The latest release of CiviCRM 4.6 and 4.7 includes security fixes. We recommend upgrading to 4.7.7 or 4.6.16 to ensure the security of your site and data. The latest releases include 2 moderately critical fixes. A number of other non-security issues have also been fixed in the latest releases.
- CIVI-SA-2016-08: Persistent XSS in CiviCRM backend
- CIVI-SA-2016-07: SQL Injections in AJAX callbacks
Community support and engagement is the force that sustains and drives CiviCRM forward. This release would not have been possible without the incredible contributions of many people. For the May 4th release, special thanks go to:
- Mattias Michaux, Seamus Lee, and Dave Jenkins for their conscientious work on time-sensitive security issues.
- Eileen McNaughton, Chris Burgess, Jon Goldberg, Nate Haug, and members of the core team (Coleman Watts, Jitendra Purohit, Monish Deb, Tim Otten, Yashodha Chaku) who participated in peer-review and testing (in addition to their regular development work).
- To all the other developers who contributed improvements to this revision, including: Allen Shaw, Andrew Perry, Andy Walker, Arit Kumar Nath, Aron Novak, Brian Shaughnessy, Geoff St Pierre, Herb van den Dool, Joanne Chester, Johan Vervloet, John Kingsnorth, John Kirk, Joseph Lacey, Karin Gerritsen, Ken West, Laryn Kragt Bakker, Mathieu Lutfy, Omar Abu Hussein, Rohan Katkar, Saurabh Batra, Spencer Brooks, Stephen Palmstrom, Tim Mallezie, Tomasz Pietrzkowski, Torrance Hodgson.
For a list of other contributors who have participated in the 4.7 cycle, see the previous release announcements.
What's New In CiviCRM 4.7
- Administrator Status Page - Provides CiviCRM site administrators a single place to check configuration issues including cron status, permissions, optimal system settings, etc.
- Dedupe improvements - Optimizes duplicate contact identification and merging for organizations with large numbers of duplicates.
- Changes to WYSIWYG editor - Incorporates the new CK Configurator directly in CiviCRM, allowing easy selection of plugins and themes.
- Payment processing improvements - Thanks to Eileen for overhauling the payment system to be more reliable and to support token-based recurring payments as well as non-credit card payment methods.
- Many useful improvements to contribution and activity reports.
- API enhancements - The API now supports joins across related entities and filtering by custom fields. Big thanks to johanv for this!
Along with this and other exciting new features, this release includes 50+ fixes and minor improvements.
If you are installing CiviCRM 4.7 from scratch, please use the corresponding automated installer instructions:
Authorize.net users: Prior to 4.7, CiviCRM forced Authorize.net to send out receipt emails regardless of Authorize.net configuration. From 4.7 onwards this will not happen, and you should log into your Authorize.net interface and configure whether you want Authorize.net to send out receipts (in addition to those sent by CiviCRM).
Lybunt report users: Some fields that were previously mandatory on Lybunt are now optional. On new reports they are on by default, but for existing reports you might need to check that the fields you want are selected.
Upgrading to 4.7
If your site is highly customized with special code or theming for CiviCRM, you will want to upgrade a test copy first and test your customizations. For everyone else, follow these simple steps to get yourself up and running with 4.7.
I am interested in the Payment Processing Improvements but the link above does not display anything useful. Maybe the link is broken.