Hi all,

Recently we have seen some security issues fixed in the code base (CVE-2016-6800 and CVE-2016-4462). Thanks to all who participated in identifying, analysing and fixing these OFBiz security threats.

When I look at how we communicate to our adopters that there are threats and how they can be mitigated [1], I believe we could and we should do a little bit more. There we merely put a reference to the CVE [2] issue (see [3] for example) and an advice to upgrade. But on that page we leave out any particulars on how the issue affected OFBiz and what was done about it. Rightly so, as it is just a list of notifications. The details about the effect of the issue and the mitigation are in commits. But there is no apparent relation between the notification on [1] and the actual commit that mitigated it. Also, reporting the CVE in JIRA issues is not optimal. This leads to the fact that details don't appear in release notes very well.

I believe we could and should do better. We should *always* have a JIRA issue explaining the CVE issue and its effect on the OFBiz product, have it enhanced with the proper tags or labels (e.g. CVE/Security), and - like any other JIRA issue - have it showing with which commit(s) it has been resolved and on which branch it has been implemented. With a proper filter definition on JIRA we can then shorten the vulnerability section in [1] and have that link to that JIRA filter definition.

What do you think?

References:
- [1] http://ofbiz.apache.org/download.html
- [2] CVE: Common Vulnerability and Exposure
- [3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6800

Best regards,

Pierre Smits
ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services
OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/
