I need one urgent help and suggestion.
I have suitecrm version 7.7.6 having sugar version 6.5.24, this sugar version has some sort of vulnerabilities.
I would like to upgrade this sugar version from 6.5.24 to 6.5.26, remember CRM is SUITECRM.
Please let me know which upgrade package will be needed for this with download path.
My advice is to update to the latest SuiteCRM, there are many security fixes also on the SuiteCRM side (not just in the SugarCRM core) in the latest versions.
You’ll have to do it in two steps, so maybe this could be a way to handle it:
https://suitecrm.com/files/157/SuiteCRM-7.8-Upgrades/243/SuiteCRM-Upgrade-7.7.x-to-7.8.17.zip
then
https://suitecrm.com/files/161/SuiteCRM-7.10-Upgrades/250/SuiteCRM-Upgrade-7.8.x-to-7.10.2.zip
(or 7.10.3 if it is already out by the time you actually upgrade)
Some extra advice:
Thanks, I have done this also , but even suitecrm 7.10.2 has sugar version 6.5.25.
My requirement is to upgrade the core sugar version now from 6.5.25 to 6.5.26
Target is to have core sugar 6.5.26 version in SuiteCRM.
How to proceed further for this.
Core Sugar Version 6.5.26 has some vulnerabilities fixed as,
http://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-003/
http://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-004/
http://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-005/
An upgrade in the SugarCRM version inside SuiteCRM needs to be done by the SalesAgility team.
I believe that particular upgrade hasn’t been done yet for a simple reason - we had a security audit, fixed every “eval” issue in the entire code, so we don’t have those vulnerabilities anymore, and we don’t need that upgrade.
But I am not 100% sure of this, I am drawing from my memory from a few months ago when I had this discussion with our lead developer. So let me check this issue and I will get back to you.
You can rest assured that either the fixes aren’t confirmed as not needed, or that they will be taken care of, with highest priority.
Any other information or update regarding this?
If anyone has done such kind of up-gradation , please update here.
And how can I ensure these vulnerabilities has been removed in suitecrm up-graded version?
Here is a 90% complete update (since you’re in such a rush):
SugarCRM has completely removed their code from GitHub. There is no more code, no more of their fixes, no future vulnerabilities report. It’s over.
SuiteCRM has already patched (actually, before they reported it) at least two of the three vulnerabilities on that version 6.5.26
http://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-003/
This has been tackled as the vulnerability was in version earlier than v2.10.0. SuiteCRM’s onelogin SAML is at version v2.11
http://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2017-005/
This has been tackled by removing all evals from the function - a different way than what Sugar has provided
The other (third) issue I am still looking at it. I am very sure it is already solved also, because we had a full 3rd party security audit and these kinds of path traversal issues were all addressed. I just want to make sure before I confirm it to you.
So, the important conclusions are:
upgrade to the latest SuiteCRM
stop thinking in terms of “there’s a SugarCRM version inside SuiteCRM”. We are now (always were?) a fully independent product, they are dead and gone. We will probably be removing the reference to the SugarCRM version from our “About” screen.
feel safe and enjoy
keep bugging us about any security issue you find! That’s a good pressure. If it’s a novelty, don’t report in public, just email security@suitecrm.com
Thanks
hey, thanks for the explanation.
Second, upgrading to 7.8.17 , is ok?
And I don’t want to upgrade it to suitecrm7.10.2 , as don’t want theme to be changed?
So all such security issues will also be fixed in up-graded version 7.8.17 , right?
The security fixes go into all currently supported versions, so that would be all three branches: 7.8.x, 7.9.x, 7.10.x
All these have full security patches in their latest versions.
Thanks for your quick response 