Closed chris001 closed 8 months ago
Release notes from 6.5.26 state ( https://support.sugarcrm.com/Documentation/Unsupported_Versions/Sugar_6.5/index.html ):
Fixed Issues

Sugar 6.5.26 is a security update released to address certain security vulnerabilities identified during our routine QA checks. We strongly recommend that you install this update at the earliest opportunity. While we have not experienced any reported incidents relating to these vulnerabilities to date, failure to install this update could leave you exposed to malicious third party attacks. For more information regarding this, please refer to the following Security Advisory announcements:

- Security Advisory sugarcrm-sa-2017-003: Instances configured with SAML may enable unauthorized access.
- Security Advisory sugarcrm-sa-2017-004: Authenticated users may cause arbitrary code to be executed.
- Security Advisory sugarcrm-sa-2017-005: Custom code may execute an eval through a deprecated function.

These vulnerabilities have been addressed in release 6.5.26 which is available for download from the Download Manager. Administrators are strongly encouraged to upgrade their Sugar instances running 6.5.25 and prior to version 6.5.26 to prevent potential exploitation of these weaknesses.
If memory serves me, at some point this was brought up and it was decided against updating SuiteCRM with the new SugarCRM. Instead, all the relevant changes (security stuff) were solved directly in SuiteCRM code.
But it is entirely possible that all of that happened in a dream of mine. Does anybody else remember this?
This was a long time ago, but we compared 6.5.26 with SuiteCRM at the time and found there was no benefit to including it.
I see plenty of `eval` on user input data. Are these all absolutely safe?
I would bet those are all safe due to the exhaustive generic clean-ups that we already do on every single request. These are the wrong approach, they are excessive and misguided, but anyway, they do have some upside!
Anyway, since these are security issues, I'd say a careful case-by-case check should be made, to be sure.
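As an added example of how that case-by-case check can be started (this is not code from the thread or from the SuiteCRM/SugarCRM code base), the PHP script below tokenises every `.php` file under a directory, pulls out the argument expression of each `eval()` call, and classifies it: arguments that name a request superglobal directly, arguments built at runtime from variables or calls, and plain string literals. The directory layout and the embedded sample snippet are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not SuiteCRM code. Static triage of eval() calls.
// Returns one entry per eval() found in $code, with the argument expression
// and a triage class:
//   'request-input' : argument mentions $_GET/$_POST/$_REQUEST/$_COOKIE directly
//   'dynamic'       : argument contains variables or calls (needs manual review)
//   'literal'       : argument is only quoted string literals (low priority)
function findEvalCalls(string $code, string $file): array
{
    $tokens = token_get_all($code);
    $count  = count($tokens);
    $hits   = [];

    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || $tokens[$i][0] !== T_EVAL) {
            continue;
        }
        $line = $tokens[$i][2];

        // Walk forward to the opening '(' and collect tokens up to its matching ')'.
        // Depth is tracked on tokens, so parentheses inside string literals are ignored.
        $depth = 0;
        $arg = '';
        $dynamic = false;
        for ($j = $i + 1; $j < $count; $j++) {
            $t    = $tokens[$j];
            $kind = is_array($t) ? $t[0] : null;
            $text = is_array($t) ? $t[1] : $t;

            if ($text === '(') {
                $depth++;
                if ($depth === 1) {
                    continue;
                }
            } elseif ($text === ')') {
                $depth--;
                if ($depth === 0) {
                    break;
                }
            }
            if ($depth === 0) {
                continue; // whitespace between 'eval' and '('
            }
            if (in_array($kind, [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
                continue;
            }
            $arg .= $text;
            // Anything other than a quoted string or a concatenation dot means
            // the evaluated code is assembled at runtime.
            if ($kind !== T_CONSTANT_ENCAPSED_STRING && $text !== '.') {
                $dynamic = true;
            }
        }

        if (preg_match('/\$_(GET|POST|REQUEST|COOKIE)\b/', $arg)) {
            $class = 'request-input';
        } elseif ($dynamic) {
            $class = 'dynamic';
        } else {
            $class = 'literal';
        }
        $hits[] = ['file' => $file, 'line' => $line, 'class' => $class, 'arg' => $arg];
    }
    return $hits;
}

// Recursively audit every .php file below $dir (assumed layout: a plain source tree).
function auditDirectory(string $dir): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if ($f->getExtension() === 'php') {
            $path = $f->getPathname();
            $hits = array_merge($hits, findEvalCalls(file_get_contents($path), $path));
        }
    }
    return $hits;
}

// Constructed sample input, used when no directory is given on the command line.
$sample = <<<'PHP'
<?php
eval('return 1;');
eval('return ' . $_REQUEST['expr'] . ';');
eval($this->buildHandlerCode($row));
PHP;

$hits = isset($argv[1]) ? auditDirectory($argv[1]) : findEvalCalls($sample, 'sample.php');
foreach ($hits as $h) {
    printf("%-14s %s:%d  eval(%s)\n", $h['class'], $h['file'], $h['line'], $h['arg']);
}
```

Run it as `php eval_audit.php /path/to/suitecrm` and work through the `request-input` and `dynamic` entries by hand. Only direct superglobal references are detected; code that reaches `eval()` through intermediate variables, database rows or configuration lands in `dynamic`, which is exactly the set that generic per-request sanitisation says nothing about and so needs the manual review.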
Issue
CE code base in the repo is on 6.5.25. This isn't the latest version.
Expected Behavior
Update the CE code to latest version 6.5.26.
Actual Behavior
It's running on the old CE 6.5.25.
Possible Fix
Download the CE 6.5.x to 6.5.26 silent updater and run it on this SuiteCRM repo code, let it update, add, and remove files, if any. EDIT: SugarCRM removed all CE download files from SourceForge. They're archived here: 1. silent upgrade to 6.5.26
Steps to Reproduce
`sugar_version.php` in the Code folder is version 6.5.25. Online it clearly states 6.5.26 is the latest (and last) version of 6.5 CE.
Context
The newest version 6.5.26 fixed some bugs. Otherwise SugarCRM wouldn't have released it.
Your Environment