Hey Anahita,

Appreciate the update!

Best,
Aditi

On Mon, Jun 15, 2026 at 8:55 PM Anahita Goljahani <[email protected]> wrote:

> Hi Aditi,
>
> Thanks for the recap.
>
> Just a quick clarification: release 24.09.07 has already been published and addresses two additional CVEs. Therefore, I would advise upgrading to release 24.09.07, instead of 24.09.06.
>
> Regards,
> Anahita
>
> On Mon, 15 Jun 2026 at 13:12 Aditi Patel <[email protected]> wrote:
> >
> > Hi all,
> >
> > A quick recap of what the OFBiz community got done in May 2026.
> >
> > 24.09.06 <https://lists.apache.org/thread/vsnvbbbfbdlj1vgp9kz7s7yxqmn9ngpm> is out and a batch of 17+ CVEs is patched—please upgrade.
> >
> > 118 issues touched · 27 opened · 80 resolved · 1 release · 17+ CVEs
> >
> > Shipped
> >
> > - 24.09.06 released (May 19), carrying a coordinated 17+ CVE disclosure (SSTI→RCE, JWT forgery, path traversal, SSRF). Treat as an upgrade-now item.
> > - OFBIZ-13407 <https://issues.apache.org/jira/browse/OFBIZ-13407> — patched several Apache Tomcat CVEs via dependency update.
> > - OFBIZ-9205 <https://issues.apache.org/jira/browse/OFBIZ-9205> — fixed a long-standing accounting bug where cancelling a taxed order created wrong OrderAdjustments (lands in 24.09.07).
> > - OFBIZ-13425 <https://issues.apache.org/jira/browse/OFBIZ-13425> — PO shipments are now correctly marked received when receipts contain rejected units (24.09.07).
> > - OFBIZ-13412 <https://issues.apache.org/jira/browse/OFBIZ-13412> — added H2 database support to trunk, replacing retired Derby.
> > - OFBIZ-13138 <https://issues.apache.org/jira/browse/OFBIZ-13138> — JUnit 5 unit testing enabled framework-wide (4.13.x → 6.1.x migration <https://lists.apache.org/thread/ssh1m7s3qyn3126qm0q7d7n6shrvmcw2>).
> > - OFBIZ-13426 <https://issues.apache.org/jira/browse/OFBIZ-13426> — dedicated SECURITY_PWD_UPDATE permission for cross-user password resets.
> >
> > In progress
> >
> > - OFBIZ-13262 <https://issues.apache.org/jira/browse/OFBIZ-13262> — inventory reservation flow for manufacturing work orders; first changes in trunk, feature still being built out.
> > - Headless plugins — Headless Commerce plugin <https://issues.apache.org/jira/browse/OFBIZ-13410> plus a headless, API-first manufacturing proposal.
> > - OFBIZ-13398 <https://issues.apache.org/jira/browse/OFBIZ-13398> — PWA Picking Application as a new plugin (PR + demo posted <https://youtu.be/9ByUvnGx5ws>).
> > - Framework decoupling — removing application dependencies from framework code <https://issues.apache.org/jira/browse/OFBIZ-13418>; sub-tasks for UserLogin.userFullName <https://issues.apache.org/jira/browse/OFBIZ-13392> and EntityPermissionChecker <https://issues.apache.org/jira/browse/OFBIZ-13393> are already done.
> > - Proposals on the dev list — move the REST-API plugin into the framework; backport Tomcat 10 / Jakarta to release24.09.
> >
> > Also worth knowing
> >
> > - Apache Derby retired — H2 is the path forward (see OFBIZ-13412 above).
> > - Business Advisory Committee — proposal to add a business-side governance body as OFBiz expands into enterprise automation.
> >
> > Thanks to everyone who pitched in: Jacopo Cappellato (release manager), Mridul Pathak, Ashish Vijaywargiya, Deepak Dixit, Anil K Patel, Jacques Le Roux, Divesh Dutta, Arun Patidar, and many more.
> >
> > Best,
> > Aditi Patel
> > HotWax Commerce
> > [email protected]
