Updating Security Advisory and CVEs page, and linking to page from release notes after updating.

Signed-off-by: Sunil Singh <[email protected]>

Author: sunilarjun

docs/14.releasenotes/01.5x/01.5x.md

@@ -13,21 +13,30 @@ To receive email notifications of new releases, please subscribe to this SUSE ma
 
 #### 5.4.6 August 2025
 
-##### Bug Fixes:
+##### New Features:
 
-* **NVSHAS-10019**: Fixed typo in TCP.SYN.Flood log.
-* **NVSHAS-10001**: Protect/Monitor enforcements present after group deletion.
-* **NVSHAS-9974**: Fixed condition checks in D2M and M2P to correctly interpret group name suffixes.
-* **NVSHAS-10018**: NeuVector is not scanning all images in GitLab Registry.
-* **NVSHAS-10001**: Federation operation failed 'invalid data' when configuring federation through ConfigMap.
-* **NVSHAS-10043**: Improve link and address subscription with options.
-* **NVSHAS-9981**: Update zero-drift behavior.
 * **NVSHAS-6733**: Export response rules as CRD.
-* **NVSHAS-10057**: Response rule import always fails.
-* **NVSHAS-10060**: Response rules for the target CRD group are not deleted.
-* **NVSHAS-9968-9990**: Support setting default admin account's default password.
-* **NVSHAS-10063**: Namespace user with runtime_policy(w) permission cannot create response rule.
 * **NVSHAS-9899**: NeuVector Process Profile Alerts for Java Services contain sensitive data.
+* **NVSHAS-9990**: Adopt new hash algorithm for user passwords.
+* **NVSHAS-9968**: Support setting default admin account's default password.
+
+##### Bugs Fixed
+
+* **NVSHAS-10062**: Manager not showing ERROR when failing to create admin password during 1st login.
+* **NVSHAS-10041**: Federation operation failed "invalid data" when configuring federation through ConfigMap.
+* **NVSHAS-10018**: Neuvector is not scanning all images in GitLab Registry.
+* **NVSHAS-10017**: False Positive Security Alert related to allowed process.
+* **NVSHAS-10001**: Protect/Monitor enforcements "linger" after group deletion.
+* **NVSHAS-9985**:	NeuVector (Fed Master) creates a problem for all requests coming from outside.
+* **NVSHAS-9981**:	Security Event is triggered whenever a new "Process Profile Rule" is added or changed in a group.
+
+##### Security Advisories:
+
+* [Admin account has insecure default password](https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56)
+* [Insecure password management vulnerable to rainbow attacks](https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3)
+* [Process with sensitive arguments lead to leakage](https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq)
+
+See the [Security Advisory and CVEs](/security_advisories/security_advisories/cve) documentation for more information.
 
 #### 5.4.5 July 2025
 

docs/16.security_advisories/01.security_advisories/Exposure-ManagerContainerLogs.md renamed to docs/16.security_advisories/01.security_advisories/cve.md

@@ -1,4 +1,16 @@
-# Sensitive information exposure in NeuVector manager container logs
+# Security Advisories and CVEs
+
+NeuVector is committed to informing the community of security issues. Below is a CVE reference list of published security advisories and CVEs (Common Vulnerabilities and Exposures) for issues we have resolved.
+
+## CVE List
+
+| ID | Description | Date | Resolution |
+| :---- | :---- | :---- | :---- |
+| [CVE-2025-8077](https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56) | For NeuVector deployment on the Kubernetes-based environment, the bootstrap password of the default admin user will be generated randomly and stored in a Kubernetes secret. The default admin will need to get the bootstrap password from the Kubernetes secret first and will be asked to change password after the first UI login is successful. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) |
+| [CVE-2025-53884](https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3) | NeuVector uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords.For rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash only after each user’s next successful login. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) |
+| [CVE-2025-54467](https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq) | By default, NeuVector redacts process commands that contain the strings password,passwd, pwd, token, or key in security logs, syslog, enforcer debug logs, controller debug logs, webhooks, and support logs. Users can configure a Kubernetes ConfigMap to define custom regex patterns for additional process commands to redact. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) |
+
+## Sensitive information exposure in NeuVector manager container logs
 
