Security Releases: 4.4.7, 4.3.9, 4.2.19

2014-09-17 12:27
Written by

There has been a security advisory for CiviCRM. We recommend you immediately upgrade to one of the following versions:

Read the security advisories for details:

To receive future CiviCRM security notices, subscribe to notifications.

In addition, CiviCRM 4.4.7 contains 40+ fixes, making it the most stable version of 4.4 available. Upgrading now can save you a lot of troubleshooting later.

» View all issues fixed in the 4.4.7 release.

4.2 LTS Regression Advisory

The latest version of the 4.2 LTS fixes a security hole but contains a regression that affects individuals filling in contribution pages on behalf of organisations IF they have more than one employer.  If they make an error in filling out the form, the form they see as a result contains fields for each employer.

We recommend you upgrade to secure your site. If this edge case affects your organisation you should look at upgrading directly to 4.4 or contract someone to work further on this. The 4.4 patch is complex & the code involved has changed between versions and the 4.2 LTS is now winding down - hence we were not able to secure the LTS without this edge case regression within the amount of time people were prepared to donate.


CiviCRM 4.4 is compatible with:

  • Drupal 7
  • Drupal 6 (community supported)
  • Joomla 2.5 & 3.0
  • Wordpress 3.4 and higher

New Installations

If you are installing CiviCRM 4.4 from scratch, please use the corresponding automated installer instructions:

Upgrading to 4.4

If your site is highly customized with special code or theming for CiviCRM you will want to upgrade a test copy first and test your customizations. For everyone else, follow these simple steps to get yourself up and running with 4.4.


Community support and engagement is the force that sustains and drives CiviCRM forward. This release would not have been possible without the incredible contributions of these people and organizations:

AGH Strategies - Andrew Hunt; Backoffice Thinking; Chris Burgess; Circle Interactive - Andrew Walker, Dave Moreton; CiviDesk - Nicolas Ganivet; CiviHosting - Hershel Robinson; Community Builders; Compucorp - Jamie Novick, Erawat Chamanont; Confluence - Frank Gomez, Michael Daryabeygi; Dave D; CiviCoop - Erik Hommel; Drupal Association - Neil Drumm; Electronic Frontier Foundation - Micah Lee, Kellie Brownell; Emphanos - Allen Shaw; Fuzion NZ - Eileen McNaughton, Peter Davis, Torrance Hodgeson; Giant Rabbit- Anna Heath; Jim Meehan; JMA Consulting - Joe Murray; Keith Morgan; Ken West; Korlon - Stuart Gaston; Koumbit - Samuel Vanhove; Lighthouse Consulting and Design - Brian Shaughnessy; Mathieu Lutfy; National Democratic Institute - Chris Doten; New York State Senate - Ken Zalewski; NfP Services (MTL Software Group) - Jag Kandasamy, Rajesh Sundararajan; Niro Solutions; Noah Miller; Orgis - Hans Idink; Palante Technology Cooperative - Jon Goldberg; Progressive Tech Project - Alice Aguilar, Jamie McClelland; Paul Delbar; Registered Nurses Association of Ontario; San Francisco Baykeeper - Eliet Henderson; Tadpole - Dana Skall; Tallyfox; Tech to the People - Xavier Dutoit; Third Sector Design; Veda Consulting - Parvez Saleh; Web Access - Pradeep Nayak; Wikimedia Foundation - Adam Wight; Zing - Simon West, Andrew Tombs, CiviDesk - Nicolas Ganivet.


Yay - good to see so many fixes in 4.4.7 too - we've been deploying these fixes on our site pretty much as they've been going into core (or before) & have been enjoying the increasing reliability of 4.4