[Vtigercrm-developers] vtiger CRM 5.4.0 - Security Patch Released in Live
Adam Heinz
amh at metricwise.net
Tue Mar 26 14:46:22 GMT 2013
This isn't a patch, this is a zip file. Unrolling the zip over top of a
pristine vtiger 5.4.0 and moving some files around (ConfigEditor,
MailManager and Tooltip modules) reveals that this zip appears to be the
most recent two changesets from vtigercrm/branches/5.4.0 [1]. If you
download the unified diff [2] from Trac and make some replacements, you
should be able to patch [3] an installation. YMMV; I had several patch
errors due to modifications in our fork.
[1] http://trac.vtiger.com/cgi-bin/trac.cgi/changeset?reponame=&new=13857%40vtigercrm%2Fbranches%2F5.4.0&old=13833%40vtigercrm%2Fbranches%2F5.4.0
[2] http://trac.vtiger.com/cgi-bin/trac.cgi/changeset?format=diff&new=13857&old=13833&new_path=%2Fvtigercrm%2Fbranches%2F5.4.0&old_path=%2Fvtigercrm%2Fbranches%2F5.4.0
[3] cat vtiger.patch | sed -f vtiger.sed | patch -p3
On Tue, Mar 26, 2013 at 3:41 AM, Appu <apparao at vtiger.com> wrote:
> Hi All,
>
> We released a security patch for 5.4.0 that fixes the following security
> issues.
>
> - Local File Inclusion
> - Local File Deletion
> - SQL Injection
> - PHP Code Injection
> - Cross site scripting
> - Arbitrary File Upload
> - Authentication Bypass vulnerabilities (SOAP APIs)
>
> We would like to thank *Nick Freeman* from security-assessment.com and
> *Egidio* for reporting these vulnerabilities.
>
> *Download Links* :
>
> https://www.vtiger.com/crm/open-source-downloads/ or
>
>
> http://sourceforge.net/projects/vtigercrm/files/vtiger%20CRM%205.4.0/Core%20Product/VtigerCRM540_Security_Patch.zip
>
>
> *Note:* We recommend taking a backup of your source directory before you
> unpack the patch in the source directory.
>
> Thanks,
> Apparao G
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vtiger.sed
Type: application/octet-stream
Size: 249 bytes
Desc: not available
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20130326/5af797fa/attachment.obj>
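
A pre-flight version of the `sed | patch -p3` pipeline in footnote [3], as an added example (not code from the message or from vtiger): it dry-runs the rewritten diff and modifies the tree only if every hunk applies, which covers the patch errors a modified fork runs into. `rewrite.sed`, the `modules/Old` to `modules/New` mapping and the sample diff are constructed placeholders; the contents of the scrubbed `vtiger.sed` are not on this page.

```shell
# Added example. rewrite.sed stands in for the scrubbed vtiger.sed, and the
# modules/Old -> modules/New mapping and sample diff are constructed.

# apply_checked TREE DIFF SEDSCRIPT
# Patches TREE and returns 0 only if every hunk applies cleanly; otherwise
# returns 1 with TREE untouched (no partial apply, no .rej/.orig files).
apply_checked() {
    ac_tree=$1
    ac_tmp=$(mktemp) || return 2
    # Same path rewrite as the one-liner in the message, saved to a file so
    # the dry run and the real run read identical input.
    sed -f "$3" "$2" > "$ac_tmp"
    ac_rc=1
    # -p3 strips the leading vtigercrm/branches/5.4.0/ components;
    # --dry-run writes nothing; -f stops patch from prompting.
    if (cd "$ac_tree" && patch -p3 -f --dry-run < "$ac_tmp" > /dev/null 2>&1); then
        (cd "$ac_tree" && patch -p3 -f < "$ac_tmp" > /dev/null) && ac_rc=0
    fi
    rm -f "$ac_tmp"
    return "$ac_rc"
}

# make_demo DIR: build a constructed tree, sed script and Trac-style diff.
make_demo() {
    mkdir -p "$1/tree/modules/New"
    printf 'one\ntwo\nthree\n' > "$1/tree/modules/New/a.php"
    printf 's#modules/Old/#modules/New/#\n' > "$1/rewrite.sed"
    cat > "$1/fix.diff" <<'EOF'
--- vtigercrm/branches/5.4.0/modules/Old/a.php
+++ vtigercrm/branches/5.4.0/modules/Old/a.php
@@ -1,3 +1,3 @@
 one
-two
+TWO
 three
EOF
}

demo=$(mktemp -d) && make_demo "$demo" &&
    apply_checked "$demo/tree" "$demo/fix.diff" "$demo/rewrite.sed" &&
    echo "applied cleanly"
rm -rf "$demo"
```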