CiviCRM security releases since 3.1 - quick reference list

Published: 2013-06-05 10:04

Recently I was asked to compile a list of all CiviCRM releases since 3.1.0, identifying which were security releases so that we could make sure clients' sites were secure. The organization I work for (Freeform Solutions) is focused on doing sites for other non-profit organizations, many of whom are still running older versions of CiviCRM due to budgetary or other constraints, so we wanted to be sure that no one was running a version known to contain security vulnerabilities. Since this seemed like the sort of resource that might be useful to other CiviCRM users, I'm sharing it here.

Of course, the simplest approach is probably just making sure any given client is running the latest release of their particular CiviCRM version (4.3.x, 4.2.x, etc.). But this isn't always reliable (as pointed out by Herb in a comment below), because security fixes are not always applied to older versions (currently, versions prior to 4.2 are not being updated, so they can't be assumed to be secure). Also, it's helpful to be able to identify versions with known security vulnerabilities at a glance, so that if you have a number of sites running older versions, or when taking on a new client, you can quickly identify the sites most in need of an immediate upgrade.

The release numbers are linked to the release announcements, where possible, so that you can see exactly what was changed in each release, although there were a few I couldn't find release announcements for, so those have no link.

Apologies for the minimal formatting - the list was originally in a table format, which was easier to read, but the text format allowed for blog posts apparently doesn't allow tables.

