[Vtigercrm-developers] Vtiger 7.1 Release Schedule

Stefan Warnat ich at stefanwarnat.de
Thu Jan 4 13:53:44 GMT 2018


Hi Vtiger Team,

Please merge this request into VT 7.1:
http://code.vtiger.com/vtiger/vtigercrm/merge_requests/278

In my eyes it is a major problem, because it looks like something overwrites
random data when the admin doesn't see the relation to UserIDs.
The problem can be reproduced by simply editing a User and checking
vtiger_crmentity.label of the crmid = UserID.

*@Blazej:* I would be happy to read your case studies to fix the most
important security bugs in vtiger.

Regards,

Stefan




----
*Freelancer at Webdevelopment*

Web: http://www.stefanwarnat.de
Xing: https://www.xing.com/profile/Stefan_Warnat2
LinkedIn: http://www.linkedin.com/pub/stefan-warnat/6/827/820
eMail: kontakt at stefanwarnat.de
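An added check (not part of the thread) for the overlap described above: it assumes the stock Vtiger tables vtiger_crmentity (crmid, setype, label, deleted) and vtiger_users (id, user_name), lists the CRM records whose crmid equals a user id, and snapshots their labels so an admin can compare them before and after editing a user.

```sql
-- Added example, not from the thread. Assumes the stock Vtiger schema:
-- vtiger_crmentity(crmid, setype, label, deleted) and vtiger_users(id, user_name).

-- 1. CRM records whose crmid coincides with a user id: these are the rows
--    whose label a User edit would touch if ids are mixed up.
SELECT c.crmid, c.setype, c.label, u.id AS user_id, u.user_name
FROM vtiger_crmentity c
JOIN vtiger_users u ON u.id = c.crmid
WHERE c.deleted = 0
ORDER BY c.crmid;

-- 2. Snapshot those labels in this session (temporary table, constructed here),
--    then edit a user through the UI in another session.
CREATE TEMPORARY TABLE label_snapshot AS
SELECT c.crmid, c.setype, c.label
FROM vtiger_crmentity c
JOIN vtiger_users u ON u.id = c.crmid;

-- 3. Back in the same session: records whose label changed although the
--    record itself was never edited. Any row here confirms the overwrite.
--    (<=> is MySQL's null-safe equality, so NULL labels are compared too.)
SELECT s.crmid, s.setype, s.label AS label_before, c.label AS label_after
FROM label_snapshot s
JOIN vtiger_crmentity c ON c.crmid = s.crmid
WHERE NOT (c.label <=> s.label);
```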


On Fri, Dec 29, 2017 at 8:48 PM, Błażej Pabiszczak <
b.pabiszczak at yetiforce.com> wrote:

> Vtiger Team,
>
> I'm following your project all the time, but as you can see, I have not
> taken part in threads for many months and it's probably one of my last
> posts here. On the one hand, I'm very happy that Vtiger is developing so
> slowly, on the other hand, I know that it will also more or less affect our
> project.
>
> From the technical perspective, there is less and less Vtiger in our fork
> and probably over the years, everything will be gradually disappearing from
> YetiForce, so there will be nothing to discuss. Certainly, what you have
> done from the visual perspective gives an awesome effect, so
> congratulations! However, everything else [especially the majority of the
> PHP code] is low quality and you have to do something about it. As far as I
> understand, most of the standards related to the code quality and its
> performance are of no importance to you [because you develop a product only
> for small companies] but you really have to do something about security! It
> will become even more important because from May 2018 all Europe will have
> a new GDPR regulation, where security is a crucial element, so low security
> level will expose companies that use this solution, e.g: large fines will
> be charged.
>
> The problem with security in VtigerCRM [but also in many of its forks,
> e.g. VTE CRM, coreBOS, JoForce] is that this system is not well secured in
> any way, I mean the following actions:
>
>    - loading files
>    - loading pictures
>    - verification of privileges for actions
>    - verification of privileges for records
>    - data injection [XSS, SQL Injection]
>    - a possibility to increase privileges
>    - CRM's server suspension [does not require login]
>    - etc
>
> If it were isolated cases, we wouldn't have a problem because every
> application contains some security vulnerabilities, however, what is in the
> engine of each of the above-mentioned systems tells us that none of these
> companies has ever undergone any professional security audit and
> developers' proficiency inside these companies is insufficient. I can
> understand it in the case of coreBOS and JoForce, because they are
> companies with 1-2 developers for the whole project, but as far as I
> remember, you have dozens of them and several thousand customers for
> On-Demand versions. We have been improving security in YetiForce for two
> years and we can see how much has already been done, but also how much
> still needs to be done. After each detected vulnerability we verified
> whether it exists in other systems and it turns out that 95% of found and
> fixed errors are still present in other forks.
>
> Starting from mid-January, we will be publishing a case study about found
> errors [currently we have over 100 for Vtiger, but in coreBOS and JoForce
> there are many more]. In addition, all modules we tested for Vtiger have
> numerous security vulnerabilities and we will also describe this problem.
> Some errors that we found require rewriting of entire mechanisms, which
> sometimes takes a few days, so it would be worth for you to spend more time
> and effort on security in 2018 - it will pay off in the following years.
> With your current level of commitment in the project, it may turn out that
> you will be fixing some errors for months, which is why I hope that this
> time you will approach the problem professionally and designate 1-2 of your best
> PHP developers who will be fixing security bugs on a regular basis.
>
> However, the most important thing for you should be to find a company that
> really specializes in security audits and perform an audit of the entire
> application! Without it, you will only create semblances of security, as at
> present. Such audits should be carried out on a regular basis, preferably
> before the release of each new version.
>
> PS. Happy New Year!
> ---
>
> Best regards / Regards
> *Błażej Pabiszczak*
> M: +48.884999123
> E: b.pabiszczak at yetiforce.com
>
>
> On 2017-12-28 20:40, Satish Dvnk wrote:
>
> Yes, Simone. We have pushed all the changes of the mobile app / web mobile into
> branch 7.1; please confirm, as we have fixed most (major) issues in the app / web
> mobile.
>
> On 28-Dec-2017 9:28 PM, "Simone Travaglini" <simonetravaglini at gmail.com>
> wrote:
>
>> Hi Satish,
>> thanks for the update. It's good news!
>> What about the mobile module? We see you are working on it, but there are still bugs...
>> Do you think you will release a stable version with VT 7.1?
>>
>>
>> 2017-12-28 16:31 GMT+01:00 Satish Dvnk <satish.dvnk at vtiger.com>:
>>
>>> Hi All,
>>>
>>> We are happy to announce that we are going to release the Vtiger
>>> community edition version 7.1 in January. We appreciate your
>>> valuable contributions and validation towards this release.
>>>
>>> Following is the expected release schedule for V7.1.
>>>
>>>    - *RCA* - 1st week of Jan
>>>    - *GA* - 4th week of Jan
>>>
>>>
>>>
>>> FYI *V7.1 Features and fixes:*
>>> *Features:*
>>>
>>>    1. *Follow A Record* (Click on the *Star* icon to follow a record. By
>>>    following any record, you get updates on it as other users of your
>>>    organization modify the record. These updates are sent to you via
>>>    email. Deselect the *Star* icon to unfollow the record.)
>>>    2. *Duplicate Record Prevention* (Prevent duplicate records in
>>>    Vtiger from all sources by enabling the duplicate check)
>>>    3. *Webform Attachments* (Allow users to attach files to web forms)
>>>    4. *Import Users Using .CSV file* (Supports importing User data
>>>    using a .csv file)
>>>    5. Supporting *MySQL v5.7*
>>>    6. *Customize module* icons
>>>
>>> *Other fixes:*
>>>
>>>    - Product Issues
>>>    <http://code.vtiger.com/vtiger/vtigercrm/compare/master...7.1.0>
>>>    - Usability Issues
>>>    - etc.
>>>
>>>
>>>
>>> *regards, Satish.Dvnk*
>>>
>>> _______________________________________________
>>> http://www.vtiger.com/
>>
>>
>>
>>
>> --
>> Simone Travaglini
>> 328 5499846
>> Linkedin: Simone Travaglini
>>
>>
>> Respect the environment: don't print this email unless you really
>> need to!
>>
>
>
>
>
>