Released November 20, 2019

Does this version...? | |
---|---|
Fix security vulnerabilities? | yes |
Change the database schema? | no |
Alter the API? | yes |
Require attention to configuration options? | no |
Fix problems installing or upgrading to a previous version? | no |
Introduce features? | no |
Fix bugs? | yes |

- CIVI-SA-2019-19: SQL injection in "dedupefind"
- CIVI-SA-2019-20: Privilege escalation via leaked key
- CIVI-SA-2019-21: PHP object injection via "Saved Search" and "Report Instance" APIs
- CIVI-SA-2019-22: Cross-site scripting in dashboard titles
- CIVI-SA-2019-23: Incorrect storage encoding for APIv4
- CIVIEXT-SA-2019-02: Cross-site scripting in CiviCase v5 extension

- Member Summary Report - Fix filtering by "Member Since" (dev/core#1406: 15894)
- Contribution Search - Fix issue with displaying cancellation date (dev/core#1391: 15893)
- Contribution Search - Fix issue where search criteria were applied inconsistently (dev/core#1374: 15896)
- Additional Payment Form, Payment API - Calculate "Net Amount" automatically. Remove error-prone field from UI. (dev/core#1409: 15889)

This release was developed by the following people, who participated in various stages of reporting, analysis, development, review, and testing:
Alan Dixon of Blackfly Solutions; Coleman Watts of CiviCRM; Daniel Compton of Armadillo Sec Ltd; Dave D; Eileen McNaughton of Wikimedia Foundation; Karin Gerritsen of Semper IT; Kevin Cristiano of Tadpole Collective; Mark Burdett of Electronic Frontier Foundation; Morgan Robinson of Palante Technology Cooperative; Patrick Figel of Greenpeace CEE; Seamus Lee of Australian Greens; Tim Otten of CiviCRM