We have officially released versions 6.5.26 for all editions and 22.214.171.124 and 126.96.36.199 for all commercial editions. SugarCRM recently detected security vulnerabilities that have since been investigated and addressed in these releases. As always, we take data security and the protection of your private information very seriously at SugarCRM. We have taken action to minimize potential risks.
For more information regarding the specific advisories, please refer to the following Security Advisory announcements:
- Security Advisory sugarcrm-sa-2017-003 : Instances configured with SAML may enable unauthorized access.
- Security Advisory sugarcrm-sa-2017-004 : Authenticated users may cause arbitrary code to be executed.
- Security Advisory sugarcrm-sa-2017-005 : Custom code may execute an eval through a deprecated function.
Following our investigations, we have no reason to believe that the vulnerabilities were exploited. However, we recommend that you take the immediate steps below to ensure that your data stays protected:
If you are hosted in Sugar On-Demand, no action is required as these vulnerabilities and bugs have been patched in our On-Demand environment. If you have additional questions related to how your instance has been affected, please open a case with our support team.
If you host your instance On-Site (in any environment outside of our Sugar On-Demand environment), please carefully review the following instructions and take the actions outlined below at the earliest opportunity. Failure to take these actions could leave you exposed to malicious attacks:
Please visit our Download Manager to download the latest patch for your release, 188.8.131.52, which address these vulnerabilities. Our Installation and Upgrade Guide contains the appropriate guidance to apply these patches to your instance.
Please visit our Download Manager to download the latest patch for your release, 184.108.40.206, which address these vulnerabilities. Our Installation and Upgrade Guide contains the appropriate guidance to apply these patches to your instance.
Please visit our Download Manager to download the latest patch for your release, 6.5.26, which addresses these vulnerabilities. Community Edition patches are available through SourceForge. Our Installation and Upgrade Guide contains the appropriate guidance to apply this patch to your instance.
If upgrading now is not an option, and you are running a commercial version of Sugar, please open a case with our support team to request a hotfix for the security vulnerabilities. We will then supply a module loadable package that can be applied to your current version and edition of Sugar. Please note that we will only supply hotfixes for supported versions. Support tickets can be opened via our portal or by emailing email@example.com. If you are not familiar with the support process, please review our knowledge base article on Working With Sugar Support.
The release notes for 6.5.26 can be found at the following links:
- Ultimate 6.5.26 Release Notes
- Enterprise 6.5.26 Release Notes
- Corporate 6.5.26 Release Notes
- Professional 6.5.26 Release Notes
- Community Edition 6.5.26 Release Notes
The release notes for 220.127.116.11 can be found at the following links:
- Ultimate 18.104.22.168 Release Notes
- Enterprise 22.214.171.124 Release Notes
- Corporate 126.96.36.199 Release Notes
- Professional 188.8.131.52 Release Notes
The release notes for 184.108.40.206 can be found at the following links:
- Ultimate 220.127.116.11 Release Notes
- Enterprise 18.104.22.168 Release Notes
- Corporate 22.214.171.124 Release Notes
- Professional 126.96.36.199 Release Notes
If you want to ensure you are up-to-date on all our latest releases, please click the ‘Follow’ button under the Releases space in the community.