When implementing the constituent relationship management solution for one of the biggest political organizations, we had to find a way to tailor the CiviCRM security model to the needs of a country-wide hierarchically structured organization.
Any multi-unit public organization with geographically distributed branches is set up with several levels of management, hierarchically structured units and roles. In our case there were four levels of hierarchy: the central office located in the capital, which manages the entire organization; 25 regions, each further divided into 12 to 30 districts; and finally the lowest-level branches in every village or small town, as shown in picture 1. Such a structure presupposes that responsibilities and access are allocated hierarchically within a district, a region or the entire country.
We are joining some dudes from Systopia and Palasthotel to work on CiviMcRestFace (a first attempt at a CMS agnostic connector to CiviCRM) and CiviProxy (policeman between CiviCRM and the rest of the world - check https://github.com/systopia/CiviProxy ) in a sprint for 3 days. Good stuff, made possible by Heinrich Böll Stiftung, Amnesty International Flanders and PUM Senior Experts. As you can imagine we are hard at work, with regular insertions of coffee and cold water.
Our ambition is to add some necessary...
Please note that releases 4.7.21 and 4.6.29 are security releases. Please see the links below to the security advisories:
When email was first designed, security was not considered important and up until fairly recently it was still possible to send an email from any address and get away with it.
However, as spam, phishing and spoofing attacks by email have become increasingly common, there have been various attempts to make email more secure. In the last year or so the major providers (AOL, Google, Microsoft etc.) have all seriously tightened their security and authentication requirements for validating and receiving email. The result is that a lot of legitimate email is now being classified as spam or rejected by those providers. To ensure that your email continues to be marked as legitimate and received by these larger providers, it is now almost essential that you implement SPF, DKIM and DMARC on your domains; otherwise many of your...
The latest releases of CiviCRM 4.6 and 4.7 include security fixes. We recommend upgrading to 4.7.7 or 4.6.16 to ensure the security of your site and data. The latest releases include 2 moderately critical fixes. A number of other non-security issues have also been fixed in the latest releases.
- CIVI-SA-2016-08: Persistent XSS in CiviCRM backend
- CIVI-SA-2016-07: SQL Injections in AJAX callbacks
Community support and engagement is the force that sustains and drives CiviCRM forward. This release would not have been possible without the...
IATS has been a payment processor extension with CiviCRM for quite a while and has been actively developed & supported. If you are using the IATS extension you can say a quiet thank you to Alan, Karin & Stephen & stop reading.
If, however, you have been using IATS since the dark days before it was an extension and never switched over, then it's time to make that change to ensure your site stays secure. Use IATS and need to check? Go to Administer -> Customize Data & Screens -> Manage Extensions and look for IATS. If it says installed, refer to the quiet thank you above (or better yet make a quiet donation to CiviCRM :-).
If not, it's time to install the IATS extension https://civicrm.org/extensions/iats-payments - Alan has generously offered to provide support to anyone making the transition. You can log an issue on the github repo if you need help -...
We’ve been having some discussions among the folks who triage security issues, who publish new releases, and who maintain backports. We'll update the policy beginning with the upcoming 4.4.7 release (and related 4.2.19 and 4.3.9 releases).
Release Policy: The release window
For the past year (at least), the policy has been that new security releases must drop on the first Wednesday of a given month, and that other releases can drop anytime (with an undocumented requirement to target Tue/Wed/Thu). This aimed to strike a balance among predictability, security, and flexibility.
The revised policy is to allow stable point-releases on the first or third Wednesday of the month. This is another attempt to balance predictability/security/flexibility, and has a few notable implications:
- Overall, it’s more predictable...
Don't ask for your privacy. Take it back.
Reset the Net is a campaign to improve individual and organizational privacy against mass government surveillance. I think we as CiviCRM community members should step up and act. In particular, hosting providers, implementors, and organizations using CiviCRM should up their game to implement SSL, HSTS, and PFS.
As users, administrators, and developers of software used by non-profits and advocacy groups around the world, we should all be concerned about the security of information in CiviCRM databases.
Many administrators and consultants went into overdrive to respond promptly to the recent Heartbleed security vulnerability (http://heartbleed.com/). But we also need to be aware of threats from mass government surveillance.
Whether it is America's NSA, the Communications Security Establishment Canada, Britain's GCHQ, China's military, or other...
We've just added a page detailing CiviCRM's security policy and release process.
This page is intended to help people identify how they can stay abreast of security updates, know when to expect them, and how to tell which release of CiviCRM to expect security fixes for.
If you maintain or operate a CiviCRM site (or sites!) then this is a page you should be familiar with, and there are a few actions you should take -
- Make sure your team is subscribed to security notification updates.
- Put the newly announced security release window, first Wednesday of the month, in your schedule.
- Make sure your installed sites are running a supported release, so they qualify for security fixes!
The CiviCRM community is making ongoing...