Hey Anahita,

Appreciate the update!

Best,
Aditi

On Mon, Jun 15, 2026 at 8:55 PM Anahita Goljahani <[email protected]> wrote:

> Hi Aditi,
>
> Thanks for the recap.
>
> Just a quick clarification: release 24.09.07 has already been
> published and addresses two additional CVEs. Therefore, I would advise
> upgrading to release 24.09.07, instead of 24.09.06.
>
> Regards,
> Anahita
>
> On Mon, Jun 15, 2026 at 1:12 PM Aditi Patel <[email protected]> wrote:
> >
> > Hi all,
> >
> > A quick recap of what the OFBiz community got done in May 2026.
> >
> > 24.09.06 <https://lists.apache.org/thread/vsnvbbbfbdlj1vgp9kz7s7yxqmn9ngpm>
> > is out and a batch of 17+ CVEs is patched—please upgrade.
> >
> > 118 issues touched · 27 opened · 80 resolved · 1 release · 17+ CVEs
> > Shipped
> >
> >    - 24.09.06 released (May 19), carrying a coordinated 17+ CVE disclosure
> >    (SSTI→RCE, JWT forgery, path traversal, SSRF). Treat as an upgrade-now item.
> >    - OFBIZ-13407 <https://issues.apache.org/jira/browse/OFBIZ-13407>
> >    — patched several Apache Tomcat CVEs via dependency update.
> >    - OFBIZ-9205 <https://issues.apache.org/jira/browse/OFBIZ-9205>
> >    — fixed a long-standing accounting bug where cancelling a taxed order
> >    created wrong OrderAdjustments (lands in 24.09.07).
> >    - OFBIZ-13425 <https://issues.apache.org/jira/browse/OFBIZ-13425>
> >    — PO shipments are now correctly marked received when receipts contain
> >    rejected units (24.09.07).
> >    - OFBIZ-13412 <https://issues.apache.org/jira/browse/OFBIZ-13412>
> >    — added H2 database support to trunk, replacing retired Derby.
> >    - OFBIZ-13138 <https://issues.apache.org/jira/browse/OFBIZ-13138>
> >    — JUnit 5 unit testing enabled framework-wide (4.13.x → 6.1.x migration
> >    <https://lists.apache.org/thread/ssh1m7s3qyn3126qm0q7d7n6shrvmcw2>).
> >    - OFBIZ-13426 <https://issues.apache.org/jira/browse/OFBIZ-13426>
> >    — dedicated SECURITY_PWD_UPDATE permission for cross-user password
> >    resets.
> >
> > In progress
> >
> >    - OFBIZ-13262 <https://issues.apache.org/jira/browse/OFBIZ-13262>
> >    — inventory reservation flow for manufacturing work orders; first changes
> >    in trunk, feature still being built out.
> >    - Headless plugins — Headless Commerce plugin
> >    <https://issues.apache.org/jira/browse/OFBIZ-13410>
> >    plus a headless, API-first manufacturing proposal.
> >    - OFBIZ-13398 <https://issues.apache.org/jira/browse/OFBIZ-13398>
> >    — PWA Picking Application as a new plugin (PR + demo posted
> >    <https://youtu.be/9ByUvnGx5ws>).
> >    - Framework decoupling — removing application dependencies from
> >    framework code <https://issues.apache.org/jira/browse/OFBIZ-13418>;
> >    sub-tasks for UserLogin.userFullName
> >    <https://issues.apache.org/jira/browse/OFBIZ-13392>
> >    and EntityPermissionChecker
> >    <https://issues.apache.org/jira/browse/OFBIZ-13393> are
> >    already done.
> >    - Proposals on the dev list — move the REST-API plugin into the
> >    framework; backport Tomcat 10 / Jakarta to release24.09.
> >
> > Also worth knowing
> >
> >    - Apache Derby retired — H2 is the path forward (see OFBIZ-13412 above).
> >    - Business Advisory Committee — proposal to add a business-side
> >    governance body as OFBiz expands into enterprise automation.
> >
> > Thanks to everyone who pitched in: Jacopo Cappellato (release manager),
> > Mridul Pathak, Ashish Vijaywargiya, Deepak Dixit, Anil K Patel, Jacques Le
> > Roux, Divesh Dutta, Arun Patidar, and many more.
> >
> > Best,
> > Aditi Patel
> > HotWax Commerce
> > [email protected]
>