17 April, 2013
By totten

IMPORTANT: You do NOT need to upgrade CiviCRM to remove this vulnerability. See "Prevent Attacks: Delete the Vulnerable File" below.

In recent days, multiple site administrators have reported evidence that their sites were attacked using vulnerabilities in the OpenFlashChart library included with prior versions of CiviCRM. This vulnerability was eliminated in the CiviCRM v4.2.6 release (Dec 2012), and site administrators were strongly advised to apply the upgrade. However, as older versions of CiviCRM are still vulnerable, site administrators running outdated versions of CiviCRM should take steps immediately to prevent new attacks and identify past attacks. This blog post provides some background and suggestions.

You can check what version of CiviCRM you are using by looking on any CiviCRM page.  The version is displayed at the bottom of the screen (see screenshot...

02 January, 2013

The team is excited to announce the seventh release of 4.2 stable with support for Drupal 7, Joomla 2.5 and WordPress 3.3.

We strongly recommend that all sites upgrade their CiviCRM code to this release if you are using a previous version of 4.2. There have been significant (75+) bug fixes, including two security fixes, since the last stable release of 4.2. You can download the release from SourceForge, and you can also test drive the release on each platform using the public demos:

What is new in 4.2?

Here's a quick list of some of the other cool new features and improvements in this release:

...
01 November, 2012
By kurund

The team is excited to announce the fifth release of 4.2 stable with support for Drupal 7, Joomla 2.5 and WordPress 3.x

This release includes a critical bug fix related to drush upgrades, eliminates a vulnerability in the OpenFlashChart tool which is included in CiviCRM distributions, and also includes another 20+ fixes. We recommend that site administrators review the issue queue and apply the upgrade in a timely manner. You can download the release from ...

23 June, 2011

CiviCRM 3.4.4 and 4.0.4 have just been released and both are available for download. This release fixes security vulnerabilities in the 3.4.3 / 4.0.3 release, helping to harden your system. We recommend you upgrade immediately to realize these improvements. You can also try them out on the public demos: Drupal 6 / Drupal 7 and Joomla 1.5 / Joomla 1.6 sites. The newest CiviCRM...

08 February, 2011

The team is excited to announce the release of CiviCRM 3.3.5 - it is now available for download. You can also try it out on our demo site. Apart from fixing a few bug issues, this release contains two critical security updates:

  • Cross-site scripting problem, where the site can be exploited to execute arbitrary JavaScript.
  • Permissioning vulnerability, which allowed anonymous users to potentially change information for another contact.


Please consider doing an upgrade as soon as possible to avoid potential security risks. If you have already upgraded using the 3.3.4 release package - and you did not experience any errors during the upgrade - then you already...

06 July, 2009

The team has released version 2.2.7 today. This release includes an important security update - and we recommend that you upgrade sites to this release as soon as possible. 2.2.7 also includes phase 1 of CiviReport - with 14 built-in report templates with coverage of contact data, contributions, events and memberships. Stay tuned for a separate blog post with lots more details on the new reporting features. You can review a complete list of 2.2.7 changes on the issue tracker.  


You can download CiviCRM 2.2.7 at our download page. Select from the Newest Files section at the top of the page. The filenames include the 2.2.7 label: civicrm-2.2.7…. Be sure to download the correct version for your CMS (...
