17 September, 2014
By totten
Filed under Release, Security Releases

There has been a security advisory for CiviCRM. We recommend you immediately upgrade to one of the following versions:

Read the security advisories for details:

To receive future CiviCRM security notices, subscribe to notifications.

In addition,...

01 July, 2014
By totten

There has been a security advisory for CiviCRM. We recommend you immediately upgrade to one of the following versions:

Read the security advisories for details:

To receive future CiviCRM security notices, subscribe to notifications.

In addition, CiviCRM 4.4.6 contains 30 fixes, making it the most...

06 February, 2014
Filed under Release, Security Releases

There has just been a security advisory for CiviCRM. We recommend you immediately upgrade to one of the following newly released versions:

Read the security announcement for details: https://civicrm.org/advisory/civi-sa-2014-001-risk-information-disclosure

To receive future CiviCRM security notices, subscribe to notifications.

In addition, the latest version of CiviCRM 4.4 contains over 120 fixes, making it the most stable version of 4.4 available. Upgrading now can save you a lot of...

06 November, 2013

A moderately critical security issue has just been fixed in CiviCRM. We recommend you immediately upgrade to one of the following newly released versions:

Read the following security announcement for details:

https://civicrm.org/advisory/civi-sa-2013-010-sql-injection-permissioned-users

You can keep up with the latest security advisories by signing up for email alerts or the RSS feed. You can see past advisories at...

02 October, 2013

A critical security issue has just been fixed in CiviCRM. For the safety of your CiviCRM data you should immediately upgrade to one of the following newly released versions:

If you are unable to upgrade at this time, read the following security announcement for alternate solutions:

http://civicrm.org/advisory/civi-sa-2013-009-sql-injection-vulnerability

You can keep up with the latest security advisories by regularly visiting http://civicrm.org/advisory or subscribing to the...

29 July, 2013
By Eileen

About 4.2.10 LTS


The community of developers and implementers is proud to announce the 4.2.10 LTS release of CiviCRM. LTS stands for "long term support" and the purpose of this release is threefold:

1. To provide bug and security fixes to those who are not ready to upgrade to CiviCRM 4.3 just yet

2. To increase the reliability of an existing CiviCRM release

3. To provide a consistent and stable hook and API platform for developers

Download it here

The developer community thanks the CiviCRM core team for their support of this effort. This LTS release is not a substitute for CiviCRM 4.3 and beyond. CiviCRM 4.3 contains newer features not...

08 July, 2013

Announcing the 6th stable release of CiviCRM 4.3, containing small bug fixes and two minor security updates to make your CRM more stable and secure.

This is a security release. You should upgrade your site immediately. If you are unable to do so, read the following security bulletins for alternate instructions for securing your site:

SECURITY Fixes in 4.3.5:

You can keep up with the latest security advisories by regularly visiting http://civicrm.org/advisory or subscribing to the...

10 June, 2013
Filed under Release, Security Releases

Today marks the 5th stable release of CiviCRM 4.3. The CiviCRM community has truly rallied to make 4.3 the most reliable and feature-rich version yet - over 60 people contributed patches and testing to 4.3.4 alone.

This is a security release. You should upgrade your site immediately. If you are unable to do so, read the following security bulletins for alternate instructions for securing your site:

SECURITY Fixes in 4.3.4:

05 June, 2013

Recently I was asked to compile a list of all CiviCRM releases since 3.1.0, identifying which were security releases so that we could make sure clients' sites were secure. The organization I work for (Freeform Solutions) is focused on doing sites for other non-profit organizations, many of whom are still running older versions of CiviCRM due to budgetary or other constraints, so we wanted to be sure that no one was running a version known to contain security vulnerabilities. Since this seemed like the sort of resource that might be useful to other CiviCRM users, I'm sharing it here.

Of course, the simplest approach is probably just making sure any given client is running the latest release of their particular CiviCRM version (4.3.x, 4.2.x, etc.). But this isn't always reliable (as pointed out by Herb in a comment below), because security fixes are not always applied to older versions (currently, versions prior to 4.2 are not being updated...

17 April, 2013
By totten

IMPORTANT: You do NOT need to upgrade CiviCRM to remove this vulnerability. See "Prevent Attacks: Delete the Vulnerable File" below.

In recent days, multiple site administrators have reported evidence that their sites were attacked using vulnerabilities in the OpenFlashChart library included with prior versions of CiviCRM. This vulnerability was eliminated in the CiviCRM v4.2.6 release (Dec 2012), and site administrators were strongly advised to apply the upgrade. However, as older versions of CiviCRM are still vulnerable, site administrators running outdated versions of CiviCRM should take steps immediately to prevent new attacks and identify past attacks. This blog post provides some background and suggestions.

You can check what version of CiviCRM you are using by looking on any CiviCRM page.  The version is displayed at the bottom of the screen (see screenshot...
