SuiteCRM 7.9.4 Security & Maintenance Patch Now Available

SuiteCRM 7.9.4 is now available to download.

This release resolves an IMPORTANT Security Vulnerability that affects all releases of SuiteCRM; all users of ALL previous releases are advised to upgrade to 7.9.4 as soon as possible.

SuiteCRM LTS 7.8.x will be released shortly.

This 7.9.4 release was an immediate patch for a bug that was raised on GitHub and the Forums, caused by the decoding of special characters, which affected all languages; we’ve detailed the situation in a previous announcement here.

We would also like to go into more detail on the Security Fixes that 7.9.4 provides (as this release supersedes 7.9.3).

Security Issues Resolved:

Ensuring Users can only send an Email via their own Inbound Email Account

This issue affects Group Email Accounts as well. Previously, Users with Group Inbound Email Accounts would have been able to send out Emails from those Accounts using their own From Names and Addresses, but this is of course a Security risk.

All Group Email Accounts use the Email Settings found in the Admin Panel. If you wish to allow normal users to send out emails from Group Inbound Accounts, ensure that the following setting is ticked TRUE.

Allow users to use this account for outgoing email:

Cleaner HTML for Fields

This deals with a Cross-Site Scripting issue regarding HTML fields. This fix was also applied to all fields to improve security.

Apply Roles to Inline Editing

This fix ensures that the current user has the ‘Edit’ Role for that field in order to complete an Inline Edit.

For a full list please view the Release Notes for 7.9.4 and the Release Notes for 7.9.3.

Download here from the SuiteCRM GitHub Repository or visit the official website to find the appropriate upgrade.

Thank you to all community members who logged bugs and contributed to this release.

All input is welcome.

The SuiteCRM Team.

Hello samus-aran,

apart from the decoding of the special characters, we also faced another issue after upgrading to 7.9.3 from 7.7.8. Only the default (Suite P) theme was available in Admin --> themes. After the upgrade, users who had selected different themes logged in to see their theme changed back to the default, without an option for switching to another one. The Themes tab in their profile was missing.

In the file system --> themes folder, subfolders containing the files for the alternative themes were still there.

We eventually had to switch back to 7.7.8 because of the special characters issue and the themes were made available again. If we upgrade to 7.9.4, will we face the same issue? Provided that we will, is there a way to activate the non-default themes post-upgrade and make them available to the users?

Thank you very much in advance,
John

Hi there jtsoukaris,

7.9.4 will resolve the charset issue that was found in 7.9.3.

As part of the 7.9 major Release we deprecated the SuiteR & Suite7 themes as part of the features list. However, if you have upgraded from an older version (and have the themes intact in the themes folders) you can still set the availability of the themes by editing each theme’s themedef.php file.

Look for the lines:

'version' => array(
    'regex_matches' => array('^7.[0-8][^\d]'),
),

and change it to

'version' => array(
    'regex_matches' => array('^7.[0-9][^\d]'),
),

However, I will note here that we also removed the old Email Client from 7.9.x and thus deprecated the other themes’ styling for the new email module, so the styling and possibly the functionality will not be the same on the older themes as it would be on the SuiteP theme.

If the Email Client isn’t of use to you, i.e. physically creating and sending user-made emails, then you can do the above; but if you wish to keep older themes AND use the Email Client (the old one), then I would recommend upgrading only to 7.8.x, which has LTS.
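The following is an added example, not the project's own code: it re-implements the version gate that SuiteCRM's theme registry is assumed to apply to each theme's 'regex_matches' entries (a theme is listed only if the running sugar_version matches one of the patterns) and runs both patterns quoted above against a few constructed version strings.

```php
<?php
// Added illustration of the themedef.php version gate (assumed behaviour,
// not the project's own code): the theme is offered only when one of the
// 'regex_matches' patterns matches the running SuiteCRM version string.

function themeAvailable(array $themedef, $sugarVersion)
{
    if (empty($themedef['version']['regex_matches'])) {
        return true; // no version constraint declared
    }
    foreach ($themedef['version']['regex_matches'] as $pattern) {
        // Patterns are used as-is, so the unescaped '.' after the 7 matches
        // any character, exactly as in the shipped themedef.php.
        if (preg_match('/' . $pattern . '/', $sugarVersion)) {
            return true;
        }
    }
    return false;
}

// Constructed themedef fragments: the shipped pattern and the edited one.
$shipped = array('version' => array('regex_matches' => array('^7.[0-8][^\d]')));
$edited  = array('version' => array('regex_matches' => array('^7.[0-9][^\d]')));

// Constructed version strings, including a two-digit minor version.
foreach (array('7.7.8', '7.8.5', '7.9.4', '7.10.1') as $v) {
    printf("%-7s shipped:%s  edited:%s\n", $v,
        themeAvailable($shipped, $v) ? 'yes' : 'no ',
        themeAvailable($edited, $v) ? 'yes' : 'no ');
}
```

Only the edited pattern accepts 7.9.4, and neither pattern accepts 7.10.x, because `[^\d]` rejects the second digit of a two-digit minor version; a theme re-enabled this way disappears again at the next minor bump unless the pattern is widened.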

Hi All

Apart from the above, one more bug I found on the Activity feed: it doesn’t allow selecting both Facebook and Twitter. If we select both then the home page becomes blank. Also, if we select Twitter on its own then it is set to Twitter forever; when we change from Twitter to Facebook then again the home page becomes blank.

Pl. solve this ASAP…

Hi samus-aran, I think it is worth mentioning that anyone upgrading to 7.9.4 using PHP 7.x, and also using Module Builder / Studio to customize layouts, should be aware that this release breaks the ability to customize any views due to discrepancies in some class declarations. AFAIK, these discrepancies used to be warnings on PHP 5.x but they have been upgraded to fatal errors in PHP 7.x. I haven’t confirmed this (testing back 7.9.4 on PHP 5.x), but it seems to be supported by this: PHP 7 Changes to error and exception handling

If anyone wants to confirm whether their setup is affected, just go to Module Builder, create any Package/Module, and try to open any Layout. Nothing will happen; you can confirm an HTTP 500 Internal Error in your browser console, and your PHP log file should show a full trace starting with:

PHP Fatal error: Declaration of UndeployedMetaDataImplementation::getFileName($view, $moduleName, $packageName, $type = MB_BASEMETADATALOCATION) must be compatible with AbstractMetaDataImplementation::getFileName($view, $moduleName, $type = MB_CUSTOMMETADATALOCATION) in ~/SuiteCRM-7.9.4/modules/ModuleBuilder/parsers/views/UndeployedMetaDataImplementation.php on line 49, referer: https://127.0.0.1:8001/index.php?module=ModuleBuilder&action=index&type=mb

As you know, this issue has been patched in GitHub, see #3198

HTH
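To see why PHP 7 stops at that trace, here is an added, stand-alone reproduction (hypothetical class names, not SuiteCRM's code): an abstract method with two required parameters, the override shape from the log that adds a third required one, and an override that stays compatible by making the extra parameter optional (an illustrative fix, not necessarily what #3198 did).

```php
<?php
// Added stand-alone illustration (not SuiteCRM code); class names and the
// path layout are constructed stand-ins for the ones in the quoted trace.
const MB_CUSTOMMETADATALOCATION = 'custom';
const MB_BASEMETADATALOCATION   = 'base';

abstract class AbstractMetaDataImplementationDemo
{
    // Two required parameters plus one optional: the contract every
    // implementation must honour.
    abstract public function getFileName($view, $moduleName, $type = MB_CUSTOMMETADATALOCATION);
}

// The override shape from the log. A third REQUIRED parameter means a call
// that is valid against the parent is invalid against the child, so PHP 7
// refuses to declare the class (kept as a comment so this file still runs):
//   PHP Fatal error: Declaration of ... must be compatible with ...
//
//   class UndeployedDemo extends AbstractMetaDataImplementationDemo {
//       public function getFileName($view, $moduleName, $packageName,
//                                   $type = MB_BASEMETADATALOCATION) { /* ... */ }
//   }

// Compatible override: the extra parameter is optional, so the child accepts
// every call the parent accepts. Caveat for anyone applying such a fix: a
// caller using the parent's three-argument form now lands its $type in
// $packageName, so call sites need auditing alongside the signature change.
class UndeployedDemo extends AbstractMetaDataImplementationDemo
{
    public function getFileName($view, $moduleName, $packageName = null,
                                $type = MB_BASEMETADATALOCATION)
    {
        $base = $packageName === null
            ? "$type/modules/$moduleName"
            : "$type/packages/$packageName/modules/$moduleName";
        return "$base/metadata/{$view}defs.php";
    }
}

$impl = new UndeployedDemo();
echo $impl->getFileName('edit', 'Accounts', 'MyPackage'), PHP_EOL;
echo $impl->getFileName('edit', 'Accounts'), PHP_EOL; // parent-style call
```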

Dear samus-aran,

My instance of SuiteCRM is still at version 7.8.5 because it’s the release labelled as LTS. Will the fix of the security vulnerability be released for this version as well?

Regards,
Wolf

@WSiedler SalesAgility has already stated that all security patches will be released into the 7.8 branch as well.

Actually, the release you’re running, 7.8.5, is like that: it came out only due to security issues found after the 7.9 branch was already released.

I am 99% sure a 7.8.6 will come out eventually to include a few more fixes, I recently saw code being merged in GitHub into that branch.