SECURITY Release: CiviCRM 4.3.4
Today marks the 5th stable release of CiviCRM 4.3. The CiviCRM community has truly rallied to make 4.3 the most reliable and feature-rich version yet - over 60 people contributed patches and testing to 4.3.4 alone.
This is a security release. You should upgrade your site immediately. If you are unable to do so, read the following security bulletins for alternate instructions for securing your site:
SECURITY Fixes in 4.3.4:
- CIVI-SA-2013-002 - OpenFlashChart XSS
- CIVI-SA-2013-003 - Custom Search Permissions
- CIVI-SA-2013-004 - Limited SQL Injection via Quick Search API
- CIVI-SA-2013-005 - Smarty XSS
- CIVI-SA-2013-006 - html2text PHP code execution
Noteworthy Bug Fixes in 4.3.4:
- Fixed 'Create user record' in Drupal 6
- Creating new financial type without AR account leads to unbalanced transactions
- CiviCase behaviour when deleting clients from the database
- Total_Amount field is incorrectly recorded as 0 for repeating credit card contribs
- Quick Search Showing on Front End
Other Enhancements to 4.3.4:
CiviCRM is free, open source software made possible through contributions from people like you. If your organization benefits from using CiviCRM AND from the great new features in this release, please consider making a recurring contribution to support the project.
CiviCRM is more compatible than ever. This version has been tested to run with:
- Drupal 7
- Drupal 6 (community supported)
- Joomla 2.5
- WordPress 3.4 and higher
If you are installing CiviCRM 4.3 from scratch, please use the corresponding automated installer instructions:
Upgrading to 4.3
If your site is highly customized with special code or theming for CiviCRM, you will want to upgrade a test copy first and test your customizations. For everyone else, follow these simple steps to get yourself up and running with 4.3.
Community support and engagement is the force that sustains and drives CiviCRM forward. This release would not have been possible without the incredible contributions of these people and organizations:
AGH Strategies - Andrew Hunt; Backoffice Thinking; Chris Burgess; Circle Interactive - Andrew Walker, Dave Moreton; CiviDesk - Nicolas Ganivet; CiviHosting - Hershel Robinson; Community Builders; Compucorp; Confluence - Frank Gomez; Dave D; EE-atWork - Erik Hommel; Electronic Frontier Foundation - Micah Lee, Kellie Brownell; Emphanos - Allen Shaw; Fuzion NZ - Eileen McNaughton, Peter Davis, Torrance Hodgeson; Jim Meehan; JMA Consulting - Joe Murray; Keith Morgan; Ken West; Korlon - Stuart Gaston; Koumbit - Samuel Vanhove; Lighthouse Consulting and Design - Brian Shaughnessy; Mathieu Lutfy; New York State Senate - Ken Zalewski; NfP Services (MTL Software Group) - Jag Kandasamy, Rajesh Sundararajan; Niro Solutions; Noah Miller; Palante Technology Cooperative - Jon Goldberg; Progressive Tech Project - Alice Aguilar, Jamie McClelland; Paul Delbar; Registered Nurses Association of Ontario; San Francisco Baykeeper - Eliet Henderson; Tech to the People - Xavier Dutoit; Third Sector Design; Veda Consulting - Parvez Saleh; Web Access - Pradeep Nayak; Zing - Simon West, Andrew Tombs.