[Vtigercrm-developers] vTiger multiple vulnerabilities

Gopal gopals at vtiger.com
Wed Aug 23 21:17:15 PDT 2006


I fully agree with Mike. It is better to release 4.2.5 than 4.2.4.1.

Thanks,
Gopal
---
S.S.G.Gopal
skype: sripadag
ph: +1 877 788 4437
blog: http://gopal.vtiger.com




---- On Wed, 23 Aug 2006 Allan Bush <allan.bush+vtiger_dev at gmail.com> wrote ---- 

Mike is correct.

If a security patch is created it should be released as 4.2.5 (or
maybe 4.2.4.1 although I think Jeff wants to save that for packaging
changes) and the planned 4.2.5 release should be pushed to 4.2.6
although there are enough new features in there to justify calling it
4.3.

On 8/23/06, Mike Fedyk <mfedyk at mikefedyk.com> wrote:
> I don't know if there is a branch for 4.2.5 yet, but if there are
> security issues in 4.2.4 then 4.2.5 should only contain security fixes.
> 4.2.6 can be based off of 4.2-trunk.
>
> Brett Hooker wrote:
> > Business users will need a patch as they have to weigh up testing and
> > learning the latest features, versus fixing a security hole right now.
> > Inclusion in the trunk is assumed.
> >
> > Mike Fedyk wrote:
> >>
> >> If there are any patches published, they should go into the 4.2.5
> >> release. No more "patch" releases. That is what point releases are for.
> >>
> >> ------------------------------------------------------------------------
> >>
> >> *From:* vtigercrm-developers-bounces at lists.vtigercrm.com
> >> [mailto:vtigercrm-developers-bounces at lists.vtigercrm.com] *On Behalf
> >> Of *Gopal
> >> *Sent:* Tuesday, August 22, 2006 9:23 PM
> >> *To:* vtigercrm-developers at lists.vtigercrm.com
> >> *Subject:* Re: [Vtigercrm-developers] vTiger multiple vulnerabilities
> >>
> >> Dear Mike O'Loan,
> >>
> >> Thanks for notifying issues in some of the modules. We will ensure
> >> that these issues are fixed immediately. If required we will release
> >> a patch for v4.2.3 immediately.
> >>
> >> Regards,
> >> Gopal
> >> ---
> >> S.S.G.Gopal
> >> skype: sripadag
> >> ph: +1 877 788 4437
> >> blog: http://gopal.vtiger.com
> >>
> >>
> >>
> >>
> >> ---- On Tue, 22 Aug 2006 *Mike O'Loan <mike.oloan at saucesoft.com>*
> >> wrote ----
> >>
> >> The following files still have the same SQL injection vulnerability,
> >> carried over from vTiger 4.2.3. Although these aren't a problem with
> >> magic_quotes_gpc turned ON, it still needs to be fixed. It has been
> >> fixed in other modules by putting the PearDatabase::quote() function
> >> around any variable that needs to be placed in an SQL statement.
> >>
> >> Affected files:
> >> modules\Faq\ListView.php
> >> modules\HelpDesk\ListView.php
> >> modules\Invoice\Popup.php
> >> modules\Leads\ListView.php
> >> modules\Leads\Popup.php
> >> modules\Products\Popup.php
> >>
> >> Implementing this would reduce the SQL injection vulnerability for
> >> vTiger 4.2.x.
> >>
> >> --
> >> Mike O'Loan
> >> Chief Technical Officer
> >> Sauce Software Pty Ltd
> >>
> >>
> >> http://saucesoft.com
> >> Phone: +61 1300 559 165
> >> Fax: +61 7 3009 0442
> >> Email: mike.oloan at saucesoft.com <mailto:mike.oloan at saucesoft.com>
> >> _______________________________________________
> >> Get started with creating presentations online - http://zohoshow.com?vt
> >>
> >> ------------------------------------------------------------------------
> >>
> >> _______________________________________________
> >> Get started with creating presentations online - http://zohoshow.com?vt
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Get started with creating presentations online - http://zohoshow.com?vt
> _______________________________________________
> Get started with creating presentations online - http://zohoshow.com?vt
>
_______________________________________________
Get started with creating presentations online - http://zohoshow.com?vt
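The pattern Mike O'Loan reports above, and the quote() fix he describes, as an added example that is not code from the thread or from vtiger. PearDatabaseStandIn is a constructed stand-in whose quote() escapes the value and wraps it in single quotes, which is the behaviour the thread attributes to PearDatabase::quote(); vtiger's real class, the table and column names, and the request value are all assumptions made for the illustration.

```php
<?php
// Added example, not vtiger's own code. It contrasts placing a request
// value straight into SQL text (the pattern the report describes) with
// passing it through a quote() function first. PearDatabaseStandIn is a
// constructed stand-in for vtiger's PearDatabase; only the idea of
// quote() (escape, then wrap in single quotes) is taken from the thread.

class PearDatabaseStandIn
{
    // Escape the characters that can end or alter a MySQL string literal,
    // then wrap the result in single quotes so the SQL parser always sees
    // exactly one string literal, whatever the value contains.
    public function quote(string $value): string
    {
        $escaped = str_replace(
            ["\\", "'", "\"", "\0", "\n", "\r", "\x1a"],
            ["\\\\", "\\'", "\\\"", "\\0", "\\n", "\\r", "\\Z"],
            $value
        );
        return "'" . $escaped . "'";
    }
}

// The pattern the report describes: the quotes are written by hand around
// the variable, so a value that itself contains a quote ends the literal
// early and the rest of the value is parsed as SQL.
function buildLeadQueryUnsafe(string $leadSource): string
{
    return "SELECT leadid, lastname FROM vtiger_leads"
         . " WHERE deleted = 0 AND leadsource = '$leadSource'";
}

// The fix the report describes: every variable that lands in the SQL text
// goes through quote(), which supplies the surrounding quotes itself.
function buildLeadQuerySafe(PearDatabaseStandIn $db, string $leadSource): string
{
    return "SELECT leadid, lastname FROM vtiger_leads"
         . " WHERE deleted = 0 AND leadsource = " . $db->quote($leadSource);
}

// Count the unescaped single quotes in a statement. A query that embeds one
// string literal has exactly two; any other count means a value broke out
// of its literal. This is a check a unit test can run over generated SQL.
function countUnescapedQuotes(string $sql): int
{
    return preg_match_all("/(?<!\\\\)'/", $sql);
}

$db = new PearDatabaseStandIn();
// Constructed input: an ordinary value that happens to contain an apostrophe.
$input = "O'Brien";

$unsafe = buildLeadQueryUnsafe($input);
$safe   = buildLeadQuerySafe($db, $input);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

if (countUnescapedQuotes($unsafe) === 2) {
    throw new RuntimeException("unsafe query unexpectedly kept the literal intact");
}
if (countUnescapedQuotes($safe) !== 2) {
    throw new RuntimeException("quote() did not produce a single string literal");
}
echo "quote() kept the value inside one literal\n";
```

The example uses a harmless value with an apostrophe rather than an attack string: the same literal-boundary break that turns "O'Brien" into a parse error is what an injected input exploits, and the quote() wrapper closes both. One caveat from PHP of that era: with magic_quotes_gpc turned on, request values arrive already backslash-escaped, so code that later calls quote() on them must first strip that escaping (stripslashes) or the value is stored double-escaped; relying on magic_quotes_gpc instead of quoting, as the report notes, only works while that setting is on.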

