We are excited to announce the release of 4.4.21 LTS and security releases 4.6.12 and 4.7.1. The latest releases of CiviCRM 4.7 and 4.6 include two moderately critical and one non-critical security fix. A number of other non-security issues have also been fixed in the latest releases.
- CIVI-SA-2016-01: Path disclosure
- CIVI-SA-2016-02: Access bypass
- CIVI-SA-2016-03: Multiple vulnerabilities in DOMPDF
What's New In CiviCRM 4.7
- Administrator Status Page - Provides CiviCRM site administrators with a single place to check configuration issues, including cron status, permissions, optimal system settings, etc.
- Dedupe improvements - Optimizes duplicate contact identification and merging for organizations with large numbers of duplicates.
- Changes to WYSIWYG editor - Incorporates the new CK Configurator directly in CiviCRM, allowing easy selection of plugins and themes.
- Payment processing improvements - Thanks to Eileen for overhauling the payment system to be more reliable and to support token-based recurring payments as well as non-credit card payment methods.
- Many useful improvements to contribution and activity reports.
- API enhancements - The API now supports joins across related entities and filtering by custom fields. Big thanks to johanv for this!
Along with this and other exciting new features, this release includes 10+ fixes and minor improvements.
New Installations
If you are installing CiviCRM 4.7 from scratch, please use the corresponding automated installer instructions:
Authorize.net users: Prior to 4.7, CiviCRM forced Authorize.net to send out receipt emails regardless of Authorize.net configuration. From 4.7 onwards this will not happen, and you should log into your Authorize.net interface and configure whether you want Authorize.net to send out receipts (in addition to those sent by CiviCRM).
Lybunt report users: Some fields that were previously mandatory on Lybunt are now optional. On new reports they are on by default, but you might need to check that the fields you want are selected for existing reports.
Upgrading to 4.7
If your site is highly customized with special code or theming for CiviCRM, you will want to upgrade a test copy first and test your customizations. For everyone else, follow these simple steps to get yourself up and running with 4.7.
Community support and engagement is the force that sustains and drives CiviCRM forward. This release would not have been possible without the incredible contributions of these people and organizations:
AGH Strategies - Andrew Hunt, Tyrell Cook, Nikki Murray; Agileware - Francis Whittle; Andrew West; Aputsiaĸ Niels Janussen; Aron Novak; Backoffice Thinking; Barbara Miller; Borislav Zlatanov; Brian Dombrowski; Caroline Badley; Christian Wach; Charlie DeTar; Circle Interactive - Dave Jenkins; CiviCoop - Jaap Jansma; CiviDesk - Nicolas Ganivet, Sunil Pawar, Virginie Ganivet; Compucorp - Guanhuan Chen, Jamie Novick; Coop SymbioTIC - Mathieu Lutfy, Samuel Vanhove; Dave D; David Hayes; Dhanesh Dhuri; Dmitry Smirnov; Elin Waring; Emphanos LLC - Allen Shaw; Esantanche; Freeform Solutions - Lola Slade, Stephanie Gray, Herb van den Dool; Future First - David Knoll, John Prescott; Fuzion NZ - Chris Burgess, Eileen McNaughton, Peter Davis, Torrance Hodgson; Giant Rabbit - Peter Haight; Ginkgo Street Labs - Frank Gomez, Galata Tona, Michael Daryabeygi, Roshani Kothari, Toby Lounsbury; Jake Martin White; Joanne Chester; Joe McLaughlin; Johan Vervloet; John P Kirk; Joris; JMA Consulting - Joe Murray, Pradeep Nayak, Edsel Lopez; gah242s; Greenleaf Advancement - Guy Iaccarino; K Sneed Consulting - Kate Sneed; Kemal Bay; Ken West; Kevin Levie; Korlon - Stuart Gaston; kreynen; Laryn; Lesley Evensen (zorgalina); Lighthouse Consulting and Design - Brian Shaughnessy; Marty Wright; Matthew Wire; Mattias Michaux; Mohit Aggarwal; National Urban League - Lisa Taliano; Nicholai Burton; Niels Heinemann; New York City Council; New York State Senate - Ken Zalewski; Northbridge Digital - Oliver Gibson; Olaf Buddenhagen; Palante Technology Cooperative - Jon Goldberg, Joseph Lacey, Paul Campbell; Progressive Tech Project - Alice Aguilar, Jamie McClelland; Richard Van Oosterhout; RocXa; Saurabh Batra; Seamus Lee; Seb35; Semper IT - Karin Gerritsen; Shawn Holt; Skvare - Jeremy Proffitt, Peter Petrik; Smiling Heart Enterprises - Neil Planchon; Squiffle Consulting - Aidan Saunders; Stephen Palmstrom; Symbiotic - Mathieu Lutfy, Samuel Vanhove; Systopia - Björn Endres, Niko Bochan; Tadpole - Dana Skallman, Kevin Cristiano; Tech to the People - Xavier Dutoit; Thomas Leichtuss; Tim Mallezie; Torenware Networks - Rob Thorne; University of Cambridge - Alex Corr, John Kingsnorth; Veda Consulting - Parvez Saleh, Deepak Srivastava, Kajan; Wanna Pixel - Nathan Porter, Marisa Porter; Web Access - Rohan Katkar, Sudha Bisht; Wikimedia Foundation - Adam Wight; yurg; zarandras.
It appears that the "fixed versions" on the security advisories are incorrect, since they say everything has been fixed in 4.6.11.
The fixes were released with 4.6.10/4.6.11, but with the 4.6.10 release no email went out to the security notifications list, and with 4.6.11 no mention was made of security content AND no email went out.
This was raised with us by a user who identified that notice hadn't been given. Since these are things we say we will do to help people keep secure, after discussion the security team decided to label 4.6.12 as a security release just to get the word out. That way notifications would arrive on the expected window for those who plan updates.
So yes - some confusion, and our apologies both for the lack of notification initially and the confusing message when attempting to address it within the framework of our scheduled security release process.
I've volunteered to be responsible for tasks like co-ordinating these announcements with the release team in future. So now I officially lead the CiviCRM Security Team! Unto the breach, etc :)
I've just updated the various SA pages to link to patches on Github for those who aren't able to upgrade to the latest release.
Heads up: there's no 4.6.12 listed on the download page: https://civicrm.org/download/list
Thanks! It's been fixed.