Merge pull request #4767 from OpenLiberty/cve-add

ayoho · web-flow · commit 934ef823ef7a · 2026-03-30T13:13:00.000-05:00
adding cve session and remove repeated content
diff --git a/posts/2026-01-27-26.0.0.1.adoc b/posts/2026-01-27-26.0.0.1.adoc
@@ -69,6 +69,7 @@ In this release, Open Liberty introduces log throttling to automatically suppres
 In link:{url-about}[Open Liberty] 26.0.0.1:
 
 * <<logging, Log Throttling>>
+* <<CVEs, Security Vulnerability (CVE) Fixes>>
 * <<bugs, Notable bug fixes>>
 
 // // // // // // // //
@@ -207,6 +208,29 @@ When `throttleType` is set to `message`, throttling is applied to the entire mes
   
 // DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> 
 
+[#CVEs]
+== Security vulnerability (CVE) fixes in this release
+[cols="5*"]
+|===
+|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes
+
+|https://www.cve.org/CVERecord?id=CVE-2025-12635[CVE-2025-12635]
+|5.4
+|Cross-site scripting
+|17.0.0.3-25.0.0.12
+|Affects the `servlet-3.1`, `servlet-4.0`, `servlet-5.0`, and `servlet-6.0` features
+|===
+// // // // // // // //
+// In the preceding section:
+// If there were any CVEs addressed in this release, fill out the table.  For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc.  If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz.
+// Note: When linking to features, use the 
+// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and 
+// NOT what security-vulnerabilities.adoc does (feature:someFeature-1.0[])
+//
+// If there are no CVEs fixed in this release, replace the table with: 
+// "There are no security vulnerability fixes in Open Liberty [RELEASE_VERSION]."
+// // // // // // // //
+For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].
 
 [#bugs]
 == Notable bugs fixed in this release
diff --git a/posts/2026-02-24-26.0.0.2.adoc b/posts/2026-02-24-26.0.0.2.adoc
@@ -67,6 +67,7 @@ This release introduces Java Toolchains support, enabling developers to decouple
 In link:{url-about}[Open Liberty] 26.0.0.2:
 
 * <<java_toolchains, Java Toolchains in Liberty Build Plugins>>
+* <<CVEs, Security Vulnerability (CVE) Fixes>>
 * <<bugs, Notable bug fixes>>
 
 View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26002+label%3A%22release+bug%22[26.0.0.2].
@@ -159,11 +160,10 @@ With Java Toolchains, you can now run your build tool on a modern JDK (for examp
 
 === Maven Plugin integration
 
-The Liberty Maven plugin now integrates seamlessly with the maven-toolchain-plugin. To use this feature, define your available JDKs in your `~/.m2/toolchains.xml` file. The plugin automatically detects and uses the toolchain that is specified in your project's `pom.xml` file.
 The Liberty Maven Plugin now integrates seamlessly with the maven-toolchain-plugin as of version 3.12.0.
 To use this feature, define your available JDKs in your `~/.m2/toolchains.xml` file and then configure `<jdkToolchain>` tag in `<configuration>`.
-
 The plugin automatically detects and uses the toolchain specified in your project’s `pom.xml` file.
+
 For detailed configuration steps and parameters, see the link:https://github.com/OpenLiberty/ci.maven/blob/main/docs/toolchain.md[Liberty Maven Plugin Toolchain documentation].
 
 The plugin acknowledges the JDK vendor and version constraints that are defined in your Maven profiles, helping to ensure that your server environment remains consistent across different developer machines and CI/CD pipelines.
@@ -224,6 +224,31 @@ java {
   
 // DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> 
 
+[#CVEs]
+== Security vulnerability (CVE) fixes in this release
+[cols="5*"]
+|===
+|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes
+
+|https://www.cve.org/CVERecord?id=CVE-2025-14914[CVE-2025-14914]
+|7.6
+|Remote code execution
+|17.0.0.3-26.0.0.1
+|Affects the `restConnector-2.0` feature
+|===
+// // // // // // // //
+// In the preceding section:
+// If there were any CVEs addressed in this release, fill out the table.  For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc.  If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz.
+// Note: When linking to features, use the 
+// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and 
+// NOT what security-vulnerabilities.adoc does (feature:someFeature-1.0[])
+//
+// If there are no CVEs fixed in this release, replace the table with: 
+// "There are no security vulnerability fixes in Open Liberty [RELEASE_VERSION]."
+// // // // // // // //
+For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].
+
+
 [#bugs]
 == Notable bugs fixed in this release
 
diff --git a/posts/2026-03-24-26.0.0.3.adoc b/posts/2026-03-24-26.0.0.3.adoc
@@ -68,6 +68,7 @@ In link:{url-about}[Open Liberty] 26.0.0.3:
 
 * <<userregistry, UserRegistry Attribute Reader Enhancement>>
 * <<jandex, Jandex Index Format Support Update>>
+* <<CVEs, Security Vulnerability (CVE) Fixes>>
 * <<bugs, Notable bug fixes>>
 
 View the list of fixed bugs in link:https://github.com/OpenLiberty/open-liberty/issues?q=label%3Arelease%3A26003+label%3A%22release+bug%22[26.0.0.3].
@@ -293,6 +294,37 @@ For more information, see the link:https://smallrye.io/jandex/jandex/3.5.3/index
 
 // DO NOT MODIFY THIS LINE. </GHA-BLOG-TOPIC> 
 
+[#CVEs]
+== Security vulnerability (CVE) fixes in this release
+[cols="5*"]
+|===
+|CVE |CVSS Score |Vulnerability Assessment |Versions Affected |Notes
+
+|https://www.cve.org/CVERecord?id=CVE-2025-14923[CVE-2025-14923]
+|4.7
+|Weaker security
+|17.0.0.3-26.0.0.2
+|
+
+|https://www.cve.org/CVERecord?id=CVE-2024-29371[CVE-2024-29371]
+|7.5
+|Denial of service
+|21.0.0.3-26.0.0.2
+|Affects the `openidConnectClient-1.0`, `socialLogin-1.0`, `mpJwt-1.2`, `mpJwt-2.0`, `mpJwt-2.1`, and `jwt-1.0` features
+|===
+// // // // // // // //
+// In the preceding section:
+// If there were any CVEs addressed in this release, fill out the table.  For the information, reference https://github.com/OpenLiberty/docs/blob/draft/modules/ROOT/pages/security-vulnerabilities.adoc.  If it has not been updated for this release, reach out to Kristen Clarke or Michal Broz.
+// Note: When linking to features, use the 
+// `link:{url-prefix}/docs/latest/reference/feature/someFeature-1.0.html[Some Feature 1.0]` format and 
+// NOT what security-vulnerabilities.adoc does (feature:someFeature-1.0[])
+//
+// If there are no CVEs fixed in this release, replace the table with: 
+// "There are no security vulnerability fixes in Open Liberty [RELEASE_VERSION]."
+// // // // // // // //
+For a list of past security vulnerability fixes, reference the link:{url-prefix}/docs/latest/security-vulnerabilities.html[Security vulnerability (CVE) list].
+
+
 [#bugs]
 == Notable bugs fixed in this release
 
