Extended Security Release Update

Published
2018-12-02 07:27
Written by

[Figure: CiviCRM Users by Version, a chart of CiviCRM versions in use]
CiviCRM version 5.8 will ship soon and, as we indicated previously, version 5.7 will continue on as the 'Extended Security Release (ESR)'. What does this mean for anyone not using the latest stable version of CiviCRM (i.e. the monthly upgrades)? For users on CiviCRM 4.6 and 4.7, it means that these versions will no longer be officially supported. Or, in less technical terms, they are "end of life". So, for the roughly 3,700 organizations using 4.6 or 4.7, now would be a good time to either upgrade to the latest stable version, or subscribe to ESR and upgrade to version 5.7.

For those using CiviCRM 4.6 in particular, you're running a version that only supports PHP 5.6, which itself reaches official end of life at the end of December.

Any host that upgrades your PHP beyond 5.6 (to, say, 7.2) will cause CiviCRM to stop working. Needless to say, you have extra incentive to upgrade.

What about users on CiviCRM 5.3, the version with the last security release applied? We'd encourage you to upgrade as well, though it perhaps feels less critical to most. I mean, it did receive the last security update (though it's no longer receiving bug fixes), right? To be clear though, the next security release could come at any time. That's the nature of security after all... you find a vulnerability, assess the risk, and if it warrants, you push out a fix asap. What happens when a new security update is released? Well, CiviCRM 5.3 won't receive the update, and you'll remain vulnerable if you don't upgrade.

No better time to upgrade...

December is here, and the days are moving fast. Older versions of CiviCRM are end of life, so we encourage you to have a plan to upgrade, whether to the latest stable release or to the Extended Security Release (ESR). For those wanting to stay on the same version of CiviCRM for longer, ESR is the best option going forward. More info on ESR can be found here: https://civicrm.org/esr

Comments

Just to push back a little on this - I think if a site is on 5.3 that's fine - as long as they are comfortable upgrading to the next security release as soon as it comes out - for most 5.3 users the upgrade from 5.3 to 5.7.5 or 5.9.2 or whatever they upgrade to when they do their next security update will be a fairly minor exercise (of course that might also be an argument to upgrade now, as there are definitely bug fixes in later versions that are not in 5.3). Upgrading from 5.3 to 5.7 (or 5.8, which will be out later in the week) is a point version upgrade in the same way upgrading from 4.6.17 to 4.6.28 was.

Obviously sites on 4.7 are not secure and they should upgrade ASAP. Sites on 4.6 are likely to have convoluted custom code and they should be getting themselves onto a 5.x version so that any related issues are dealt with well in advance of an urgent security update.

I also want to push back a little. A CRM upgrade process could be a lot of work because one needs to test all the primary processes which are managed in the CRM. Also, a lot of organisations using CiviCRM are fundraising organisations, which means that December is the busiest month of the year for those organisations, so December is the wrong period to do an upgrade.

"one needs to test all the primary processes which are managed in the CRM" - I'd probably change the word 'needs' to 'may need to'.

We (WMF) have been very careful about how we integrate with CiviCRM and we have invested in really good unit test coverage - so when we next upgrade we will be upgrading by about 4 minor releases and we won't do any testing other than passing the new code through our unit tests. (I would say we did test all primary processes when upgrading from 4.2 to 4.6 & we tested a small subset upgrading from 4.6 to 4.7, but since then we don't really.)