[civicrm-core.git] / release-notes / 5.35.1.md

# CiviCRM 5.35.1

Released March 17, 2021

- **[Synopsis](#synopsis)**
- **[Bugs resolved](#bugs)**
- **[Credits](#credits)**
- **[Feedback](#feedback)**

## <a name="synopsis"></a>Synopsis

| *Does this version...?*                                         |          |
| --------------------------------------------------------------- | -------- |
| Change the database schema?                                     | no       |
| Alter the API?                                                  | no       |
| Require attention to configuration options?                     | no       |
| **Fix problems installing or upgrading to a previous version?** | **yes**  |
| Introduce features?                                             | no       |
| **Fix bugs?**                                                   | **yes**  |

## <a name="security"></a>Security advisories

- **[CIVI-SA-2021-01](https://civicrm.org/advisory/civi-sa-2021-01-reflected-cross-site-scripting-uploaded-csvs)**: Reflected Cross Site Scripting via Uploaded CSVs
- **[CIVI-SA-2021-02](https://civicrm.org/advisory/civi-sa-2021-02-web-executable-utility-scripts)**: Web Executable Utility Scripts
- **[CIVI-SA-2021-03](https://civicrm.org/advisory/civi-sa-2021-03-cross-site-scripting-manage-extensions)**: Cross Site Scripting in "Manage Extensions"
- **[CIVI-SA-2021-04](https://civicrm.org/advisory/civi-sa-2021-04-cross-site-scripting-apiv4-explorer)**: Cross Site Scripting in the APIv4 Explorer
- **[CIVI-SA-2021-05](https://civicrm.org/advisory/civi-sa-2021-05-reflected-cross-site-scripting-personal-campaign-pages)**: Reflected Cross Site Scripting in Personal Campaign Pages
- **[CIVI-SA-2021-06](https://civicrm.org/advisory/civi-sa-2021-06-timing-attacks-against-site-key)**: Timing Attacks Against the Site Key
- **[CIVI-SA-2021-07](https://civicrm.org/advisory/civi-sa-2021-07-sql-injection-joomla-user-integration)**: SQL injection in Joomla user integration

## <a name="bugs"></a>Bugs resolved

* **_CiviCampaign_: Fix error when reserving respondents for a survey ([#19811](https://github.com/civicrm/civicrm-core/pull/19811))**
* **_Upgrader_: Fix handling of "group_title" in certain upgrade-paths ([dev/translation#58](https://lab.civicrm.org/dev/translation/-/issues/58): [#19740](https://github.com/civicrm/civicrm-core/pull/19740))**
* **_D8 / Asset Builder_: Fail gracefully when certain resources cannot be generted ([dev/core#2137](https://lab.civicrm.org/dev/core/-/issues/2137): [#18830](https://github.com/civicrm/civicrm-core/pull/18830))**

  A common misconfiguration on Drupal 8+ is to omit `enable-patching`. This currently manifests as an error about `crm-menubar.css`. The change does not fix the misconfiguration, but it makes the error more manageable.

## <a name="credits"></a>Credits

Special support from Deutsche Gesellschaft für Internationale Zusammenarbeit
GmbH contributed significantly to this release and other contemporaneous
security improvements.

This release was developed by the following authors and reviewers:

Wikimedia Foundation - Eileen McNaughton; Stephen Palmstrom; Semper IT - Karin
Gerritsen; Progressive Technology Project - Jamie McClelland; Megaphone Technology
Consulting - Jon Goldberg; MJW Consulting - Matthew Wire; MJCO - Mikey O'Toole; JMA
Consulting - Seamus Lee, Monish Deb; Fuzion - Luke Stewart; Dmitry Smirnov; Dave D;
CiviCRM - Tim Otten, Coleman Watts; Circle Interactive - Pradeep Nayak; Blackfly
Solutions - Alan Dixon; Artful Robot - Rich Lott; AGH Strategies - Andrew Hunt

