My advice is to update to the latest SuiteCRM, there are many security fixes also on the SuiteCRM side (not just in the SugarCRM core) in the latest versions.
You’ll have to do it in two steps, so maybe this could be a way to handle it:
back up before starting, of course, both files and database
do it in a test environment (like in a VM) first, so you can check if it’s working well, especially any customizations or add-ons you might have in place
this is a big upgrade, lots of things changed: so make sure you test your main functions extensively
check the Compatibility Matrix to see if you need database upgrades or, more likely, PHP upgrades. The move to PHP 7.x is a big step forward in terms of security and performance
Thanks, I have done this also, but even SuiteCRM 7.10.2 has Sugar version 6.5.25.
My requirement is to upgrade the core Sugar version now from 6.5.25 to 6.5.26.
Target is to have core sugar 6.5.26 version in SuiteCRM.
An upgrade in the SugarCRM version inside SuiteCRM needs to be done by the SalesAgility team.
I believe that particular upgrade hasn’t been done yet for a simple reason - we had a security audit, fixed every “eval” issue in the entire code, so we don’t have those vulnerabilities anymore, and we don’t need that upgrade.
But I am not 100% sure of this, I am drawing from my memory from a few months ago when I had this discussion with our lead developer. So let me check this issue and I will get back to you.
You can rest assured that either the fixes aren’t confirmed as not needed, or that they will be taken care of, with highest priority.
Any other information or update regarding this?
If anyone has done this kind of upgrade, please update here.
And how can I ensure these vulnerabilities have been removed in the upgraded SuiteCRM version?
This has been tackled by removing all evals from the function - a different way than what Sugar has provided.
The other (third) issue I am still looking at. I am very sure it is already solved also, because we had a full 3rd party security audit and these kinds of path traversal issues were all addressed. I just want to make sure before I confirm it to you.
So, the important conclusions are:
upgrade to the latest SuiteCRM
stop thinking in terms of “there’s a SugarCRM version inside SuiteCRM”. We are now (always were?) a fully independent product, they are dead and gone. We will probably be removing the reference to the SugarCRM version from our “About” screen.
feel safe and enjoy
keep bugging us about any security issue you find! That’s a good pressure. If it’s a novelty, don’t report in public, just email security@suitecrm.com
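The question above asks how to verify that the eval-based issues are really gone from an upgraded install, and the answer is that they were addressed by removing every `eval` call. A quick way to check that for yourself on your own tree is a source scan. The script below is an added example written for this thread, not SalesAgility's audit tooling or anything shipped with SuiteCRM; the sample files it scans are constructed here and are not real SuiteCRM code. It flags every `eval(` occurrence (PHP function names are case-insensitive, so `EVAL(` counts too), marks hits that sit on comment lines so you can triage them, and deliberately does not try to be a full PHP parser: a call made through a variable function name, as in the third sample, will not be caught, which is why the scan is a check on the upgrade and not a substitute for the audit.

```python
"""Scan PHP sources for eval() calls.

Added example for a forum thread about SuiteCRM upgrades; not SuiteCRM's
own code. Intended use: run scan_tree() against your SuiteCRM root after
upgrading and review whatever is left.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# An eval call: "eval", optional whitespace, "(". The lookbehind rejects
# identifiers such as "evaluate" being matched from the middle and rejects
# "$eval(" (a variable function), which this simple scan cannot resolve.
EVAL_RE = re.compile(r"(?<![\w$])eval\s*\(", re.IGNORECASE)

# Lines that start as a comment; hits there are reported but marked.
COMMENT_LINE_RE = re.compile(r"^\s*(//|#|\*|/\*)")

PHP_EXTENSIONS: Tuple[str, ...] = (".php", ".inc")  # assumption: file types worth scanning


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    line: str
    in_comment: bool


def scan_source(path: str, source: str) -> List[Finding]:
    """Return one Finding per line of `source` that contains an eval( call."""
    findings: List[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if EVAL_RE.search(line):
            findings.append(
                Finding(path, line_no, line.strip(), bool(COMMENT_LINE_RE.match(line)))
            )
    return findings


def scan_tree(root: str, extensions: Tuple[str, ...] = PHP_EXTENSIONS) -> List[Finding]:
    """Walk a directory (e.g. your SuiteCRM root) and scan every PHP file."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(full, fh.read()))
    return findings


def triage(findings: List[Finding]) -> List[Finding]:
    """Drop hits on comment lines; what remains is live code to review by hand."""
    return [f for f in findings if not f.in_comment]


# Constructed sample files (hypothetical paths and content, not SuiteCRM code).
SAMPLES: Dict[str, str] = {
    "modules/Example/vardefs.php": "<?php\n$result = eval('return ' . $expr . ';');\n",
    "include/helpers.php": "<?php\n// eval() used to live here\n$v = evaluate($x);\nreturn $v;\n",
    "custom/indirect.php": "<?php\n$fn = 'eval';\n$fn($code); // variable function: not detected\n",
}


def scan_samples() -> List[Finding]:
    """Scan the constructed samples in memory so the example runs offline."""
    findings: List[Finding] = []
    for path, source in SAMPLES.items():
        findings.extend(scan_source(path, source))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        tag = "comment" if f.in_comment else "CODE"
        print(f"{f.path}:{f.line_no} [{tag}] {f.line}")
```

Running it on the samples reports the direct call in `modules/Example/vardefs.php` as code and the mention in `include/helpers.php` as a comment, and stays silent on `evaluate()` and on the variable-function call. Against a real install you would call `scan_tree("/path/to/suitecrm")` and expect `triage()` to return an empty list for the core; anything it does return in `custom/` or in add-ons is yours to review before trusting the upgrade.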