[Vtigercrm-developers] Security Advisories

Richie richie at vtiger.com
Mon Oct 16 20:51:43 PDT 2006


Dear Allan,
We meet again!
But, I do agree this is not a healthy way of development. We will have a
relook at the approach. The reason we are asking to move over to vtiger5
is simply because vtiger5 is much more stable than before.
But again, I do concede that simply because we have released vtiger5
does not mandate all the users to move to vtiger5 and we cannot leave
vtiger-4.x as a lame duck.

I will have a relook.

Allan, kindly understand this - 'it is we' that matters, not the
vtiger-core team alone.
You are part of the team. As a team member, you have every right to
point out the flaws that are happening. Could it not be put in a better
manner is what I ask?

Again, thanks for bringing this to light regardless of how you achieve 
it ;-)

Richie


Allan Bush wrote:
> I love how the vtiger developers like to hand things off to "the team".
>
> The vtiger developers have long since abandoned supporting 4.2.x.  I
> seem to have become the 4.2 project manager (by being pretty much the
> only developer).  Here's my take on vtiger security (in both 4.2 and
> 5.0), it's not kind so I've refrained from stating my views earlier
> for fear of insulting someone, but here goes:
>
> VtigerCRM is insecure.  There may be 3 insecurities listed on secunia,
> but I bet I could exploit it in a hundred different ways, given a
> proper login.
>
> It's an unfortunate situation, but it would take a lot more work than I
> can give to fix the issues.  I'm content as long as you can't
> exploit the program without logging in.  If anyone is willing to take
> up this project and provide the required fixes, I'll be more than
> happy to lend a hand and make sure that the required changes are
> merged into the next 4.2 release, but I don't have the time to do this
> entire project myself.
>
>
> On 10/15/06, Gopal <gopals at vtiger.com> wrote:
>   
>>  Dear Team,
>>
>>  Please have a look at another security advisory for version 4.2.
>>
>> http://securitydot.net/xpl/exploits/vulnerabilities/articles/1639/exploit.html
>>
>>  As of now, solution offered by advisory is to migrate product to the
>> version 5.
>>
>>  Thanks,
>>  Gopal
>>
>>  Philip wrote:
>>
>>  Hi Kim,
>>
>>  I have posted this as a ticket in trac, kindly refer the
>> url for status
>> http://secunia.com/advisories/21728/ ,
>>  I'll be fixing this on vtigerCRM 5 GA only.
>>
>>  Can anybody volunteer for vtigerCRM 4.2.x, if it has not
>> been fixed on that?
>>
>>  Philip
>>
>>
>>  ---- On Thu, 07 Sep 2006 Kim Haverblad <kim at haverblad.se>
>> wrote ----
>>
>>  Well, I posted the advisory info within this list
>> the same day (060904)
>>  it was issued by Secunia and so far no response
>> from anyone on the list.
>>
>>  /Kim
>>
>>  Ken Lyle wrote:
>>  > Another Secunia advisory has popped up:
>>  > http://secunia.com/advisories/21728/
>>  >
>>  > Who is managing and addressing these?
>>  >
>>  > Ken
>>  >
>>  > 484-948-5706
>>  > 866-OUT OF BOX
>>  > (866-688-6326)
>>  >