We have released a security patch for 5.0.4 that fixes the following security issues along with some critical bugs reported by the community. More details can be found in the release notes [VtigerCRM 5.0.4 SecurityPatch_ReleaseNotes].

Security Issues:-
1. Local File Disclosure
2. Cross-Site Scripting
3. SQL Injection Vulnerability
4. Arbitrary File Upload

Trac Tickets:-
#5235: Patch Apply: Timeout settings need change
#5255: Cannot import more than 500 records
#5307: Campaign Related info getting lost
#5298: File attachment download gets corrupted
#5294: Organization image upload issue
#5231: Webmail qualify issue
#5268: Homepage dashboard link showing incorrect data in list view
#4847: Problem in selecting users/groups/profiles from the roles and groups edit view
#5393: Not able to delete default profiles/roles/users

We thank the vtiger community for their support in detecting these issues and helping us resolve them. Special thanks to Mark Piper, Fabian Fingerele, and Different Solutions.

Patch Download:
The 5.0.4 Security patch download is available here: [VtigerCRM5.0.4_SecurityPatch]

NOTE: You will need to unpack the zip into your vtiger CRM folder. We recommend taking a backup of that directory before you unpack the patch.

Regards,
Asha
Vtiger Team

18 Responses to “vtiger CRM 5.0.4 Security Patch Release”

  1. on 14 Nov 2008 at 3:34 am Carlo Beschi

    Hi,

    definitely a good move.

    Here’s the link to the unified diff on trac.vtiger.com for those who like to patch the install using patch command instead of overwriting existing files:

    http://trac.vtiger.com/cgi-bin/trac.cgi/changeset?old_path=vtigercrm%2Fbranches%2F5.0.4&old=12052&new_path=vtigercrm%2Fbranches%2F5.0.4&new=12177

    Keep up the great work!

    carloz

  2. on 14 Nov 2008 at 3:53 am Manilal K M

    @vtiger team:
    It may be nice if the vtiger version number is also updated. This will help administrators in identifying the latest version. If the core release and patch are separately maintained, then there is a high chance of missing the security patches.

    @Carlo
    Thanks for posting the link to unified diff. The vtiger release maintainers always missed it.

  3. on 18 Nov 2008 at 7:58 am JSThePatriot

    @Carloz
    Thanks for the diff update. I was about to ask someone for one. Great work.

    Jarvis

  4. on 28 Nov 2008 at 3:28 pm salvador mm

    Hello, thank you very much for the contributions.

    My comment: After installing the patch it is impossible to see the list of users in the configuration module; I do not see anything, just the title of the module.

    Do you have some experience with that? How can I resolve it?

    Regards.

    Salvador M.

  5. on 30 Nov 2008 at 11:51 pm nitin goyal

    Hi Salvador M.

    We are unable to reproduce the issue you reported; we need some more information to reproduce it. For that, can you provide access to the server on which vtigerCRM is installed?

    Regards,
    Nitin
    Vtiger Team

  6. on 01 Dec 2008 at 7:48 am chavamm

    Hi Nitin:

    Thanks. Can you tell me your email address so I can send my server information? Do you need a nick for access?

    Thanks.
    Regards

    Salvador M.

  7. on 04 Dec 2008 at 10:21 pm Nitin Goyal

    Hi J. Salvador Martínez,

    We were able to find the cause of your issue; it is with your directory permissions and is in no way related to the security patch.

    Please go through this link (http://wiki.vtiger.com/index.php/Vtiger_CRM_5.0.4_-_Installation_Manual_for_Linux#Prerequisites_2) for the directory permissions before installing vtiger CRM; otherwise some things will not work properly in the CRM.

    Regards,
    Nitin
    Vtiger Team

  8. on 07 Jan 2009 at 11:10 am winelover80538

    Greetings, Asha. I was wondering about the process for backing up the source directory. Sorry for my ignorance but I’m a MS guy not a LI(U)NIX guy (please don’t shoot me!) and this is unfamiliar territory.

    Thanks,

    WineLover80538

  9. on 07 Jan 2009 at 10:08 pm Asha

    Hi WineLover80538,

    When we say back up your source directory, we just mean keep a copy of the source directory somewhere else, to make sure that if anything goes wrong, you can copy back your old source.

    Regards,
    Asha
    Vtiger Team

  10. on 08 Jan 2009 at 9:35 am Josh Curry

    What is the average response time for patches when security vulnerabilities are discovered?

  11. on 27 Jan 2009 at 7:19 am Belen

    Excellent work guys! So many enhancements.
    It’s the best CRM ever.

  12. on 24 Mar 2009 at 6:57 am ganiwo

    Hi,

    Is it recommended to patch a fresh installation before calling install.php? It seems so from the point of view of the install script changes.

    Regards,

    ganiwo

  13. on 10 Jul 2009 at 6:14 pm mowgli

    what is the proper patch command to use? i keep getting failed to execute errors when i try a dry run.

    my src dir = /var/www/html/salescrm

    so i dl and untar the zip to that dir. then i copy and paste the unified patch file into a new file (patch.txt) in that same src dir. then i run:

    patch --dry-run -verbose -p3

  14. on 10 Jul 2009 at 6:17 pm mowgli

    what is the proper patch command to use? my src dir = /var/www/html/salescrm, so i dl and unzip to that dir. then i copy and paste the unified patch file into a new file (patch.txt) in that same src dir. then i run:

    patch --dry-run -verbose -p3

  15. on 10 Jul 2009 at 6:20 pm mowgli

    what is the proper patch command to use? my src dir = /var/www/html/salescrm, so i dl and unzip to that dir. then i copy and paste the unified patch file into a new file (patch.txt) in that same src dir. then i run:

    patch --dry-run -verbose -p3 (used less than symbol here) patch.txt

    but each patch attempt says hunk 1 (or 1 & 2) failed. i tried unzipping into vtigercrm/branches/5.0.4/ dir i made in the src dir. same result. am i unzipping to the wrong dir? am i using the wrong command? am i running it from the wrong dir? all of the above?

    thanx for your help.

  16. on 11 Jul 2009 at 2:07 am Asha

    Hi mowgli,

    All you need to do is unzip the patch into your vtiger CRM source directory. (i.e., /var/www/html/salescrm)

    Regards,
    Asha
    Vtiger Team

  17. on 12 Jul 2009 at 9:52 am Asha

    Hi mowgli,

    It will not overwrite all the files in the directory, but will overwrite only those files which we have included in the patch. As long as you have not done any customization over the 5.0.4 source, you can go ahead and unzip the patch without any fear.

    Regards,
    Asha

  18. on 12 Jul 2009 at 1:09 pm mowgli

    so if i did have customization, would the patch command be the way to integrate the patch w/o altering my own changes?

    either way i’d like to know what the proper patch command/method/procedure is just for my own knowledge.

    but asha thanx for telling me how it would work w/o using the patch cmd.

    so anyone? what am i doing wrong (desc above)?
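A concrete version of the procedure discussed above (back up the install first, then check the trac unified diff with a dry run at the right -p level, which the thread leaves unanswered), as an added example that is not part of the original post or vtiger's own tooling. It assumes GNU patch and POSIX sh; the install tree, file names and diff content in the demo are constructed here.

```shell
#!/bin/sh
# Added example, not vtiger's tooling: back up a vtiger CRM install, then find
# the strip level (-pN) at which a unified diff applies cleanly, using only
# --dry-run so nothing on disk is modified until you choose to apply it.
set -u

# Tarball the install directory next to itself and print the archive path.
backup_install() {
    src="$1"
    out="$src-backup-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")" && printf '%s\n' "$out"
}

# Try -p0 .. -p5 from inside the source dir and print the first level at which
# every hunk applies; return 1 if none does. -f stops patch from prompting when
# a path does not resolve, -s keeps it quiet.
find_strip_level() {
    src="$1"; diff="$2"; n=0
    while [ "$n" -le 5 ]; do
        if (cd "$src" && patch --dry-run -s -f -p"$n" < "$diff" >/dev/null 2>&1); then
            printf '%s\n' "$n"; return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Self-contained demo on a constructed tree and a constructed diff whose paths
# mimic the trac changeset layout vtigercrm/branches/5.0.4/..., the prefix
# that -p3 strips (assumption based on the changeset URL in the thread).
demo() {
    tmp="$(mktemp -d)"; src="$tmp/salescrm"
    mkdir -p "$src/modules/Users"
    printf '<?php\n$list = getUsers();\necho $list;\n' > "$src/modules/Users/ListView.php"
    cat > "$tmp/patch.txt" <<'EOF'
--- vtigercrm/branches/5.0.4/modules/Users/ListView.php
+++ vtigercrm/branches/5.0.4/modules/Users/ListView.php
@@ -1,3 +1,3 @@
 <?php
-$list = getUsers();
+$list = getUsers($current_user);
 echo $list;
EOF
    backup_install "$src" >/dev/null || return 1
    level="$(find_strip_level "$src" "$tmp/patch.txt")" || return 1
    rm -rf "$tmp"
    printf '%s\n' "$level"   # prints 3 for the constructed layout
}
```

Once the dry run passes at the reported level, the real run is the same command without --dry-run; if a hunk still fails, the local file differs from the 5.0.4 baseline (local customization) and needs a manual merge rather than a blind overwrite.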