## <a name="feedback"></a>Feedback

These release notes are edited by Tim Otten and Andrew Hunt.  If you'd like to
provide feedback on them, please login to https://chat.civicrm.org/civicrm and
contact `@agh1`.
Commit	Line	Data
6699cc13 TO	1	# CiviCRM 5.35.1
	2
	3	Released March 17, 2021
	4
	5	- [Synopsis](#synopsis)
	6	- [Bugs resolved](#bugs)
	7	- [Credits](#credits)
	8	- [Feedback](#feedback)
	9
	10	## <a name="synopsis"></a>Synopsis
	11
	12	\| Does this version...? \| \|
	13	\| --------------------------------------------------------------- \| -------- \|
	14	\| Change the database schema? \| no \|
	15	\| Alter the API? \| no \|
	16	\| Require attention to configuration options? \| no \|
	17	\| Fix problems installing or upgrading to a previous version? \| yes \|
	18	\| Introduce features? \| no \|
	19	\| Fix bugs? \| yes \|
	20
	21	## <a name="security"></a>Security advisories
	22
	23	- [CIVI-SA-2021-01](https://civicrm.org/advisory/civi-sa-2021-01-reflected-cross-site-scripting-uploaded-csvs): Reflected Cross Site Scripting via Uploaded CSVs
	24	- [CIVI-SA-2021-02](https://civicrm.org/advisory/civi-sa-2021-02-web-executable-utility-scripts): Web Executable Utility Scripts
	25	- [CIVI-SA-2021-03](https://civicrm.org/advisory/civi-sa-2021-03-cross-site-scripting-manage-extensions): Cross Site Scripting in "Manage Extensions"
	26	- [CIVI-SA-2021-04](https://civicrm.org/advisory/civi-sa-2021-04-cross-site-scripting-apiv4-explorer): Cross Site Scripting in the APIv4 Explorer
	27	- [CIVI-SA-2021-05](https://civicrm.org/advisory/civi-sa-2021-05-reflected-cross-site-scripting-personal-campaign-pages): Reflected Cross Site Scripting in Personal Campaign Pages
	28	- [CIVI-SA-2021-06](https://civicrm.org/advisory/civi-sa-2021-06-timing-attacks-against-site-key): Timing Attacks Against the Site Key
	29	- [CIVI-SA-2021-07](https://civicrm.org/advisory/civi-sa-2021-07-sql-injection-joomla-user-integration): SQL injection in Joomla user integration
	30
	31	## <a name="bugs"></a>Bugs resolved
	32
	33	* _CiviCampaign_: Fix error when reserving respondents for a survey ([#19811](https://github.com/civicrm/civicrm-core/pull/19811))
	34	* _Upgrader_: Fix handling of "group_title" in certain upgrade-paths ([dev/translation#58](https://lab.civicrm.org/dev/translation/-/issues/58): [#19740](https://github.com/civicrm/civicrm-core/pull/19740))
	35	* _D8 / Asset Builder_: Fail gracefully when certain resources cannot be generted ([dev/core#2137](https://lab.civicrm.org/dev/core/-/issues/2137): [#18830](https://github.com/civicrm/civicrm-core/pull/18830))
	36
	37	A common misconfiguration on Drupal 8+ is to omit `enable-patching`. This currently manifests as an error about `crm-menubar.css`. The change does not fix the misconfiguration, but it makes the error more manageable.
	38
	39	## <a name="credits"></a>Credits
	40
	41	Special support from Deutsche Gesellschaft für Internationale Zusammenarbeit
	42	GmbH contributed significantly to this release and other contemporaneous
	43	security improvements.
	44
	45	This release was developed by the following authors and reviewers:
	46
	47	Wikimedia Foundation - Eileen McNaughton; Stephen Palmstrom; Semper IT - Karin
	48	Gerritsen; Progressive Technology Project - Jamie McClelland; Megaphone Technology
	49	Consulting - Jon Goldberg; MJW Consulting - Matthew Wire; MJCO - Mikey O'Toole; JMA
	50	Consulting - Seamus Lee, Monish Deb; Fuzion - Luke Stewart; Dmitry Smirnov; Dave D;
	51	CiviCRM - Tim Otten, Coleman Watts; Circle Interactive - Pradeep Nayak; Blackfly
	52	Solutions - Alan Dixon; Artful Robot - Rich Lott; AGH Strategies - Andrew Hunt
	53
	54	## <a name="feedback"></a>Feedback
	55
	56	These release notes are edited by Tim Otten and Andrew Hunt. If you'd like to
	57	provide feedback on them, please login to https://chat.civicrm.org/civicrm and
	58	contact `@agh1`.