 **CVE ID:** CVE-2025-46808
 **CVSS Score:** 6.8- [AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N&version=3.1)
@@ -11,7 +23,7 @@
 
 **Fixed version: `5.4.5`** 
 
-### **Impact**
+### Impact
 
 A vulnerability has been identified in the NeuVector version up to and including `5.4.4`, where sensitive information is leaked into the manager container’s log. The listed fields can be caught in the log:
 
@@ -37,17 +49,18 @@ In the patched version, X-R-Sess is partially masked so that users can confirm w
 
 Please consult the associated [Unsecured credentials](https://attack.mitre.org/techniques/T1552/) for further information about this category of attack.
 
-### **Patches**
+### Patches
 
 Patched versions include release `5.4.5` and above. Users are advised to rotate the GitHub token used in Remote Repository Configuration once they have upgraded to a fixed version.
 
-### **Workarounds**
+### Workarounds
 
 No workarounds are currently available. Customers are advised to upgrade to a fixed version at their earliest convenience.
 
-If you have any questions or comments about this advisory:
-
-* Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.
-* Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.
-* Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).
+## Questions and Support
 
+* Contact the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy).
+* Open an issue in the [NeuVector GitHub repository](https://github.com/neuvector/neuvector/issues/new/choose).
+* References:
+  ** [NeuVector Support Matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/)
+  ** [Product Support Lifecycle](https://www.suse.com/lifecycle/#suse-security)

versioned_docs/version-5.4/14.releasenotes/01.5x/01.5x.md

@@ -13,21 +13,30 @@ To receive email notifications of new releases, please subscribe to this SUSE ma
 
 #### 5.4.6 August 2025
 
-##### Bug Fixes:
+##### New Features:
 
-* **NVSHAS-10019**: Fixed typo in TCP.SYN.Flood log.
-* **NVSHAS-10001**: Protect/Monitor enforcements present after group deletion.
-* **NVSHAS-9974**: Fixed condition checks in D2M and M2P to correctly interpret group name suffixes.
-* **NVSHAS-10018**: NeuVector is not scanning all images in GitLab Registry.
-* **NVSHAS-10001**: Federation operation failed 'invalid data' when configuring federation through ConfigMap.
-* **NVSHAS-10043**: Improve link and address subscription with options.
-* **NVSHAS-9981**: Update zero-drift behavior.
 * **NVSHAS-6733**: Export response rules as CRD.
-* **NVSHAS-10057**: Response rule import always fails.
-* **NVSHAS-10060**: Response rules for the target CRD group are not deleted.
-* **NVSHAS-9968-9990**: Support setting default admin account's default password.
-* **NVSHAS-10063**: Namespace user with runtime_policy(w) permission cannot create response rule.
 * **NVSHAS-9899**: NeuVector Process Profile Alerts for Java Services contain sensitive data.
+* **NVSHAS-9990**: Adopt new hash algorithm for user passwords.
+* **NVSHAS-9968**: Support setting default admin account's default password.
+
+##### Bugs Fixed
+
+* **NVSHAS-10062**: Manager not showing ERROR when failing to create admin password during 1st login.
+* **NVSHAS-10041**: Federation operation failed "invalid data" when configuring federation through ConfigMap.
+* **NVSHAS-10018**: Neuvector is not scanning all images in GitLab Registry.
+* **NVSHAS-10017**: False Positive Security Alert related to allowed process.
+* **NVSHAS-10001**: Protect/Monitor enforcements "linger" after group deletion.
+* **NVSHAS-9985**:	NeuVector (Fed Master) creates a problem for all requests coming from outside.
+* **NVSHAS-9981**:	Security Event is triggered whenever a new "Process Profile Rule" is added or changed in a group.
+
+##### Security Advisories:
+
+* [Admin account has insecure default password](https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56)
+* [Insecure password management vulnerable to rainbow attacks](https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3)
+* [Process with sensitive arguments lead to leakage](https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq)
+
+See the [Security Advisory and CVEs](/security_advisories/security_advisories/cve) documentation for more information.
 
