<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta content="text/html;charset=UTF-8" http-equiv="Content-Type"></head><body >I fully agree with Mike. It is better to release 4.2.5 than 4.2.4.1.<br><br>Thanks,<br>Gopal<br>---
<br>S.S.G.Gopal
<br>skype: sripadag
<br>ph: +1 877 788 4437
<br>blog: http://gopal.vtiger.com<br><br><br><br><br>---- On Wed, 23 Aug 2006 <b>Allan Bush &lt;allan.bush+vtiger_dev@gmail.com&gt;</b> wrote ---- <br><br><blockquote style="border-left: 1px solid rgb(160, 154, 255); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div>
Mike is correct.<br><br>If a security patch is created it should be released as 4.2.5 (or<br>maybe 4.2.4.1 although I think Jeff wants to save that for packaging<br>changes) and the planned 4.2.5 release should be pushed to 4.2.6<br>although there are enough new features in there to justify calling it<br>4.3.<br><br>On 8/23/06, Mike Fedyk &lt;mfedyk@mikefedyk.com&gt; wrote:<br>> I don't know if there is a branch for 4.2.5 yet, but if there are<br>> security issues in 4.2.4 then 4.2.5 should only contain security fixes.<br>> 4.2.6 can be based off of 4.2-trunk.<br>><br>> Brett Hooker wrote:<br>> > Business users will need a patch as they have to weigh up testing and<br>> > learning the latest features, versus fixing a security hole right now.<br>> > Inclusion in the trunk is assumed.<br>> ><br>> > Mike Fedyk wrote:<br>> >><br>> >> If there are any patches published, they should go into the 4.2.5<br>> >> release. No more "patch" releases. That is what point releases are for.<br>> >><br>> >> ------------------------------------------------------------------------<br>> >><br>> >> *From:* vtigercrm-developers-bounces@lists.vtigercrm.com<br>> >> [mailto:vtigercrm-developers-bounces@lists.vtigercrm.com] *On Behalf<br>> >> Of *Gopal<br>> >> *Sent:* Tuesday, August 22, 2006 9:23 PM<br>> >> *To:* vtigercrm-developers@lists.vtigercrm.com<br>> >> *Subject:* Re: [Vtigercrm-developers] vTiger multiple vulnerabilities<br>> >><br>> >> Dear Mike O'Loan,<br>> >><br>> >> Thanks for notifying us of issues in some of the modules. We will ensure<br>> >> that these issues are fixed immediately. 
If required we will release<br>> >> a patch for v4.2.3 immediately.<br>> >><br>> >> Regards,<br>> >> Gopal<br>> >> ---<br>> >> S.S.G.Gopal<br>> >> skype: sripadag<br>> >> ph: +1 877 788 4437<br>> >> blog: <a href="http://gopal.vtiger.com">http://gopal.vtiger.com</a><br>> >><br>> >><br>> >><br>> >><br>> >> ---- On Tue, 22 Aug 2006 *Mike O'Loan &lt;mike.oloan@saucesoft.com&gt;*<br>> >> wrote ----<br>> >><br>> >> The following files still have the same SQL injection vulnerability,<br>> >> carried over from vTiger 4.2.3. Although these aren't a problem with<br>> >> magic_quotes_gpc turned ON, they still need to be fixed. It has been<br>> >> fixed in other modules by putting the PearDatabase::quote() function<br>> >> around any variable that needs to be placed in an SQL statement.<br>> >><br>> >> Affected files:<br>> >> modules\Faq\ListView.php<br>> >> modules\HelpDesk\ListView.php<br>> >> modules\Invoice\Popup.php<br>> >> modules\Leads\ListView.php<br>> >> modules\Leads\Popup.php<br>> >> modules\Products\Popup.php<br>> >><br>> >> Implementing this would reduce the SQL injection vulnerability for<br>> >> vTiger 4.2.x<br>> >><br>> >> --<br>> >> Mike O'Loan<br>> >> Chief Technical Officer<br>> >> Sauce Software Pty Ltd<br>> >><br>> >><br>> >> <a href="http://saucesoft.com">http://saucesoft.com</a><br>> >> Phone: +61 1300 559 165<br>> >> Fax: +61 7 3009 0442<br>> >> Email: mike.oloan@saucesoft.com &lt;mailto:mike.oloan@saucesoft.com&gt;<br>> >> _______________________________________________<br>> >> Get started with creating presentations online - <a href="http://zohoshow.com?vt">http://zohoshow.com?vt</a><br>> >><br>> >> ------------------------------------------------------------------------<br>> >><br>> > ------------------------------------------------------------------------<br>> ><br>> > 
</div>
</blockquote></body></html>
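<p>The following is an added example written for this archive page; it is not code from vTiger or from any participant in the thread above. It models the pattern Mike O'Loan describes in the ListView/Popup pages (a request parameter concatenated straight into a SQL string) and the fix he says other modules received (wrapping the value in a quoting function). The <code>quote()</code> function here is a stand-in for <code>PearDatabase::quote()</code>: it reproduces only the purpose (return the value as an escaped, single-quoted SQL string literal), not vTiger's real implementation. Table and column names and the request values are illustrative, not taken from vTiger's schema or from captured traffic. The example also shows the caveat a practitioner would want: <code>magic_quotes_gpc</code> only masks the variant where the value lands inside a quoted string; an unquoted numeric parameter stays injectable until it is wrapped.</p>

```php
<?php
// Added example, not vTiger code. quote() stands in for PearDatabase::quote()
// (purpose reproduced, implementation assumed). Schema names are illustrative.

function quote($value) {
    // Escape backslash, NUL, newline, CR, both quote characters and Ctrl-Z,
    // backslash first so later replacements are not re-escaped, then wrap the
    // result in single quotes so the value can only ever be one string literal.
    $escaped = str_replace(
        array("\\",   "\0",  "\n",  "\r",  "'",   '"',   "\x1a"),
        array("\\\\", "\\0", "\\n", "\\r", "\\'", '\\"', "\\Z"),
        (string) $value
    );
    return "'" . $escaped . "'";
}

// Simulates magic_quotes_gpc=On: PHP ran addslashes() over every
// GET/POST/COOKIE value before the script saw it.
function applyMagicQuotes(array $request) {
    return array_map('addslashes', $request);
}

// Pattern 1: the value lands inside a quoted LIKE '%...%' clause.
function vulnerableSearch(array $request) {
    return "SELECT leadid, lastname FROM leads WHERE lastname LIKE '%"
         . $request['search_text'] . "%'";
}
function hardenedSearch(array $request) {
    // Wrap the whole pattern, wildcards included, in one quoted literal.
    return "SELECT leadid, lastname FROM leads WHERE lastname LIKE "
         . quote('%' . $request['search_text'] . '%');
}

// Pattern 2: the value lands in a numeric comparison with no quotes around it.
// magic_quotes_gpc does nothing here because the payload needs no quote char.
function vulnerableRecord(array $request) {
    return "SELECT * FROM leads WHERE leadid = " . $request['record'];
}
function hardenedRecord(array $request) {
    // quote() forces the value into a string literal; MySQL then compares it
    // as a number instead of parsing the payload as SQL.
    return "SELECT * FROM leads WHERE leadid = " . quote($request['record']);
}

// Constructed inputs for the demonstration, not captured traffic.
$raw = array(
    'search_text' => "x%' OR '1'='1",
    'record'      => "0 OR 1=1",
);

echo "magic_quotes OFF, vulnerable search:\n  ", vulnerableSearch($raw), "\n";
echo "magic_quotes ON,  vulnerable search (masked):\n  ",
     vulnerableSearch(applyMagicQuotes($raw)), "\n";
echo "hardened search (magic_quotes OFF):\n  ", hardenedSearch($raw), "\n";
echo "magic_quotes ON,  vulnerable record (still injectable):\n  ",
     vulnerableRecord(applyMagicQuotes($raw)), "\n";
echo "hardened record:\n  ", hardenedRecord($raw), "\n";
```

<p>Two points to keep in mind when applying the wrap-in-quote() fix across the listed files: an integer identifier such as a record id is better handled with an <code>(int)</code> cast than with a string literal, since that rejects the payload outright rather than relying on the database to coerce it; and on a server where <code>magic_quotes_gpc</code> is on, request values have already been passed through <code>addslashes()</code>, so quoting them again double-escapes every quote and backslash unless the slashes are stripped first. The quoting approach is what the thread describes for 4.2.x; parameterised queries remove the problem entirely where the database layer supports them.</p>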