[Vtigercrm-developers] Vtiger 7.1 Release Schedule

Ranieri rslemer at gmail.com
Thu Jan 4 15:12:39 GMT 2018


Hi *@Blazej*

I will be happy if you can share your study about coreBOS with me.

Thanks!

2018-01-04 11:53 GMT-02:00 Stefan Warnat <ich at stefanwarnat.de>:

> Hi Vtiger Team,
>
> Please merge this request into VT 7.1: http://code.vtiger.com/vtiger/vtigercrm/merge_requests/278
>
> In my eyes it is a major problem, because it looks like something
> overwrites random data when the admin doesn't see the relation to UserIDs.
> The problem can be reproduced by simply editing a User and checking
> vtiger_crmentity.label of the crmid = UserID.
>
> *@Blazej:* I would be happy to read your case studies to fix the most
> important security bugs in vtiger.
>
> Regards,
>
> Stefan
>
>
>
>
> ----
> *Freelancer at Webdevelopment*
>
> Web: http://www.stefanwarnat.de
> Xing: https://www.xing.com/profile/Stefan_Warnat2
> LinkedIn: http://www.linkedin.com/pub/stefan-warnat/6/827/820
> eMail: kontakt at stefanwarnat.de
>
>
> On Fri, Dec 29, 2017 at 8:48 PM, Błażej Pabiszczak <
> b.pabiszczak at yetiforce.com> wrote:
>
>> Vtiger Team,
>>
>> I'm following your project all the time, but as you can see, I have not
>> taken part in threads for many months and this is probably one of my last
>> posts here. On the one hand, I'm very happy that Vtiger is developing so
>> slowly; on the other hand, I know that it will also more or less affect our
>> project.
>>
>> From the technical perspective, there is less and less Vtiger in our fork,
>> and probably over the years everything will gradually disappear from
>> YetiForce, so there will be nothing to discuss. Certainly, what you have
>> done from the visual perspective gives an awesome effect, so
>> congratulations! However, everything else [especially the majority of the
>> PHP code] is low quality and you have to do something about it. As far as I
>> understand, most of the standards related to code quality and performance
>> are of no importance to you [because you develop a product only for small
>> companies], but you really have to do something about security! It will
>> become even more important because from May 2018 all of Europe will have
>> the new GDPR regulation, where security is a crucial element, so a low
>> security level will expose companies that use this solution, e.g. large
>> fines will be charged.
>>
>> The problem with security in VtigerCRM [but also in many of its forks,
>> e.g. VTE CRM, coreBOS, JoForce] is that this system is not well secured in
>> any way; I mean the following actions:
>>
>>    - loading files
>>    - loading pictures
>>    - verification of privileges for actions
>>    - verification of privileges for records
>>    - data injection [XSS, SQL Injection]
>>    - a possibility to increase privileges
>>    - CRM's server suspension [does not require login]
>>    - etc
>>
>> If these were isolated cases, we wouldn't have a problem, because every
>> application contains some security vulnerabilities; however, what is in the
>> engine of each of the above-mentioned systems tells us that none of these
>> companies has ever undergone a professional security audit and the
>> developers' proficiency inside these companies is insufficient. I can
>> understand it in the case of coreBOS and JoForce, because they are
>> companies with 1-2 developers for the whole project, but as far as I
>> remember, you have dozens of them and several thousand customers for the
>> On-Demand version. We have been improving security in YetiForce for two
>> years and we can see how much has already been done, but also how much
>> still needs to be done. After each detected vulnerability we verified
>> whether it exists in other systems, and it turns out that 95% of the found
>> and fixed errors are still present in other forks.
>>
>> Starting from mid-January, we will be publishing a case study about the
>> errors found [currently we have over 100 for Vtiger, but in coreBOS and
>> JoForce there are many more]. In addition, all the modules we tested for
>> Vtiger have numerous security vulnerabilities, and we will also describe
>> this problem. Some errors that we found require rewriting entire
>> mechanisms, which sometimes takes a few days, so it would be worth it for
>> you to spend more time and effort on security in 2018; it will pay off in
>> the following years. With your current level of commitment to the project,
>> it may turn out that you will be fixing some errors for months, which is
>> why I hope that this time you will approach the problem professionally and
>> designate your 1-2 best PHP developers to fix security bugs on a regular
>> basis.
>>
>> However, the most important thing for you should be to find a company
>> that really specializes in security audits and have the entire application
>> audited! Without it, you will only create a semblance of security, as at
>> present. Such audits should be carried out on a regular basis, preferably
>> before the release of each new version.
>>
>> PS. Happy New Year!
>> ---
>>
>> Yours sincerely / Regards
>> *Błażej Pabiszczak*
>> M: +48.884999123
>> E: b.pabiszczak at yetiforce.com
>>
>>
>> On 2017-12-28 20:40, Satish Dvnk wrote:
>>
>> Yes, Simone. We have pushed all the changes of the mobile app / web mobile
>> into branch 7.1; please confirm, as we fixed most (major) issues in the
>> app / web mobile.
>>
>> On 28-Dec-2017 9:28 PM, "Simone Travaglini" <simonetravaglini at gmail.com>
>> wrote:
>>
>>> Hi Satish,
>>> thanks for the update. It's good news!
>>> What about the mobile module? We see you are working on it, but there are
>>> still bugs... Do you think you will release a stable version with VT 7.1?
>>>
>>>
>>> 2017-12-28 16:31 GMT+01:00 Satish Dvnk <satish.dvnk at vtiger.com>:
>>>
>>>> Hi All,
>>>>
>>>> We are happy to announce that we are going to release Vtiger
>>>> community edition version 7.1 in January. We would like to thank you for
>>>> your valuable contributions and validation towards this release.
>>>>
>>>> Following is the expected release schedule for V7.1.
>>>>
>>>>    - *RCA* - 1st week of Jan
>>>>    - *GA* - 4th week of Jan
>>>>
>>>>
>>>>
>>>> FYI *V7.1 Features and fixes :*
>>>> *Features :*
>>>>
>>>>    1. *Follow A Record* (Click on the *Star* icon to follow a record. By
>>>>    following any record, you get updates on it as other users of your
>>>>    organization modify the record. These updates are sent to you via
>>>>    email. Deselect the *Star* icon to unfollow the record.)
>>>>    2. *Duplicate Record Prevention* (Prevent duplicate records in
>>>>    Vtiger from all sources by enabling the duplicate check)
>>>>    3. *Webform Attachments* (Allow users to attach files to web forms)
>>>>    4. *Import Users Using .CSV file* (Supports importing User data
>>>>    using a .csv file)
>>>>    5. Support for *MySQL v5.7*
>>>>    6. *Customize module icons*
>>>>
>>>> *Other fixes :*
>>>>
>>>>    - Product Issues
>>>>    <http://code.vtiger.com/vtiger/vtigercrm/compare/master...7.1.0>
>>>>    - Usability Issues
>>>>    - etc.
>>>>
>>>>
>>>>
>>>> *regards, Satish.Dvnk*
>>>>
>>>> _______________________________________________
>>>> http://www.vtiger.com/
>>>
>>>
>>>
>>>
>>> --
>>> Simone Travaglini
>>> 328 5499846
>>> Linkedin: Simone Travaglini
>>>
>>>
>>> Respect the environment: do not print this e-mail unless it is really
>>> necessary!
>>>
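The check Stefan describes (edit a User, then look at vtiger_crmentity.label for crmid = UserID) can be turned into a query that lists every place where a user id collides with a record id, so the overwrite is visible without guessing which record got hit. This is an added example, not code from the thread or from the vtiger project. It assumes the stock vtiger 7 schema, namely vtiger_users(id, user_name, first_name, last_name) and vtiger_crmentity(crmid, setype, label, deleted), that user ids and record ids come from separate sequences and therefore can overlap, and (for the second query only) that the label written for a user is first_name followed by last_name; all three are assumptions, not facts stated on the page.

```sql
-- Added example (not from the thread or from vtiger). Assumed schema:
--   vtiger_users(id, user_name, first_name, last_name)
--   vtiger_crmentity(crmid, setype, label, deleted)
-- Query 1: every record whose crmid equals some user id, with its current
-- label. Run it, save the output, edit a User in the UI, run it again: a
-- non-user record whose label changed to the edited user's name is the
-- overwrite described in the thread.
SELECT u.id      AS userid,
       u.user_name,
       e.crmid,
       e.setype,
       e.label,
       e.deleted
FROM   vtiger_users      u
JOIN   vtiger_crmentity  e ON e.crmid = u.id
ORDER  BY u.id;

-- Query 2: records that already carry a user-looking label (assumes the
-- label written for a user is first_name + ' ' + last_name, or user_name).
-- CONCAT_WS skips NULL name parts, so a user with no last name still matches.
SELECT e.crmid,
       e.setype,
       e.label,
       u.user_name
FROM   vtiger_crmentity  e
JOIN   vtiger_users      u ON u.id = e.crmid
WHERE  e.label = CONCAT_WS(' ', u.first_name, u.last_name)
   OR  e.label = u.user_name;
```

Read-only on both queries, so they are safe to run against a production copy; the second one is the quick post-incident sweep for rows that were already clobbered before anyone noticed.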