[Vtigercrm-developers] Vtiger 7.1 Release Schedule

Błażej Pabiszczak b.pabiszczak at yetiforce.com
Tue Jan 9 22:53:08 GMT 2018


@Ranieri, @Stefan 

Of course, we will describe the errors, forward them to the producer and
give them some time to fix them, and then we will publish them. In my
opinion, you won't be able to fix the majority of bugs by yourself
because a lot of them require major changes in the engine [e.g. one
error requires adding verification of permissions in almost 200 files].
Another error requires rewriting the entire mechanism of data cleansing
because it has been poorly designed and needs to be fixed in many
places. These changes can be carried out only by a very good developer
who needs to consult an architect about them, and additionally these
changes should be verified by the security department.

---
Yours sincerely / Regards

BŁAŻEJ PABISZCZAK 
M: +48.884999123
E: b.pabiszczak at yetiforce.com 

On 2018-01-04 16:12, Ranieri wrote:

> Hi @BLAZEJ
> 
> I would be happy if you could share your study about coreBOS with me.
> 
> Thanks!
> 
> 2018-01-04 11:53 GMT-02:00 Stefan Warnat <ich at stefanwarnat.de>:
> 
> Hi Vtiger Team,
> 
> Please merge this request into VT 7.1: http://code.vtiger.com/vtiger/vtigercrm/merge_requests/278 [1]
> 
> In my eyes it is a major problem, because it looks like something overwrites random data when the admin doesn't see the relation to UserIDs.
> The problem can be reproduced by simply editing a User and checking vtiger_crmentity.label for the crmid = UserID.
> 
> @BLAZEJ: I would be happy to read your case studies to fix the most important security bugs in vtiger.  
> 
> Regards, 
> 
> Stefan 
> 
> ----
> FREELANCER at WEBDEVELOPMENT
> 
> Web: http://www.stefanwarnat.de
> Xing: https://www.xing.com/profile/Stefan_Warnat2 [2]
> LinkedIn: http://www.linkedin.com/pub/stefan-warnat/6/827/820 [3]
> eMail: kontakt at stefanwarnat.de
> 
> On Fri, Dec 29, 2017 at 8:48 PM, Błażej Pabiszczak <b.pabiszczak at yetiforce.com> wrote:
> 
> Vtiger Team, 
> 
> I'm following your project all the time, but as you can see, I have not taken part in threads for many months and it's probably one of my last posts here. On the one hand, I'm very happy that Vtiger is developing so slowly, on the other hand, I know that it will also more or less affect our project.
> 
> From the technical perspective, there is less and less Vtiger in our fork and probably over the years, everything will be gradually disappearing from YetiForce, so there will be nothing to discuss. Certainly, what you have done from the visual perspective gives an awesome effect, so congratulations! However, everything else [especially the majority of the PHP code] is low quality and you have to do something about it. As far as I understand, most of the standards related to the code quality and its performance are of no importance to you [because you develop a product only for small companies], but you really have to do something about security! It will become even more important because from May 2018 all of Europe will have a new GDPR regulation, where security is a crucial element, so a low security level will expose companies that use this solution, e.g. large fines will be charged.
> 
> The problem with security in VtigerCRM [but also in many of its forks, e.g. VTE CRM, coreBOS, JoForce] is that this system is not well secured in any way, I mean the following actions: 
> 
> * loading files
> * loading pictures
> * verification of privileges for actions
> * verification of privileges for records
> * data injection [XSS, SQL Injection]
> * a possibility to increase privileges
> * CRM's server suspension [does not require login]
> * etc
> 
> If these were isolated cases, we wouldn't have a problem because every application contains some security vulnerabilities; however, what is in the engine of each of the above-mentioned systems tells us that none of these companies has ever undergone any professional security audit and developers' proficiency inside these companies is insufficient. I can understand it in the case of coreBOS and JoForce, because they are companies with 1-2 developers for the whole project, but as far as I remember, you have dozens of them and several thousand customers for On-Demand versions. We have been improving security in YetiForce for two years and we can see how much has already been done, but also how much still needs to be done. After each detected vulnerability we verified whether it exists in other systems and it turns out that 95% of found and fixed errors are still present in other forks.
> 
> Starting from mid-January, we will be publishing a case study about found errors [currently we have over 100 for Vtiger, but in coreBOS and JoForce there are many more]. In addition, all modules we tested for Vtiger have numerous security vulnerabilities and we will also describe this problem. Some errors that we found require rewriting of entire mechanisms, which sometimes takes a few days, so it would be worth it for you to spend more time and effort on security in 2018 - it will pay off in the following years. With your current level of commitment in the project, it may turn out that you will be fixing some errors for months, which is why I hope that this time you will approach the problem professionally and designate 1-2 of your best PHP developers who will be fixing security bugs on a regular basis.
> 
> However, the most important thing for you should be to find a company that really specializes in security audits and perform an audit of the entire application! Without it, you will only create semblances of security, as at present. Such audits should be carried out on a regular basis, preferably before the release of each new version. 
> 
> PS. Happy New Year!
> 
> ---
> Yours sincerely / Regards
> 
> BŁAŻEJ PABISZCZAK 
> M: +48.884999123 [4]
> E: b.pabiszczak at yetiforce.com 
> 
> On 2017-12-28 20:40, Satish Dvnk wrote:
> 
> Yes, Simone. We have pushed all the changes of the mobile app / web mobile into branch 7.1; please confirm for us, as we fixed most (major) issues in the app / web mobile.
> 
> On 28-Dec-2017 9:28 PM, "Simone Travaglini" <simonetravaglini at gmail.com> wrote:
> 
> Hi Satish,
> thanks for the update. It's good news!
> What about the mobile module? We see you are working on it, but there are still bugs... Do you think you will release a stable version with VT7.1?
> 
> 2017-12-28 16:31 GMT+01:00 Satish Dvnk <satish.dvnk at vtiger.com>:
> 
> Hi All, 
> 
> We are happy to announce that we are going to release the Vtiger community edition version 7.1 in January. We would like to appreciate your valuable contributions and validation towards this release. 
> 
> Following is the expected release schedule for V7.1.
> 
> * RCA - 1st week of Jan
> * GA - 4th week of Jan
> 
> FYI V7.1 FEATURES AND FIXES :
> 
> FEATURES : 
> 
> * FOLLOW A RECORD (Click on the STAR icon to follow a record. By following any record, you get updates on it as other users of your organization modify the record. These updates are sent to you via email. Deselect the STAR icon to unfollow the record.)
> * DUPLICATE RECORD PREVENTION (Prevent duplicate records in Vtiger from all sources by enabling the duplicate check)
> * WEBFORM ATTACHMENTS (Allow users to attach files to web forms)
> * IMPORT USERS USING .CSV FILE (Supports importing User data using .csv file)
> * Supporting MYSQL V5.7
> * CUSTOMIZE MODULES icons
> 
> OTHER FIXES : 
> 
> * Product Issues [5]
> * Usability Issues
> * etc.
> 
> regards,
> Satish.Dvnk 
> _______________________________________________
> http://www.vtiger.com/ 
> 
> -- 
> Simone Travaglini
> 328 5499846
> Linkedin: Simone Travaglini 
> 
> Respect the environment: don't print this email unless it is really necessary!


Links:
------
[1] http://code.vtiger.com/vtiger/vtigercrm/merge_requests/278
[2] https://www.xing.com/profile/Stefan_Warnat2
[3] http://www.linkedin.com/pub/stefan-warnat/6/827/820
[4] tel:+48%20884%20999%20123
[5] http://code.vtiger.com/vtiger/vtigercrm/compare/master...7.1.0