We have officially released version 18.104.22.168 for all commercial editions. The 22.214.171.124 release is available to download for On-Site customers and is being automatically applied to On-Demand instances running an earlier Sugar release.
This release addresses bugs identified in prior releases and includes fixes for recently detected security vulnerabilities that have since been carefully investigated and addressed.
As always, we take data security and the protection of your private information very seriously at SugarCRM. We strive to address security vulnerabilities that come to our attention and inform our customers of those vulnerabilities so they can take steps to safeguard their Sugar instances.
For more information regarding the specific advisories, please refer to the following Security Advisory announcements:
- Security Advisory sugarcrm-sa-2016-003: Authenticated users may cause arbitrary SQL to be executed.
- Security Advisory sugarcrm-sa-2016-004: Authenticated users may obtain user-sensitive data.
- Security Advisory sugarcrm-sa-2016-005: Authenticated users may cause arbitrary code to be executed.
- Security Advisory sugarcrm-sa-2016-006: Authenticated users may cause arbitrary code to be executed.
- Security Advisory sugarcrm-sa-2016-008: Unauthenticated users may cause arbitrary code to be executed.
Following our investigations, we have no reason to believe that the vulnerabilities were exploited. However, we encourage you to take the following actions to remediate the vulnerabilities in your Sugar instances:
If you are hosted in Sugar On-Demand, no action is required.
Starting tonight, Thursday, July 21, 2016, we will begin executing upgrades for all affected customers. If you would like to know when we have scheduled your instance upgrade or request that we expedite the upgrade, please open a case.
If you host your instance On-Site (in any environment outside of our Sugar On-Demand environment), please visit our Download Manager to download 126.96.36.199, which addresses these vulnerabilities, at the earliest opportunity. Our Installation and Upgrade Guide contains the appropriate guidance to apply this patch to your instance. Failure to take these actions could leave you exposed to malicious attacks.
Customers hosting Sugar on their own servers can review the following installation and upgrade instructions:
- Ultimate 7.7 Installation and Upgrade Guide
- Enterprise 7.7 Installation and Upgrade Guide
- Corporate 7.7 Installation and Upgrade Guide
- Professional 7.7 Installation and Upgrade Guide
For information about what is new in 7.7, please review Version 7.7 Released! in the community.
If upgrading now is not an option, and you are running a commercial version of Sugar, please open a case with our support team to request a hotfix for the security vulnerabilities. We will then supply a module loadable package that can be applied to your current version and edition of Sugar. Support tickets can be opened via our portal or by emailing firstname.lastname@example.org. If you are not familiar with the support process, please review our knowledge base article on Working With Sugar Support.
Sugar 188.8.131.52 addresses bugs identified in prior releases, which are detailed in the 184.108.40.206 Release Notes.
Sugar 220.127.116.11 is compatible and supported for new installations and upgrades for customers running a MySQL, DB2, Oracle, or MSSQL stack. Please visit the Supported Platforms page for a complete list of supported configurations. Changes to supported platforms include:
- Added support for PHP 5.6
- Updated versions of Firefox, Safari, and Chrome
18.104.22.168 Release Notes
The release notes for 22.214.171.124 can be found at the following links:
- Ultimate 126.96.36.199 Release Notes
- Enterprise 188.8.131.52 Release Notes
- Corporate 184.108.40.206 Release Notes
- Professional 220.127.116.11 Release Notes
18.104.22.168 Development Changes
Developers should review the Development Changes sections of the 22.214.171.124 Release Notes to learn more about changes that could affect integrations and custom development:
- Ultimate 126.96.36.199 Release Notes - Development Changes
- Enterprise 188.8.131.52 Release Notes - Development Changes
- Corporate 184.108.40.206 Release Notes - Development Changes
- Professional 220.127.116.11 Release Notes - Development Changes
If you want to ensure you are up-to-date on all our latest releases, please click the ‘Follow’ button under the Releases space in the community.