We have officially released version 6.5.25 for all editions. This patch was released because SugarCRM recently detected security vulnerabilities, which have since been carefully investigated and addressed. As always, we take data security and the protection of your private information very seriously at SugarCRM. We have taken action to minimize potential risks.
For more information regarding the specific advisory, please refer to the following Security Advisory announcement:
- Security Advisory sugarcrm-sa-2017-002: Authenticated users may cause arbitrary code to be executed.
Following our investigations, we have no reason to believe that the vulnerabilities were exploited. However, we recommend that you take the immediate steps below to ensure that your data stays protected:
If you are hosted in Sugar On-Demand, no action is required as this vulnerability has been patched in our On-Demand environment.
If you host your instance On-Site (in any environment outside of our Sugar On-Demand environment), please visit our Download Manager to download the latest patch for your release, 6.5.25, which addresses these vulnerabilities. Community Edition patches are available through SourceForge. Our Installation and Upgrade Guide contains the appropriate guidance to apply this patch to your instance.
If upgrading now is not an option, and you are running a commercial version of Sugar, please open a case with our support team to request a hotfix for the security vulnerabilities. We will then supply a module loadable package that can be applied to your current version and edition of Sugar. Please note that we will only supply hotfixes for supported versions. Support tickets can be opened via our portal or by emailing email@example.com. If you are not familiar with the support process, please review our knowledge base article on Working With Sugar Support.
The release notes for 6.5.25 can be found at the following links: