We’ve been having some discussions among the folks who triage security issues, who publish new releases, and who maintain backports. We'll update the policy beginning with the upcoming 4.4.7 release (and related 4.2.19 and 4.3.9 releases).
Release Policy: The release window
For the past year (at least), the policy has been that new security releases must drop on the first Wednesday of a given month, and that other releases can drop anytime (with an undocumented requirement to target Tue/Wed/Thu). This aimed to strike a balance among predictability, security, and flexibility.
The revised policy is to allow stable point-releases on the first or third Wednesday of the month. This is another attempt to balance predictability/security/flexibility, and has a few notable implications:
- Overall, it’s more predictable...
LTS release 4.2.16 is now on sourceforge. Unfortunately there is an error on some admin pages in 4.2.15 which happened because the porting of the security patch was rushed. Hopefully this won't occur in future. Note the job.create API has also been added to the LTS (this is extra code only; no existing code was altered to port this).
Here it is folks, another thrilling update to everyone's favorite CRM for the social profit sector. This edition brings you maintenance and stability improvements to the latest version plus an update from the LTS team as well.
Which one should I use?
In most situations, and if you are new to CiviCRM, you should choose the latest stable version. It contains new features and receives the most support. 4.2 LTS (long term support...
A moderately critical security issue has just been fixed in CiviCRM. We recommend you immediately upgrade to one of the following newly released versions:
Read the following security announcement for details:
A critical security issue has just been fixed in CiviCRM. For the safety of your CiviCRM data you should immediately upgrade to one of the following newly released versions:
If you are unable to upgrade at this time, read the following security announcement for alternate solutions:
You can keep up with the latest security advisories by regularly visiting http://civicrm.org/advisory or subscribing to the...
The CiviCRM core team and community of developers and implementers are proud to present...
Which one should I use?
In most situations, and if you are new to CiviCRM, you should choose the latest stable version. It contains new features and receives the most support. 4.2 LTS (long term support) is provided for those organizations who are using an older version of CiviCRM and are not yet ready to upgrade; it receives critical bug fixes only. More about 4.2 LTS.
Noteworthy Fixes in 4.3.6:
About 4.2.10 LTS
The community of developers and implementers is proud to announce the 4.2.10 LTS release of CiviCRM. LTS stands for "long term support" and the purpose of this release is three fold:
1. To provide bug and security fixes to those who are not ready to upgrade to CiviCRM 4.3 just yet
2. To increase the reliability of an existing CiviCRM release
3. To provide a consistent and stable hook and API platform for developers
The developer community thanks the CiviCRM core team for their support of this effort. This LTS release is not a substitute for CiviCRM 4.3 and beyond. CiviCRM 4.3 contains newer features not...
Well this is my first post on the CiviCRM Blog and I am very honoured to have been given the privilege by David Greenberg. We are a CRM consulting company, meaning that we provide consulting and advice to companies who require a CRM system or who have a CRM system in place but want to know how to use it to its full capacity.
We received a grant from the Western Australian Department of Commerce to work in partnership with the Fremantle Chamber of Commerce. The funding was to provide educational workshops to West Australian businesses about what CRM is and how it can benefit your business. As part of the funding we were also to carry out two pilot CRM implementations. One of which was to be for the Chamber to manage these workshops as well as their other events and memberships.
The Fremantle Chamber were actually the ones who suggested that CiviCRM would be a good fit for them as it was open source and seemed to meet their requirements. After some research and...
Recently I was asked to compile a list of all CiviCRM releases since 3.1.0, identifying which were security releases so that we could make sure clients' sites were secure. The organization I work for (Freeform Solutions) is focused on doing sites for other non-profit organizations, many of whom are still running older versions of CiviCRM due to budgetary or other constraints, so we wanted to be sure that no one was running a version known to contain security vulnerabilities. Since this seemed like the sort of resource that might be useful to other CiviCRM users, I'm sharing it here.
Of course, the simplest approach is probably just making sure any given client is running the latest release of their particular CiviCRM version (4.3.x, 4.2.x, etc.). But this isn't always reliable (as pointed out by Herb in a comment below), because security fixes are not always applied to older versions (currently, versions prior to 4.2 are not being updated...
IMPORTANT: You do NOT need to upgrade CiviCRM to remove this vulnerability. See "Prevent Attacks: Delete the Vulnerable File" below.
In recent days, multiple site administrators have reported evidence that their sites were attacked using vulnerabilities in the OpenFlashChart library included with prior versions of CiviCRM. This vulnerability was eliminated in the CiviCRM v4.2.6 release (Dec 2012), and site administrators were strongly advised to apply the upgrade. However, as older versions of CiviCRM are still vulnerable, site administrators running outdated versions of CiviCRM should take steps immediately to prevent new attacks and identify past attacks. This blog post provides some background and suggestions.
You can check what version of CiviCRM you are using by looking on any CiviCRM page. The version is displayed at the bottom of the screen (see screenshot...