[civicrm-core.git] / release-notes / 5.28.1.md

# CiviCRM 5.28.1

Released August 19, 2020

- **[Security advisories](#security)**
- **[Bugs Resolved](#bugs)**
- **[Credits](#credits)**

## <a name="synopsis"></a>Synopsis

| *Does this version...?*                                         |         |
|:--------------------------------------------------------------- |:-------:|
| **Fix security vulnerabilities?**                               | **yes** |
| Change the database schema?                                     |   no    |
| Alter the API?                                                  |   no    |
| Require attention to configuration options?                     |   no    |
| Fix problems installing or upgrading to a previous version?     |   no    |
| Introduce features?                                             |   no    |
| **Fix bugs?**                                                   | **yes** |

## <a name="security"></a>Security advisories

- **[CIVI-SA-2020-09](https://civicrm.org/advisory/civi-sa-2020-09-privilege-escalation-acl-smart-groups): Privilege Escalation via Smart Groups**
- **[CIVI-SA-2020-10](https://civicrm.org/advisory/civi-sa-2020-10-cross-site-scripting-activity-details): Cross Site Scripting in Activity Details**
- **[CIVI-SA-2020-11](https://civicrm.org/advisory/civi-sa-2020-11-csrf-ckeditor-configuration-form): CSRF on CKEditor Configuration**
- **[CIVI-SA-2020-12](https://civicrm.org/advisory/civi-sa-2020-12-xss-ckeditor-configuration): XSS in CKEditor Configuration**
- **[CIVI-SA-2020-13](https://civicrm.org/advisory/civi-sa-2020-13-xss-event-summary): XSS in Event Summary**
- **[CIVI-SA-2020-14](https://civicrm.org/advisory/civi-sa-2020-14-xss-profile-description-field): XSS in Profile Description**
- **[CIVI-SA-2020-15](https://civicrm.org/advisory/civi-sa-2020-15-persistent-xss-contact-activity-tab): Persistant XSS in Contact Activity Tab**
- **[CIVI-SA-2020-16](https://civicrm.org/advisory/civi-sa-2020-16-jquery-security-update-cve-2020-11022-cve-2020-11023): jQuery CVE-202-11022, CVE-2020-11023**
- **[CIVI-SA-2020-17](https://civicrm.org/advisory/civi-sa-2020-17-harden-session-private-key): Harden Per-Session Private Key**
- **[CIVI-SA-2020-18](https://civicrm.org/advisory/civi-sa-2020-18-html-injection-through-error-message): HTML Injection via Error Message**
- **[CIVI-SA-2020-19](https://civicrm.org/advisory/civi-sa-2020-19-edit-permission-recurring-contributions): Edit Permission for Recurring Contributions**

## <a name="bugs"></a>Bugs Resolved

* **_Activities_: Exporting all activities from a "Find Activity" search as an ACLed user causes DB error ([dev/core#1952](https://lab.civicrm.org/dev/core/-/issues/1952):
  [#18017](https://github.com/civicrm/civicrm-core/pull/18017))**
* **_CiviContribute_: Receipts display unlabeled price options as "null" ([dev/core#1936](https://lab.civicrm.org/dev/core/-/issues/1936):
  [#18124](https://github.com/civicrm/civicrm-core/pull/18124))**
* **_CiviContribute_: Credit card fields are required even when the amount is 0 ([dev/core#1953](https://lab.civicrm.org/dev/core/-/issues/1953):
  [#18144](https://github.com/civicrm/civicrm-core/pull/18144), [#16163](https://github.com/civicrm/civicrm-core/pull/16163), [#18166](https://github.com/civicrm/civicrm-core/pull/16166))**
* **_Dedupe_: Merging contacts with certain "Settings" produces error ([dev/core#1934](https://lab.civicrm.org/dev/core/-/issues/1934):
  [#18126](https://github.com/civicrm/civicrm-core/pull/18126))**

## <a name="credits"></a>Credits

This release was developed by the following people, who participated in
various stages of reporting, analysis, development, review, and testing:

