There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:
- CiviCRM v5.13.4
- CiviCRM v5.7.6 ESR
Below are the security advisories addressed by this release:
- CIVI-SA-2019-09: XXE in PHPWord
- CIVI-SA-2019-10: TCPDF XSS and RCE vulnerabilities
- CIVI-SA-2019-11: jQuery Object.prototype pollution
- CIVI-SA-2019-12: SQLI in "Country", et al
If you're not already aware, CiviCRM version 5.13 shipped this past Wednesday. In addition to being the normal monthly release of the latest stable version of CiviCRM, it will also become the next version of CiviCRM ESR, officially in August. Finally, CiviCRM version 5.13 will be the last version of CiviCRM to support PHP 5.6.
There’s a lot here to digest, so let’s break it down with a few questions.
Will the current version of ESR be supported until August?
Yes. Originally slated for 6 months of support, ESR version 5.7 will continue to receive security and critical fixes up until the release of 5.13 ESR. After August 2019, version 5.7 will be sunset.
Will PHP 5.6 continue to work on versions of CiviCRM beyond 5.13?
Possibly, however it will no longer be supported by CiviCRM. That...Read more
This is just a quick reminder that as announced in August the CiviCRM release on 2 Jan 2019 will be the last release supporting PHP 5.5.
Upstream php.net support for PHP versions 5.6 and 7.0 also ends at the end of this month; if you are on either of these versions, we recommend that you plan your upgrade now. Our goal is that CiviCRM will support PHP 5.6 and 7.0 through to September and December 2019 respectively. We will re-evaluate that goal in March, per the previous announcement.
Our recommended version is PHP 7.2. We have only done very limited testing on the newly released PHP 7.3 so we are not in a position to recommend 7.3 yet. Note that if you have a saved SMTP password you will need to re-save it after upgrading to PHP 7.2.
At this stage there is no intention to continue supporting PHP 5.5 in future ESR releases. However, combining longer term...Read more