When email was first designed, security was not a consideration, and until fairly recently it was still possible to send an email from any address and get away with it.
However, as spam, phishing and spoofing attacks by email have become increasingly common, there have been various attempts to make email more secure. In the last year or so the major providers (AOL, Google, Microsoft etc.) have all seriously tightened their security and authentication requirements for validating and receiving email. The result is that a lot of legitimate email is now being classified as spam or rejected by those providers. To ensure that your email continues to be marked as legitimate and received by these larger providers, it is now almost essential that you implement SPF, DKIM and DMARC on your domains; otherwise many of your...
The latest releases of CiviCRM 4.6 and 4.7 include security fixes. We recommend upgrading to 4.7.7 or 4.6.16 to ensure the security of your site and data. The latest releases include two moderately critical fixes. A number of other non-security issues have also been fixed in the latest releases.
- CIVI-SA-2016-08: Persistent XSS in CiviCRM backend
- CIVI-SA-2016-07: SQL Injections in AJAX callbacks
Community support and engagement is the force that sustains and drives CiviCRM forward. This release would not have been possible without the...
IATS has been a payment processor extension for CiviCRM for quite a while and has been actively developed and supported. If you are using the IATS extension, you can say a quiet thank you to Alan, Karin and Stephen, and stop reading.
If, however, you have been using IATS since the dark days before it was an extension and never switched over, then it's time to make that change to ensure your site stays secure. Use IATS and need to check? Go to Administer -> Customize Data and Screens -> Manage Extensions and look for IATS. If it says installed, refer to the quiet thank you above (or, better yet, make a quiet donation to CiviCRM :-).
If not, it's time to install the IATS extension (https://civicrm.org/extensions/iats-payments). Alan has generously offered to provide support to anyone making the transition. You can log an issue on the GitHub repo if you need help...
We’ve been having some discussions among the folks who triage security issues, who publish new releases, and who maintain backports. We'll update the policy beginning with the upcoming 4.4.7 release (and related 4.2.19 and 4.3.9 releases).
Release Policy: The release window
For the past year (at least), the policy has been that new security releases must drop on the first Wednesday of a given month, and that other releases can drop anytime (with an undocumented requirement to target Tue/Wed/Thu). This aimed to strike a balance among predictability, security, and flexibility.
The revised policy is to allow stable point-releases on the first or third Wednesday of the month. This is another attempt to balance predictability/security/flexibility, and has a few notable implications:
- Overall, it’s more predictable...
Reset the Net is a campaign to improve individual and organizational privacy against mass government surveillance. I think we as CiviCRM community members should step up and act. In particular, hosting providers, implementors, and organizations using CiviCRM should up their game to implement SSL, HSTS, and PFS.
As users, administrators, and developers of software used by non-profits and advocacy groups around the world, we should all be concerned about the security of information in CiviCRM databases.
Many administrators and consultants went into overdrive to respond promptly to the recent Heartbleed security vulnerability (http://heartbleed.com/). But we also need to be aware of threats from mass government surveillance.
Whether it is America's NSA, the Communications Security Establishment Canada, Britain's GCHQ, China's military, or other government...
We've just added a page detailing CiviCRM's security policy and release process.
This page is intended to help people identify how they can stay abreast of security updates, know when to expect them, and how to tell which release of CiviCRM to expect security fixes for.
If you maintain or operate a CiviCRM site (or sites!), then this is a page you should be familiar with, and there are a few actions you should take:
- Make sure your team is subscribed to security notification updates.
- Put the newly announced security release window, first Wednesday of the month, in your schedule.
- Make sure your installed sites are running a supported release, so they qualify for security fixes!
The CiviCRM community is making ongoing efforts...