Ben Hubbard - Armadillo Security; Coleman Watts - CiviCRM; Cure53; Dave D;
Dennis Brinkrolf - RIPS Technologies; Eileen McNaughton - Wikipedia
Foundation; Jamie Novick - Compucorp; Jens Schuppe; Jude Hungerford - Asylum
Seekers Center; Karin Gerritsen - Semper IT; Kevin Cristiano - Tadpole
Collective; Mark Rogers; Mozilla Open Source Support (MOSS); Patrick Figel -
Greenpeace CEE; Pradeep Nayak - Circle Interactive; Rich Lott - Artful
Robot; Seamus Lee - CiviCRM and JMA Consulting; Sean Colsen - Left Join
Labs; Shitij Gugnai - Compucorp; Tim Otten - CiviCRM
Commit	Line	Data
c260ed5e SL	1	# CiviCRM 5.28.1
	2
	3	Released August 19, 2020
	4
	5	- [Security advisories](#security)
	6	- [Bugs Resolved](#bugs)
	7	- [Credits](#credits)
	8
	9	## <a name="synopsis"></a>Synopsis
	10
	11	\| Does this version...? \| \|
	12	\|:--------------------------------------------------------------- \|:-------:\|
	13	\| Fix security vulnerabilities? \| yes \|
	14	\| Change the database schema? \| no \|
	15	\| Alter the API? \| no \|
	16	\| Require attention to configuration options? \| no \|
	17	\| Fix problems installing or upgrading to a previous version? \| no \|
	18	\| Introduce features? \| no \|
8576f7a6	19	\| Fix bugs? \| yes \|
c260ed5e SL	20
	21	## <a name="security"></a>Security advisories
	22
8576f7a6	23	- [CIVI-SA-2020-09](https://civicrm.org/advisory/civi-sa-2020-09-privilege-escalation-acl-smart-groups): Privilege Escalation via Smart Groups
c260ed5e SL	24	- [CIVI-SA-2020-10](https://civicrm.org/advisory/civi-sa-2020-10-cross-site-scripting-activity-details): Cross Site Scripting in Activity Details
	25	- [CIVI-SA-2020-11](https://civicrm.org/advisory/civi-sa-2020-11-csrf-ckeditor-configuration-form): CSRF on CKEditor Configuration
	26	- [CIVI-SA-2020-12](https://civicrm.org/advisory/civi-sa-2020-12-xss-ckeditor-configuration): XSS in CKEditor Configuration
	27	- [CIVI-SA-2020-13](https://civicrm.org/advisory/civi-sa-2020-13-xss-event-summary): XSS in Event Summary
	28	- [CIVI-SA-2020-14](https://civicrm.org/advisory/civi-sa-2020-14-xss-profile-description-field): XSS in Profile Description
	29	- [CIVI-SA-2020-15](https://civicrm.org/advisory/civi-sa-2020-15-persistent-xss-contact-activity-tab): Persistant XSS in Contact Activity Tab
	30	- [CIVI-SA-2020-16](https://civicrm.org/advisory/civi-sa-2020-16-jquery-security-update-cve-2020-11022-cve-2020-11023): jQuery CVE-202-11022, CVE-2020-11023
8576f7a6	31	- [CIVI-SA-2020-17](https://civicrm.org/advisory/civi-sa-2020-17-harden-session-private-key): Harden Per-Session Private Key
c260ed5e	32	- [CIVI-SA-2020-18](https://civicrm.org/advisory/civi-sa-2020-18-html-injection-through-error-message): HTML Injection via Error Message
8576f7a6	33	- [CIVI-SA-2020-19](https://civicrm.org/advisory/civi-sa-2020-19-edit-permission-recurring-contributions): Edit Permission for Recurring Contributions
c260ed5e SL	34
	35	## <a name="bugs"></a>Bugs Resolved
	36
8576f7a6 TO	37	* **_Activities_: Exporting all activities from a "Find Activity" search as an ACLed user causes DB error ([dev/core#1952](https://lab.civicrm.org/dev/core/-/issues/1952):
	38	[#18017](https://github.com/civicrm/civicrm-core/pull/18017))**
	39	* **_CiviContribute_: Receipts display unlabeled price options as "null" ([dev/core#1936](https://lab.civicrm.org/dev/core/-/issues/1936):
c260ed5e	40	[#18124](https://github.com/civicrm/civicrm-core/pull/18124))**
8576f7a6	41	* **_CiviContribute_: Credit card fields are required even when the amount is 0 ([dev/core#1953](https://lab.civicrm.org/dev/core/-/issues/1953):
c260ed5e	42	[#18144](https://github.com/civicrm/civicrm-core/pull/18144), [#16163](https://github.com/civicrm/civicrm-core/pull/16163), [#18166](https://github.com/civicrm/civicrm-core/pull/16166))**
8576f7a6	43	* **_Dedupe_: Merging contacts with certain "Settings" produces error ([dev/core#1934](https://lab.civicrm.org/dev/core/-/issues/1934):
c260ed5e	44	[#18126](https://github.com/civicrm/civicrm-core/pull/18126))**
c260ed5e SL	45
	46	## <a name="credits"></a>Credits
	47
	48	This release was developed by the following people, who participated in
	49	various stages of reporting, analysis, development, review, and testing:
	50
8576f7a6 TO	51	Ben Hubbard - Armadillo Security; Coleman Watts - CiviCRM; Cure53; Dave D;
	52	Dennis Brinkrolf - RIPS Technologies; Eileen McNaughton - Wikipedia
	53	Foundation; Jamie Novick - Compucorp; Jens Schuppe; Jude Hungerford - Asylum
	54	Seekers Center; Karin Gerritsen - Semper IT; Kevin Cristiano - Tadpole
	55	Collective; Mark Rogers; Mozilla Open Source Support (MOSS); Patrick Figel -
	56	Greenpeace CEE; Pradeep Nayak - Circle Interactive; Rich Lott - Artful
	57	Robot; Seamus Lee - CiviCRM and JMA Consulting; Sean Colsen - Left Join
	58	Labs; Shitij Gugnai - Compucorp; Tim Otten - CiviCRM