  • 4.6.10 & 4.4.20 - security
  • 4.6.9 - Sep 27, 2015 - security - note that this issue also affects 4.5, but no fix has been released for that version. 4.5.x users are urged to upgrade to 4.6.9.
  • 4.6.8 - Aug 27, 2015 - important bug fix
  • 4.6.7 & 4.4.19 - Aug 19 - security
  • 4.6.6 - Aug 5, 2015 - bug fix
  • 4.6.5 - Jul 16, 2015 - bug fix
  • 4.6.4 - Jun 17, 2015 - bug fix
  • 4.6.3 - May 20, 2015 - bug fix
  • 4.6.2 - Apr 15, 2015 - bug fix
  • 4.6 - Apr 3, 2015 - major release
  • 4.5.8 - Mar 5, 2015 - bug fix
  • 4.5.7 & 4.4.13 - Mar 4, 2015 - security - also 3 other security issues (reflected XSS in AJAX callbacks, persistent XSS and SQL injection in CiviMail) fixed in those and 4.3.11 & 4.2.20
  • 4.5.6 & 4.4.12 - Feb 4, 2015 - bug fix
  • 4.5.5 & 4.4.11 - Dec 17, 2014 - security
  • 4.5.4 & 4.4.10 - Nov 19, 2014 - bug fix
  • 4.5.3 & 4.4.9 - Nov 5, 2014 - bug fix
  • 4.5.2 & 4.4.8 - Oct 14, 2014 - bug fix
  • 4.5.1 - Oct 9, 2014 - bug fix
  • 4.5 - Sep 18, 2014 - major release
  • 4.4.7, 4.3.9 & 4.2.19 - Sep 17, 2014 - security (note: first update for 4.3.x in a long time)
  • 4.2.18 - Aug 6, 2014 - bug fix
  • 4.4.6 & 4.2.17 - July 1, 2014 - security
  • 4.4.5 - Apr 17, 2014 - bug fix
  • 4.2.16 - Feb 18, 2014 - bug fix
  • 4.4.4 & 4.2.15 - Feb 7, 2014 - security (note that this announcement does not include an update for 4.3.x - sites running 4.3 will need to upgrade to 4.4, or use a manual fix for the specific directories involved)
  • 4.4.3 - Dec 5, 2013 - bug fix
  • 4.2.14 & 4.4.2 - Nov 20, 2013 - bug fix
  • 4.2.13, 4.3.8 & 4.4.1 - Nov 6, 2013 - security
  • 4.4 - Oct 23, 2013 - major release
  • 4.3.7 & 4.2.12 - Oct 2, 2013 - security
  • 4.3.6 & 4.2.11 - Sep 25, 2013 - bug fix
  • 4.3.5 - Jul 8, 2013 - security
  • 4.3.4 - June 10, 2013 - security
  • 4.3.3 - May 8, 2013 - bug fix
  • 4.3.2 - May 2, 2013 - bug fix
  • 4.3.1 - Apr 18, 2013 - bug fix
  • 4.3 - Apr 10, 2013 - major release
  • 4.2.10 - Jul 29, 2013 - security
  • 4.2.9 - Apr 3, 2013 - bug fix
  • 4.2.8 - Feb 20, 2013 - bug fix
  • 4.2.7 - Jan 2, 2013 - security
  • 4.2.6 - Nov 1, 2012 - security (also, critical bug fix related to Drush upgrades)
  • 4.2.5 - Nov 1, 2012 - pulled - do not use
  • 4.2.4 - Oct 18, 2012 - bug fix
  • 4.2.3 - Oct 17, 2012 - pulled - do not use
  • 4.2.2 - Sep 27, 2012 - bug fix
  • 4.2.1 - Sep 12, 2012 - bug fix
  • 4.2 - Aug 20, 2012 - major release
  • 4.1.6 - Sep 6, 2012 - bug fix? (no announcement found)
  • 4.1.5 - Jul 11, 2012 - security
  • 4.1.4 - Jul 10, 2012 - pulled - do not use
  • 4.1.3 - Jun 5, 2012 - security
  • 4.1.2 - Apr 19, 2012 - bug fix
  • 4.1.1 - Mar 1, 2012 - bug fix
  • 4.1 - Feb 15, 2012 - major release
  • 4.0.8 - Dec 15, 2011 - bug fix
  • 4.0.7 - Oct 19, 2011 - bug fix
  • 4.0.6 - Sep 23, 2011 - bug fix
  • 4.0.5 - Aug 3, 2011 - bug fix
  • 4.0.4 - Jun 23, 2011 - security
  • 4.0.3 - Jun 14, 2011 - bug fix
  • 4.0.2 - Jun 2, 2011 - bug fix
  • 4.0.1 - May 6, 2011 - bug fix
  • 4.0 - Apr 20, 2011 - major release
  • 3.4.8 - Dec 15, 2011 - bug fix
  • 3.4.7 - Oct 19, 2011 - bug fix
  • 3.4.6 - Sep 23, 2011 - bug fix
  • 3.4.5 - Aug 3, 2011 - bug fix
  • 3.4.4 - Jun 23, 2011 - security
  • 3.4.3 - Jun 14, 2011 - bug fix
  • 3.4.2 - Jun 2, 2011 - bug fix
  • 3.4.1 - May 6, 2011 - bug fix
  • 3.4 - Apr 20, 2011 - major release
  • 3.3.6 - Mar 28, 2011 - bug fix
  • 3.3.5 - Feb 8, 2011 - security
  • 3.3.4 - Feb 8, 2011 - pulled - do not use
  • 3.3.3 - Jan 19, 2011 - bug fix
  • 3.3.2 - Jan 4, 2011 - bug fix
  • 3.3.1 - Dec 9, 2010 - bug fix
  • 3.3 - Dec 3, 2010 - major release
  • 3.2.5 - Nov 18, 2010 - security
  • 3.2.4 - Oct 28, 2010 - bug fix
  • 3.2.3 - Sep 7, 2010 - bug fix
  • 3.2.2 - Aug 23, 2010 - bug fix
  • 3.2.1 - Aug 11, 2010 - bug fix
  • 3.2 - Jul 28, 2010 - major release
  • 3.1.6 - Jul 21, 2010 - security
  • 3.1.5 - May 20, 2010 - bug fix
  • 3.1.4 - Apr 14, 2010 - bug fix
  • 3.1.3 - Feb 25, 2010 - bug fix
  • 3.1.2 - Feb 11, 2010 - bug fix
  • 3.1.1 - Jan 29, 2010 - bug fix
  • 3.1 - Jan 29, 2010 - major release - pulled - do not use

Comments

All versions prior to 4.3.4 are unsafe.

It's incorrect to assume that you can simply take the latest release of a major version, such as 4.2.9 or 4.1.6. You have to make sure all the security fixes were also applied to that previous major version. Looking at the 4.3.4 security fixes, one can see an OpenFlashChart XSS vulnerability that was fixed in 4.3.4 and the unreleased 4.2.10. The same goes for all the other security fixes for 4.3.4. So you can safely assume that all versions of CiviCRM except for 4.3.4 are vulnerable.

4.2.10 will be released by a community team for long-term support of 4.2. As of today, July 3, 4.2.10 hasn't been released yet, so people should decide if they are able to upgrade to 4.3.4 or wait for the security releases for 4.2.

I've added 4.2.10 to the list now that it's out, so people who for whatever reason can't upgrade to 4.3.5 yet (since 4.3.4 turned out to have security issues of its own, apparently) do have an option now.

I updated this list Oct 4, post 4.3.7.