There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:
- CiviCRM v5.10.3
- CiviCRM v5.7.4 ESR
In addition to the security fixes, this release includes two regression fixes.
Below are the security advisory details:
- CIVI-SA-2019-01: Weak Access-Control for File Attachments
- CIVI-SA-2019-02: SQL Injection in "PrevNext" Cache
- CIVI-SA-2019-03: Cross-Site Scripting in "Logging Details" Report
- CIVI-SA-2019-04: SQL Injection in Group and Tag Filters
- CIVI-SA-2019-05: Cross-Site Scripting in "New Pledge" Form
- CIVI-SA-2019-06: Cross-Site Scripting in Contact Reference Fields
- CIVI-SA-2019-07: Limit Cross-Domain Execution by jQuery
- CIVI-SA-2019-08: Arbitrary File Read
The regression issues fixed in this release are:
- Custom Search results selection failure and dev/core#679 Groups and Tags affect search results when using Search Builder. See Gitlab issue for more details.
- Mass SMS not sent when send time is set to immediately. See Gitlab issue for more details.
Upgrade now for the most stable CiviCRM experience:
- To download CiviCRM 5.10.3: https://civicrm.org/download
- To download CiviCRM 5.7.4 ESR version: https://civicrm.org/esr
I'm a bit confused with the ESR access.
On the ESR page it states "ESR is available to sponsoring Partners and to end user organizations that subscribe to it. It is free for CiviCRM members."
Does that mean it is free for CiviCRM members or CiviCRM organisations that are members?
From what I can tell, organisations may actually have to subscribe to the CiviCRM ESR? Again, on this page it states "CiviCRM ESR is free with membership to CiviCRM".
Previous ESR releases up to 5.7.3 were available on the main download page, so you will have users who will need to sign up, so I think this needs further clarification. To note, the checkout process to become a member seems to take a long time and errors (at least it did for me), so you could potentially lock out users from getting the latest ESR release.
Where is the latest ESR version available for download?
Thanks in advance!
@alexgamblin Apologies for the confusion. ESR was announced after 5.7 was released. We indicated at that time that 5.7 was the best version for ESR and encouraged organizations to upgrade then. You're correct that at that time it could be done for free. Again, we announced the candidate for ESR after the release was already out.
ESR is available to CiviCRM Partners that sponsor it, i.e. help fund core team work on it, as well as CiviCRM Member organizations, i.e. end user organizations that support the CiviCRM Core Team through financial contributions. Partners that support ESR have unlimited keys for ESR. Member organizations have access to a single key for ESR for their use. It takes a few to process requests, so give us a bit and keys will be emailed to you.
We'll look into the checkout process and see what's up with it. Sorry for the slowness and errors.
"Partners that support have ESR have unlimited keys for ESR" - my understanding is that this is true at a technical level, but they should be installing it on no more sites than their sponsorship covers, i.e. partners paying $100 per month are effectively paying for 5 of their customers to be able to access it.
Is my understanding correct Josh?
The download link for 5.10.3 actually takes me to 5.10.4?