I would like to take this opportunity, to thank all of our security advisories to share their reports<br>and making the follow up which helped us getting many of the security issues closed.<br><br>@Carlo: <br>Thank you for expressing your satisfaction on 5.1.0 and backing up support for team.<br>
<br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
I'm not able to locate that patch from <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://vtiger.com/" target="_blank">vtiger.com</a> downloads page anymore<br></blockquote><br>We have move the download links for 5.0.4 and earlier to our Archive Page:<br>
<a href="http://www.vtiger.com/index.php?option=com_content&task=view&id=68&Itemid=57">http://www.vtiger.com/index.php?option=com_content&task=view&id=68&Itemid=57</a><br><br>The downloads are available on sourceforge under: <a href="http://sourceforge.net/projects/vtigercrm/files/vtiger%2520CRM%2520Release%2520Archive/">vtiger CRM Release Archive</a> section.<br>
<br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
My point: I think you/we should put security as a priority, even if (paradoxally) it was only for marketing reasons !</blockquote><div><br>Impact due to bug-fix also in prioritizing the issue or when rolling in changes while addressing it, this is required because<br>
we will need to take care of existing installations. <br>
<br><span style="font-weight: bold;">Addressing security issues is given high priority without any reason. </span><br><br>Care is taken to spare more time in analyzing, designing the solution to avoid re-fixes etc... <br>
<br>We would certainly encourage community developers in sharing patches or suggestion in this front.<br></div><br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
There's also a trac ticket related to this, with milestone deleted ...<a onclick="return top.js.OpenExtLink(window,event,this)" href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6216" target="_blank">http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6216</a></blockquote>
<div><br>I would like to clarify that deleting the milestone doesn't mean we are ignoring it. <br>All the open tickets and set desired milestone before fixing it.<br></div><br>Our team is continuing effort to strengthen vtiger CRM framework and we will roll changes incrementally.<br>
<br>There is a work-around for securing the document at <a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6153">http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6153</a> <br>(which involves moving the storage folder out of web access, our team is evaluating this option)<br>
<br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">
Please do not see this as critics, but as a positive contribution.</blockquote><div><br>As always, we are open to any critics be it good or bad ... as there is something to learn from it.<br><br>Thank you for your continually support and keep spreading the word - vtiger<br>
<br>Regards,<br>Prasad<br>vtiger Team<br></div><br><br><br><div><span class="gmail_quote">On 8/24/09, <b class="gmail_sendername">Carlo Beschi</b> <<a href="mailto:carloz@gnumerica.org">carloz@gnumerica.org</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi all,<br> <br> I'm pretty sure many of you already read this:<br> <br> <a href="http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/">http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/</a><br>
<br> It got quite popular since it was then republished here:<br> <br> <a href="http://secunia.com/advisories/36309/">http://secunia.com/advisories/36309/</a><br> <br> <br> I'd like to start from here to share a couple of thoughts ...<br>
<br> I love vtiger CRM, and I know that many of the issues highlighted have<br> been solved in 5.1.<br> <br> I also appreciate the fact that the team attitude towards the community<br> has evolved a lot, in the last months / years: some of the issues<br>
contained in the current advisory were originally reported on vtiger<br> forums at the end of 2007:<br> <br> <a href="http://forums.vtiger.com/viewtopic.php?t=16756">http://forums.vtiger.com/viewtopic.php?t=16756</a><br>
<br> At that time, the post(er), was not given, in my opinion, the deserved<br> attention.<br> <br> I know vtiger software quite well, and understand that some of the<br> issues are "architectural", so it's very complicate to fix them in 5.0.x<br>
versions.<br> <br> But I also know that version migration is not that easy either<br> (expecially for customized installs) - although the scripts are getting<br> better and better.<br> <br> I expect we'll have an important number of 5.0.x still around, for a<br>
quite long time ...<br> <br> We should not forget this.<br> <br> I was happy to see the 5.0.4 securiy patch released, last year. It fixed<br> a good number of issues ...<br> <br> I'm not able to locate that patch from <a href="http://vtiger.com">vtiger.com</a> downloads page anymore<br>
... (I see 5.1.0 downoads, 5.0.4 language packs. link to download<br> archives were the patch is not listed).<br> <br> <br> My point: I think you/we should put security as a priority, even if<br> (paradoxally) it was only for marketing reasons !<br>
<br> <br> I bet you/we're loosing hundreds of potential vtiger users, because of<br> the buzz that advisories generated on twitter and linkedin and all<br> around ...<br> <br> People who don't know vtiger yet, who don't know nothing about the great<br>
things the new wonderful 5.1 release is bringing ...<br> <br> People who will think ... "vtiger is not that much enterprise ready,<br> after all"...<br> <br> <br> One more brief point, about 5.1 itself. Documents security is still very<br>
basic ...<br> See please this forum thread:<br> <a href="http://forums.vtiger.com/viewtopic.php?p=86615#86615">http://forums.vtiger.com/viewtopic.php?p=86615#86615</a><br> <br> There's also a trac ticket related to this, with milestone deleted ...<br>
<a href="http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6216">http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6216</a><br> <br> I'm testing and confirming this myself ...<br> <br> webmaster@aragorn:/mnt/var/www/<a href="http://demo.vtiger-italia.net/510/storage/2009/August/week4$">demo.vtiger-italia.net/510/storage/2009/August/week4$</a><br>
ls<br> 131_joomla1.5_com_vtiger_forms-1.0.zip<br> <br> vtiger CRM is a candidate for a serious, stable, complete Document<br> Manager System. But this kind of things need to be solved, first.<br> <br> <br> OK, the rant has ended :-)<br>
<br> Please do not see this as critics, but as a positive contribution.<br> <br> Beside language, geographical and cultural differences, we're all<br> willing to help ... To keep the software great and the community strong :-))<br>
<br> Ciao<br> Carlo(z)<br> <br> <br> <br> _______________________________________________<br> Reach hundreds of potential candidates - <a href="http://jobs.vtiger.com">http://jobs.vtiger.com</a><br> </blockquote></div><br>