Versions 6.5.24, 6.7.13, 7.5.2.5, and 7.6.2.2 have been released!

We have officially released version 6.5.24 for all editions and versions 6.7.13, 7.5.2.5, and 7.6.2.2 for all commercial editions. These patches address security vulnerabilities that SugarCRM recently detected and has since carefully investigated. As always, we take data security and the protection of your private information very seriously at SugarCRM. We have taken action to minimize potential risks.

For more information regarding the specific advisories, please refer to the following Security Advisory announcements:

Following our investigations, we have no reason to believe that the vulnerabilities were exploited. However, we recommend that you take the immediate steps below to ensure that your data stays protected:

On-Demand Customers

If you are hosted in Sugar On-Demand, no action is required.

Starting tonight, Thursday, July 21, 2016, we will begin executing upgrades for all affected customers. If you would like to know when we have scheduled your instance upgrade, or would like to request that we expedite the upgrade, please open a case.

Sugar instances will be upgraded based on the version you are currently running:

| Current Version | Upgraded Version | Availability to upgrade to Major Version |
|---|---|---|
| 7.6.x | 7.6.2.2 | No |
| 7.5.x | 7.5.2.5 | No |
| 6.7.x | 6.7.13 | Yes (7.6.2.2) |
| 6.5.x | 6.5.24 | No |

For the releases above with no ability to upgrade to another major version, we plan to release a version (tentatively 7.7.1.1) within the next 30 days that will support upgrades from the 6.5, 7.5, and 7.6 releases. If you are planning a major version upgrade for one of these versions before this roll-out, we recommend you open a case today to schedule the major version upgrade with our support team so that we can apply the security patch after that upgrade completes.

On-Site Customers

If you host your instance On-Site (in any environment outside of our Sugar On-Demand environment), please carefully review the following instructions and take the actions outlined below at the earliest opportunity. The actions you need to take depend on the version of Sugar you currently run. Failure to take these actions could leave you exposed to malicious attacks:

Version 7.6.x

Please visit our Download Manager to download the latest patch for your release, 7.6.2.2, which addresses these vulnerabilities. Our Installation and Upgrade Guide contains the appropriate guidance to apply this patch to your instance.

Version 7.5.x

Please visit our Download Manager to download the latest patch for your release, 7.6.2.2, which addresses these vulnerabilities. Our Installation and Upgrade Guide contains the appropriate guidance to apply this patch to your instance.

Version 6.5.x

Please visit our Download Manager to download the latest patch for your release, 6.5.24, which addresses these vulnerabilities. Community Edition patches are available through SourceForge. Our Installation and Upgrade Guide contains the appropriate guidance to apply this patch to your instance.

As with the Sugar On-Demand upgrade matrix, customers running 6.5.24, 7.5.2.5, or 7.6.2.2 will not have the ability to upgrade to another major release until our planned release (tentatively 7.7.1.1). If you are planning a major version upgrade before this release, our recommendation is to execute the major version upgrade as soon as possible and apply the applicable security patch for that release after that upgrade completes.

If upgrading now is not an option, and you are running a commercial version of Sugar, please open a case with our support team to request a hotfix for the security vulnerabilities. We will then supply a module loadable package that can be applied to your current version and edition of Sugar. Please note that we will only supply hotfixes for supported versions. Support tickets can be opened via our portal or by emailing support@sugarcrm.com. If you are not familiar with the support process, please review our knowledge base article on Working With Sugar Support.

Release Notes

The release notes for 6.5.24 can be found at the following links:

The release notes for 6.7.13 can be found at the following links:

The release notes for 7.5.2.5 can be found at the following links:

The release notes for 7.6.2.2 can be found at the following links:

If you want to ensure you are up-to-date on all our latest releases, please click the ‘Follow’ button under the Explore space in the community.