li><i class="icon-pin"></i> <a href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47501" target="external">CVE-2022-47501</a>; affected releases before 18.12.07; fixed in 18.12.07 with commit <a href="https://github.com/apache/ofbiz-plugins/commit/582add7d3" target="external">582add7d3</a></li> <li><i class="icon-pin"></i> <a href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25813" target="external">CVE-2022-25813</a>; affected releases before 18.12.06; fixed in 18.12.06 with commits <a href="https://github.com/apache/ofbiz-framework/commit/843b1c7e71" target="external">843b1c7e71</a>, <a href="https://github.com/apache/ofbiz-framework/commit/3797e60375" target="external">3797e60375</a>, <a href="https://github.com/apache/ofbiz-framework/commit/b24dcff344" [...] <li><i class="icon-pin"></i> <a href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29063" target="external">CVE-2022-29063</a>; affected releases before 18.12.06; fixed in 18.12.06 with commit <a href="https://github.com/apache/ofbiz-plugins/commit/061252a80" target="external">061252a80</a></li> <li><i class="icon-pin"></i> <a href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29158" target="external">CVE-2022-29158</a>; affected releases before 18.12.06; fixed in 18.12.06 with commit <a href="https://github.com/apache/ofbiz-framework/commit/ff92c4bc9" target="external">ff92c4bc9</a></li> @@ -244,7 +244,7 @@ <li><a href="https://privacy.apache.org/policies/privacy-policy-public.html" target="external">Privacy Policy</a></li> <li><a href="https://www.apache.org/events/current-event" target="external">Events</a></li> <li><a href="https://www.apache.org/foundation/sponsorship.html" target="external">Sponsorship</a> - and <a href="https://www.apache.org/foundation/contributing.html" target="external">Donations</a> + and <a href="https://www.apache.org/foundation/contributing.html" target="external">Donations</a> </li> <li><a href="https://www.apache.org/foundation/thanks.html" target="external">Thanks</a></li> <li><a href="https://ofbiz.apache.org/security.html">Security</a></li> diff --git a/template/page/security.tpl.php b/template/page/security.tpl.php index 297cde5..6932770 100644 --- a/template/page/security.tpl.php +++ b/template/page/security.tpl.php @@ -19,23 +19,23 @@ <h2><a id="security"></a>Security Vulnerabilities</h2> <div class="divider"><span></span></div> <p>Please see the <a href="https://www.apache.org/security" target="external">ASF Security Team webpage</a> for further information about reporting a security vulnerability as well as their contact information. </p> - + <p><strong>We strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing lists (either secur...@ofbiz.apache.org or secur...@apache.org), before disclosing them in a public forum. Please don't pack several vulnerabilities in the same report, send them one by one, thanks in advance.</strong></p> - - <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. + + <p>Note that we no longer create CVEs for post-auth attacks done using demo credentials, notably using the admin user. <strong> <a href="https://s.apache.org/dsj2p"> Rather create bugs reports in our issue tracker (Jira) for that.</a><span style="color:red"> Please don't create Jira issues for unauth (aka pre-auth) reports, thanks in advance.</span></strong></p> - - <p>One of the reason we no longer create CVEs for post-auth attacks done using demo credentials is because - <a href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/#security" target="external"> we highly suggest to OFBiz users to not use credentials demo in production</a> + + <p>One of the reason we no longer create CVEs for post-auth attacks done using demo credentials is because + <a href="https://nightlies.apache.org/ofbiz/trunk/readme/html5/README.html#security"> we highly suggest to OFBiz users to not use credentials demo in production</a> and we expect OFBiz users to do so. - <a href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure" target="external"> We also warn our users on the "Keeping OFBiz secure wiki page".</a> + <a href="https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure" target="external"> We also warn our users on the "Keeping OFBiz secure wiki page".</a> And finally, mostly we reject post-auth vulnerabilities because we have a solid CSRF defense.</p> - + <h3>List of Known Vulnerabilities</h3> <ul class="iconsList"> - <li><i class="icon-pin"></i> <a href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47501" target="external">CVE-2022-47501</a>; affected releases before 18.12.07; fixed in 18.12.07 with commit <a href="https://github.com/apache/ofbiz-plugins/commit/582add7d3" target="external">582add7d3</a></li> + <li><i class="icon-pin"></i> <a href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47501" target="external">CVE-2022-47501</a>; affected releases before 18.12.07; fixed in 18.12.07 with commit <a href="https://github.com/apache/ofbiz-plugins/commit/582add7d3" target="external">582add7d3</a></li> <li><i class="icon-pin"></i> <a href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25813" target="external">CVE-2022-25813</a>; affected releases before 18.12.06; fixed in 18.12.06 with commits <a href="https://github.com/apache/ofbiz-framework/commit/843b1c7e71" target="external">843b1c7e71</a>, <a href="https://github.com/apache/ofbiz-framework/commit/3797e60375" target="external">3797e60375</a>, <a href="https://github.com/apache/ofbiz-framework/commit/b24dcff344" [...] <li><i class="icon-pin"></i> <a href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29063" target="external">CVE-2022-29063</a>; affected releases before 18.12.06; fixed in 18.12.06 with commit <a href="https://github.com/apache/ofbiz-plugins/commit/061252a80" target="external">061252a80</a></li> <li><i class="icon-pin"></i> <a href="//cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29158" target="external">CVE-2022-29158</a>; affected releases before 18.12.06; fixed in 18.12.06 with commit <a href="https://github.com/apache/ofbiz-framework/commit/ff92c4bc9" target="external">ff92c4bc9</a></li>