There has been a security release for CiviCRM. We recommend you immediately upgrade to one of the following versions:
- CiviCRM v5.10.3
- CiviCRM v5.7.4 ESR
In addition to the security fixes, this release includes two regression fixes.
Below are the details of the security advisories:
- CIVI-SA-2019-01: Weak Access-Control for File Attachments
- CIVI-SA-2019-02: SQL Injection in "PrevNext" Cache
- CIVI-SA-2019-03: Cross-Site Scripting in "Logging Details" Report
Long Term Support (LTS) releases of CiviCRM are versions that are maintained for multi-year periods so that organizations can stay on them without frequent major upgrades. The first official LTS version of CiviCRM was 4.4, announced in October 2014. 4.4 remained the official LTS version until CiviCRM 4.7 was released, at which point version 4.6 was designated the new LTS. The CiviCRM Core Team and several partners and contributors maintained versions 4.4 and 4.6 until 2017, when Skvare and Compucorp officially took responsibility for the maintenance of CiviCRM 4.6 LTS.
Why have a Long Term Support release?
CiviCRM is open source software with a vibrant and active community of developers and contributors...
When implementing the constituent relationship management solution for one of the biggest political organizations, we had to find a way to tailor the CiviCRM security model to the needs of a country-wide, hierarchically structured organization.
Any multi-unit public organization with geographically distributed branches has several levels of management and hierarchically structured units and roles. In our case there were four levels of hierarchy: the central office located in the capital, which manages the entire organization across 25 regions, each further divided into 12 to 30 districts, and finally the lowest-level branches in every village or small town, as shown in picture 1. Such a structure presupposes that responsibilities and access are allocated hierarchically, within a district, a region or the entire country.
We are joining some dudes from Systopia and Palasthotel to work on CiviMcRestFace (a first attempt at a CMS agnostic connector to CiviCRM) and CiviProxy (policeman between CiviCRM and the rest of the world - check https://github.com/systopia/CiviProxy ) in a sprint for 3 days. Good stuff, made possible by Heinrich Böll Stiftung, Amnesty International Flanders and PUM Senior Experts. As you can imagine we are hard at work, with regular insertions of coffee and cold water.
Our ambition is to add some necessary...
Please note that releases 4.7.21 and 4.6.29 are security releases. Please see the links below to the security advisories:
When email was first designed, security was not a consideration: the From address is simply a header the sender writes, and until fairly recently it was possible to send an email claiming to be from any address and get away with it.
However, as spam, phishing and spoofing attacks by email have become increasingly common, there have been various attempts to make email more secure. In the last year or so the major providers (AOL, Google, Microsoft etc.) have all seriously tightened their authentication requirements for validating and accepting email. The result is that a lot of legitimate email is now being classified as spam or rejected by those providers. To ensure that your email continues to be treated as legitimate and accepted by these larger providers, it is now almost essential that you implement SPF, DKIM and DMARC on your domains, otherwise many of your...
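As an added example (not code from the original post or from CiviCRM), the following Python script inspects SPF and DMARC TXT records for the weak settings that leave a domain spoofable even though "something is published". The two records are constructed samples for a hypothetical domain, not live DNS lookups; DKIM is not covered here because its public keys live under a selector name that the checker would have to know in advance.

```python
"""
Static review of SPF and DMARC TXT records for settings that undermine
the protection they are meant to provide. Added example with constructed
sample records; a real check would query TXT for "example.org" and for
"_dmarc.example.org" and feed the strings to the functions below.
"""

# Constructed sample records for a hypothetical domain (example.org).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.10 include:_spf.example.net ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10
# per evaluation, and exceeding the cap turns the whole record into permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_spf(record):
    """Return (terms, all_qualifier). terms is a list of (qualifier, term);
    all_qualifier is the qualifier on 'all' or None if 'all' is absent."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms, all_qualifier = [], None
    for term in parts[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
            break  # anything after 'all' is never evaluated
        terms.append((qualifier, term))
    return terms, all_qualifier


def spf_findings(record):
    """List the weaknesses in an SPF record (empty list means none found)."""
    findings = []
    terms, all_q = parse_spf(record)
    if all_q is None:
        findings.append("no 'all' mechanism: senders not listed get a neutral result")
    elif all_q in "+?":
        findings.append(f"'{all_q}all' lets any host pass or be neutral: SPF gives no protection")
    elif all_q == "~":
        findings.append("'~all' is softfail: many receivers still deliver; use '-all' once all senders are listed")
    names = [t.split(":")[0].split("=")[0].split("/")[0].lower() for _, t in terms]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    if "ptr" in names:
        findings.append("'ptr' is deprecated and slow; list addresses or includes instead")
    return findings


def parse_dmarc(record):
    """Return the DMARC tags as a dict (keys lower-cased)."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        raise ValueError("not a DMARC record")
    tags = {}
    for part in parts[1:]:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """List the weaknesses in a DMARC record (empty list means none found)."""
    findings = []
    tags = parse_dmarc(record)
    policy = tags.get("p")
    if policy not in POLICY_RANK:
        findings.append("missing or unknown p= tag: receivers ignore the record entirely")
        return findings
    if policy == "none":
        findings.append("p=none only monitors: mail failing SPF/DKIM alignment is still delivered")
    sub = tags.get("sp")
    if sub in POLICY_RANK and POLICY_RANK[sub] < POLICY_RANK[policy]:
        findings.append(f"sp={sub} leaves subdomains weaker than the organizational domain (p={policy})")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will get no aggregate reports showing who fails and why")
    return findings


def review_domain(spf_record, dmarc_record):
    """Combine both checks into one report for a domain."""
    return {"spf": spf_findings(spf_record), "dmarc": dmarc_findings(dmarc_record)}


if __name__ == "__main__":
    for kind, items in review_domain(SAMPLE_SPF, SAMPLE_DMARC).items():
        print(kind.upper() + ":", "ok" if not items else "")
        for item in items:
            print("  -", item)
```

The sample records are the common "half done" state: SPF ends in `~all` and DMARC sits at `p=none`, so a spoofed message fails both checks yet is still delivered by most receivers. Moving to `-all` and `p=quarantine` or `p=reject` (after reading the aggregate reports long enough to list every legitimate sender) is what actually stops the spoofing.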
The latest release of CiviCRM 4.6 and 4.7 includes security fixes. We recommend upgrading to 4.7.7 or 4.6.16 to ensure the security of your site and data. The latest releases include 2 moderately critical fixes. A number of other non-security issues have also been fixed in the latest releases.
- CIVI-SA-2016-08: Persistent XSS in CiviCRM backend
- CIVI-SA-2016-07: SQL Injections in AJAX callbacks
Community support and engagement is the force that sustains and drives CiviCRM forward. This release would not have been possible without the...
IATS has been a payment processor extension with CiviCRM for quite a while and has been actively developed & supported. If you are using the IATS extension you can say a quiet thank you to Alan, Karin & Stephen & stop reading.
If, however, you have been using IATS since the dark days before it was an extension and have never switched over, then it's time to make that change to ensure your site stays secure. Use IATS and need to check? Go to Administer -> Customize Data and Screens -> Manage Extensions and look for IATS. If it says installed, refer to the quiet thank you above (or better yet, make a quiet donation to CiviCRM :-).
If not, it's time to install the IATS extension: https://civicrm.org/extensions/iats-payments - Alan has generously offered to provide support to anyone making the transition. You can log an issue on the GitHub repo if you need help...
We’ve been having some discussions among the folks who triage security issues, who publish new releases, and who maintain backports. We'll update the policy beginning with the upcoming 4.4.7 release (and related 4.2.19 and 4.3.9 releases).
Release Policy: The release window
For the past year (at least), the policy has been that new security releases must drop on the first Wednesday of a given month, and that other releases can drop anytime (with an undocumented requirement to target Tue/Wed/Thu). This aimed to strike a balance among predictability, security, and flexibility.
The revised policy is to allow stable point-releases on the first or third Wednesday of the month. This is another attempt to balance predictability/security/flexibility, and has a few notable implications:
- Overall, it’s more predictable...
Don't ask for your privacy. Take it back.
Reset the Net is a campaign to improve individual and organizational privacy against mass government surveillance. I think we as CiviCRM community members should step up and act. In particular, hosting providers, implementors, and organizations using CiviCRM should up their game and implement SSL, HSTS, and PFS.
As users, administrators, and developers of software used by non-profits and advocacy groups around the world, we should all be concerned about the security of information in CiviCRM databases.
Many administrators and consultants went into overdrive to respond promptly to the recent http://heartbleed.com/ security vulnerability. But we also need to be aware of threats from mass government surveillance.
Whether it is America's NSA, the Communications Security Establishment Canada, Britain's GCHQ, China's military, or other...