The 4.6.11 release of CiviCRM addresses multiple vulnerabilities in DOMPDF, a library used within CiviCRM to generate PDFs.
For more information, see the DOMPDF release notes for DOMPDF v0.6.2.
- CiviCRM before 4.6.11
- CiviCRM 4.6.11 and later
- Upgrade to CiviCRM 4.6.11 or later, OR
- Apply patches from CRM-17733:
  - For 4.4, https://github.com/civicrm/civicrm-packages/pull/136
  - For 4.6+, https://github.com/civicrm/civicrm-core/pull/7478
This issue was reported by Neil Drumm of the Drupal Security Team. The fix was co-ordinated by Tim Otten of CiviCRM, and Chris Burgess of Fuzion Aotearoa.
- https://github.com/dompdf/dompdf/releases/tag/v0.6.2