CiviCRM 5.50.0, 5.49.4, 5.45.6 ESR Security Release

2022-06-01 07:00

There has been a security release for CiviCRM. Upgrades are available for:

These upgrades address the following security issue:

We are committed to keeping CiviCRM free and open, forever. We depend on your support to help make that happen. We thank all our partners, members and ESR subscribers, who are regular financial contributors. If you can, please donate.

What's new in CiviCRM 5.50

As usual, there is a very long list of changes that make CiviCRM more reliable and easier to use. Below are some items that might make sense to some people. If a topic interests you, we recommend reading the associated references, which should make more sense.

  • System Check - Add a reminder about CIVICRM_SIGN_KEYS, required by FormBuilder and Authx (23224)
  • Restrict allowed uploads - contact image (23147)
  • Add tracking table for import jobs (dev/core#1307: 23199 and 23245)
  • Api4: CustomFields - Improve metadata about which custom groups belong to which entities. (23336), Add NOW() date function (23378), Add MONTH sql function (23377), Add is_active extra field to Domain entity, to make it easier to get the current active domain (22159), Add Managed::reconcile action. (23243), Implement countFetched() and countMatched() on api4 results. (22115)
  • SearchKit: Add data segmentation functionality. Creates virtual fields based on flexible segmentation criteria. (23059), Add date pseudo-fields (23381)
  • FormBuilder (Afform): make survey title available in form builder (23322), Dispatch event to alter admin metadata; provide mixin, allowing extensions to add to the list of available entities, elements, input types, styles, etc (23303), Improve dragging into dropzones (23239), Optional reset button for search and submit forms (dev/core#3430: 23334), Add icons for SavedSearch and SearchDisplay entities (23149)
  • Smartgroups: Simplify and improve performance of query to insert updated cache (21943)
  • CiviCampaign: Make links to sign a petition easily accessible on the form. (23316)
  • CiviCase: Activity Type + Activity Status + Case Type not being Combined Correctly in Search Builder. This makes CaseType in APIv4 a managed entity. This is part of a move towards having all cases defined in configuration and deprecating XML-defined case types. (dev/core#3249: 23313), Fix Case Resources cuts off at 25 contacts when creating case activity (dev/core#3431: 23327)
  • WordPress: Improve error screen user experience by displaying site theme/decorations (22805), On the website front-end, CiviCRM page heading should start from h2 and not h1 (23324)
  • Upgrader - Add support for automatic snapshots (23522 and 23544). Adds a utility for recording a snapshot of certain columns in a database table prior to applying any upgrade steps to it. This will make it easier to roll back or compare changes if necessary after the upgrade. For now, the feature is disabled by default.

Big thanks to Andie Hunt and Alice Frumin from AGH Strategies for putting together the release notes. Planning a big upgrade? Check out the version-specific upgrade documentation.

This release was developed by the following code authors:

AGH Strategies - Alice Frumin, Andie Hunt; Agileware - Justin Freeman; Benjamin W; BrightMinded Ltd - Bradley Taylor; Circle Interactive - Pradeep Nayak; CiviCRM - Coleman Watts, Tim Otten; CiviDesk - Yashodha Chaku; Coop SymbioTIC - Mathieu Lutfy, Samuel Vanhove; Dave D; Freeform Solutions - Herb van den Dool; Ginkgo Street Labs - Michael Z Daryabeygi; iXiam - Luciano Spiegel; JMA Consulting - Monish Deb, Seamus Lee; John Kingsnorth; Joinery - Allen Shaw; Lighthouse Consulting and Design - Brian Shaughnessy; Megaphone Technology Consulting - Jon Goldberg; MJW Consulting - Matthew Wire; Progressive Technology Project - Jamie McClelland; Third Sector Design - Kurund Jalmi; Wikimedia Foundation - Eileen McNaughton

Most authors also reviewed code for this release; in addition, the following reviewers contributed their comments:

Andreas Howiller; Andy Burns; Artful Robot - Rich Lott; Australian Greens - John Twyman; Betty Dolfing; Christian Wach; Circle Interactive - Dave Jenkins, Matt Trim; CiviCoop - Jaap Jansma; iXiam - Vangelis Pantazis; JMA Consulting - Edsel Lopez; John Kingsnorth; Joinery - Allen Shaw; Nicol Wistreich; Tadpole Collective - Kevin Cristiano

What else?

  • CiviCRM 5.49 had issues with Scheduled Reminders. It should be fixed, but you may want to check your configurations, notably with the "limit" filter (which resulted in reminders being sent to more people than expected).
  • Monish is working on improving Joomla!4 support
  • Input wanted on: membership sorting, exception handling, participant counts, sms tokens, doubts on the usefulness of the USPS integration.
  • A lot of work going on around improving imports (having a proper queue, avoid timeouts, code cleanup).
  • Reminder for extension authors to update their "civix" files for PHP 8.0 support.
  • Eileen is prepared (pending PR review) to name Justin Freeman an honorary kiwi, for his work on long-term (non-trivial) fixes for complex issues.

For more, subscribe to Eileen's dev-digest.

Support CiviCRM

CiviCRM is community driven and is sustained through contributions, good vibes, solidarity, and financial support from its community. Help CiviCRM do a world of good.