Important security update - CiviCRM 3.3.5 released

Published: 2011-02-08 13:46

The team is excited to announce the release of CiviCRM 3.3.5 - it is now available for download. You can also try it out on our demo site. Apart from fixing a few bugs, this release contains two critical security updates:

  • Cross-site scripting problem, where the site can be exploited to execute arbitrary JavaScript.
  • Permissioning vulnerability, which allowed anonymous users to potentially change information for another contact.

Please consider upgrading as soon as possible to avoid potential security risks. If you have already upgraded using the 3.3.4 release package - and you did not experience any errors during the upgrade - then you already have the security patches installed and you do not have to upgrade to this release at this time.

What's new?

Here is an overview of the features in this stable release:

  • CiviMail workflow functionality (Rules Integration). Read more here.
  • Back-office staff can now enter recurring contributions for constituents. Constituents can sign up for automatically renewing memberships via online contribution pages. Back-office staff can also create auto-renew memberships. (Both features require use of Authorize.net, PayPal Pro or PayPal Standard payment processors.) Read more here.
  • First version of the new CiviCampaign component, which includes initial support for Canvassing, Surveys and Petitions.
  • Advanced search extended to show objects other than contacts (and object related actions) - including activities, contributions, etc.
  • Serious dedupe performance improvements.
  • First take on an extension mechanism for CiviCRM, allowing creation and distribution of plugins (payment processors, custom search, custom report templates for now).
  • New case and grant reports.
  • Better "session" management support for CiviEvent.
  • First version of database logging, so you will be able to see who changed what and when.
  • Address sharing between any two contacts.

Downloads

You can download the release from SourceForge - select from the civicrm-stable section. The filenames include the 3.3.5 label: civicrm-3.3.5. Make sure you download the correct version for your CMS: Drupal or Joomla.

New Installations

If you are installing CiviCRM 3.3.5 from scratch, refer to the installation guide:

Upgrading 2.2.* or 3.0.* or 3.1.* or 3.2.* Sites to 3.3

The procedure for upgrading to 3.3.5 is the same as for upgrading to 3.0.x. You can upgrade directly from 2.2.x or 3.0.x or 3.1.x or 3.2.x. Instructions:

We will continue to include automated upgrades for subsequent releases of 3.3 - so you should be able to upgrade your site easily over the course of the release cycle.

Comments

Thanks for the upgrade Dave.

It would be helpful to also advise the community whether the security vulnerability exists in previous version code (e.g. 2.2.x, 3.0.x, 3.1.x and 3.2.x - or at least 3.2.x), so people with those versions know whether they now also need to look at upgrading!

I appreciate that it may not be feasible to provide such an advisory for more than just the most recent couple of versions.

Regards

Andrew

Our current policy is to support the latest release only (and hence to check security issues against it).

We do understand that folks have older versions out there, but it is fairly time and resource intensive to support more than one version (it's also very time intensive to support just one version!).

If folks in the community want this policy changed AND are willing to step up and donate their time / energy / resources to make this happen, please start a thread on the forum.

With regard to this specific issue, we do "think" it does affect prior versions also.

lobo