...
You can trust the Apache OFBiz PMC Members and Committers, we do our best to keep OFBiz secure. But despite our best efforts we migth sometimes overlook a security issue. In such cases, as explained at https://ofbiz.apache.org/download.html, we strongly encourage OfBiz users to report security problems affecting OFBiz to the private security mailing list of the ASF Security Team, before disclosing them in a public forum. Please see the page of the ASF Security Team for further information and contact information. Also in case of doubt, refer to the current page where quick fixes not already released might be explained.
Also you should update your release version as soon as a security update is mentionned at https://ofbiz.apache.org/download.html#vulnerabilities.
Another option is to use a release branch rather than a released package. As soon as the release branch contains the security update you just have to "svn up" your referent working copy and apply in production...
You might refer to
Jira | ||||||
---|---|---|---|---|---|---|
|
...
Warning | ||
---|---|---|
| ||
Be sure to read The infamous Java serialize vulnerability page if you use RMI, JMX, Spring, or/and any other external librairies within your OFBiz instance |
...