 #### 5.4.5 July 2025
 

versioned_docs/version-5.4/16.security_advisories/01.security_advisories/Exposure-ManagerContainerLogs.md renamed to versioned_docs/version-5.4/16.security_advisories/01.security_advisories/cve.md

@@ -1,4 +1,16 @@
-# Sensitive information exposure in NeuVector manager container logs
+# Security Advisories and CVEs
+
+NeuVector is committed to informing the community of security issues. Below is a CVE reference list of published security advisories and CVEs (Common Vulnerabilities and Exposures) for issues we have resolved.
+
+## CVE List
+
+| ID | Description | Date | Resolution |
+| :---- | :---- | :---- | :---- |
+| [CVE-2025-8077](https://github.com/neuvector/neuvector/security/advisories/GHSA-8pxw-9c75-6w56) | For NeuVector deployment on the Kubernetes-based environment, the bootstrap password of the default admin user will be generated randomly and stored in a Kubernetes secret. The default admin will need to get the bootstrap password from the Kubernetes secret first and will be asked to change password after the first UI login is successful. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) |
+| [CVE-2025-53884](https://github.com/neuvector/neuvector/security/advisories/GHSA-8ff6-pc43-jwv3) | NeuVector uses a cryptographically secure salt with the PBKDF2 algorithm instead of a simple hash to protect user passwords.For rolling upgrades from earlier versions, NeuVector recalculates and stores the new password hash only after each user’s next successful login. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) |
+| [CVE-2025-54467](https://github.com/neuvector/neuvector/security/advisories/GHSA-w54x-xfxg-4gxq) | By default, NeuVector redacts process commands that contain the strings password,passwd, pwd, token, or key in security logs, syslog, enforcer debug logs, controller debug logs, webhooks, and support logs. Users can configure a Kubernetes ConfigMap to define custom regex patterns for additional process commands to redact. | 25 Aug 2025 | [NeuVector v5.4.6](https://github.com/neuvector/neuvector/releases/tag/v5.4.6) |
+
+## Sensitive information exposure in NeuVector manager container logs
 
 **CVE ID:** CVE-2025-46808
 **CVSS Score:** 6.8- [AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N&version=3.1)
@@ -11,7 +23,7 @@
 
 **Fixed version: `5.4.5`** 
 
-### **Impact**
+### Impact
 
 A vulnerability has been identified in the NeuVector version up to and including `5.4.4`, where sensitive information is leaked into the manager container’s log. The listed fields can be caught in the log:
 
@@ -37,17 +49,18 @@ In the patched version, X-R-Sess is partially masked so that users can confirm w
 
 Please consult the associated [Unsecured credentials](https://attack.mitre.org/techniques/T1552/) for further information about this category of attack.
 
-### **Patches**
+### Patches
 
 Patched versions include release `5.4.5` and above. Users are advised to rotate the GitHub token used in Remote Repository Configuration once they have upgraded to a fixed version.
 
-### **Workarounds**
+### Workarounds
 
 No workarounds are currently available. Customers are advised to upgrade to a fixed version at their earliest convenience.
 
-If you have any questions or comments about this advisory:
-
-* Reach out to the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.
-* Open an issue in the [NeuVector](https://github.com/neuvector/neuvector/issues/new/choose) repository.
-* Verify with our [support matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/#suse-security).
+## Questions and Support
 
+* Contact the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy).
+* Open an issue in the [NeuVector GitHub repository](https://github.com/neuvector/neuvector/issues/new/choose).
+* References:
+  ** [NeuVector Support Matrix](https://www.suse.com/suse-neuvector/support-matrix/all-supported-versions/neuvector-v-all-versions/)
+  ** [Product Support Lifecycle](https://www.suse.com/lifecycle/#suse-security)