All sites are strongly encouraged to upgrade to the latest secure versions of CiviCRM: v4.7.14 and v4.6.24.
- CIVI-SA-2016-19 Order By clause in API not properly being validated
- CIVI-SA-2016-20 Lack of validation on contact ids when using apiQuery function
- CIVI-SA-2016-21 Incorrect Escaping of custom group name in CiviCase
- CIVI-SA-2016-22 Profile permission check bypasses in WordPress
- CIVI-SA-2016-23 Unescaped html in entity reference fields
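The first advisory above concerns an ORDER BY clause that reached SQL without proper validation. The following is an added illustration of the allow-list approach a defender would use for that class of defect; it is example code written for this page, not CiviCRM's own fix or API code, and the function name, field map and column names are hypothetical.

```php
<?php
// Added example (not CiviCRM's code): validating a caller-supplied
// ORDER BY clause against an allow-list before it reaches SQL.
// The function name, the field map and the column names are hypothetical.

/**
 * Build a safe ORDER BY fragment from an untrusted "field [ASC|DESC], ..." string.
 * Every field must be a key of $allowedFields; the direction must be ASC or DESC.
 * Returns null if any term is rejected, so the caller can refuse the request
 * rather than fall back to interpolating the caller's text.
 */
function buildOrderBy(string $untrusted, array $allowedFields): ?string {
    $terms = [];
    foreach (explode(',', $untrusted) as $raw) {
        $raw = trim($raw);
        if ($raw === '') {
            return null;
        }
        // Only a bare identifier with an optional direction is accepted;
        // parentheses, quotes, semicolons, comments and functions all fail here.
        if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?$/i', $raw, $m)) {
            return null;
        }
        $field = $m[1];
        $dir   = strtoupper($m[2] ?? 'ASC');
        if (!isset($allowedFields[$field])) {
            return null; // unknown column: reject instead of trusting the name
        }
        // Emit the mapped, quoted column identifier, never the caller's text.
        $terms[] = $allowedFields[$field] . ' ' . $dir;
    }
    return 'ORDER BY ' . implode(', ', $terms);
}

// Hypothetical map from API-visible field names to quoted column identifiers.
$allowed = [
    'sort_name'    => '`contact`.`sort_name`',
    'contact_id'   => '`contact`.`id`',
    'created_date' => '`contact`.`created_date`',
];

// Constructed inputs: the first is accepted, the others are rejected (null).
$samples = [
    'sort_name DESC, contact_id',   // valid: two allow-listed fields
    'sort_name ; created_date',     // invalid: stray punctuation
    'is_deleted ASC',               // invalid: field not in the allow-list
    'LOWER(sort_name)',             // invalid: function call
];
foreach ($samples as $input) {
    $fragment = buildOrderBy($input, $allowed);
    printf("%-30s => %s\n", $input, $fragment ?? 'REJECTED');
}
```

The point of the design is that the string placed into SQL is always taken from the allow-list map, so the caller's input only ever selects among known-good identifiers and can never contribute characters to the query.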
For this release, Andrew Hunt from AGH Strategies has stepped up and committed to compiling the release notes. It is no small endeavour given the volume of patches and the work that goes into interpreting them, so we are very grateful. The release notes can be found here.
There are a huge number of people who put effort into every release, and we try to thank and acknowledge everyone in the contributors list. I'd like to make special mention of four people who put significant or increased effort into testing and QA for this release. They are not the only ones, just some that stand out to me right at the moment: Dave Jenkins of Circle Interactive, Karin of Semper IT, Pradeep of JMA Consulting and Seamus Lee of the Australian Greens.
WHAT'S NEW IN CIVICRM 4.7
- Administrator Status Page - Provides CiviCRM site administrators a single place to check configuration issues including cron status, permissions, optimal system settings, etc.
- Dedupe improvements - Optimizes duplicate contact identification and merging for organizations with large numbers of duplicates.
- Changes to WYSIWYG editor - Incorporates the new CKEditor configurator directly in CiviCRM, allowing easy selection of plugins and themes.
- Payment processing improvements - Thanks to Eileen for overhauling the payment system to be more reliable and to support token-based recurring payments as well as non-credit card payment methods.
- Many useful improvements to contribution and activity reports.
- API enhancements - The API now supports joins across related entities and filtering by custom fields. Big thanks to johanv for this!
Along with this and other exciting new features, this release includes 50 fixes and minor improvements.
If you are installing CiviCRM 4.7 from scratch, please use the corresponding automated installer instructions:
Authorize.net users: Prior to 4.7, CiviCRM forced Authorize.net to send out receipt emails regardless of the Authorize.net configuration. From 4.7 onwards this no longer happens, so you should log into your Authorize.net interface and configure whether you want Authorize.net to send out receipts (in addition to those sent by CiviCRM).
Lybunt report users: Some fields that were previously mandatory on the Lybunt report are now optional. On new reports they are enabled by default, but for existing reports you may need to check that the fields you want are selected.
UPGRADING TO 4.7
If your site is highly customized with special code or theming for CiviCRM you will want to upgrade a test copy first and test your customizations. For everyone else, follow these simple steps to get yourself up and running with 4.7.