# CiviCRM 5.35.1

Released March 17, 2021

- **[Synopsis](#synopsis)**
- **[Bugs resolved](#bugs)**
- **[Credits](#credits)**
- **[Feedback](#feedback)**

## <a name="synopsis"></a>Synopsis

| *Does this version...?*                                         |          |
| --------------------------------------------------------------- | -------- |
| Change the database schema?                                     | no       |
| Alter the API?                                                  | no       |
| Require attention to configuration options?                     | no       |
| **Fix problems installing or upgrading to a previous version?** | **yes**  |
| Introduce features?                                             | no       |
| **Fix bugs?**                                                   | **yes**  |

## <a name="security"></a>Security advisories

- **[CIVI-SA-2021-01](https://civicrm.org/advisory/civi-sa-2021-01-reflected-cross-site-scripting-uploaded-csvs)**: Reflected Cross Site Scripting via Uploaded CSVs
- **[CIVI-SA-2021-02](https://civicrm.org/advisory/civi-sa-2021-02-web-executable-utility-scripts)**: Web Executable Utility Scripts
- **[CIVI-SA-2021-03](https://civicrm.org/advisory/civi-sa-2021-03-cross-site-scripting-manage-extensions)**: Cross Site Scripting in "Manage Extensions"
- **[CIVI-SA-2021-04](https://civicrm.org/advisory/civi-sa-2021-04-cross-site-scripting-apiv4-explorer)**: Cross Site Scripting in the APIv4 Explorer
- **[CIVI-SA-2021-05](https://civicrm.org/advisory/civi-sa-2021-05-reflected-cross-site-scripting-personal-campaign-pages)**: Reflected Cross Site Scripting in Personal Campaign Pages
- **[CIVI-SA-2021-06](https://civicrm.org/advisory/civi-sa-2021-06-timing-attacks-against-site-key)**: Timing Attacks Against the Site Key
- **[CIVI-SA-2021-07](https://civicrm.org/advisory/civi-sa-2021-07-sql-injection-joomla-user-integration)**: SQL injection in Joomla user integration

## <a name="bugs"></a>Bugs resolved

* **_CiviCampaign_: Fix error when reserving respondents for a survey ([#19811](https://github.com/civicrm/civicrm-core/pull/19811))**
* **_Upgrader_: Fix handling of "group_title" in certain upgrade-paths ([dev/translation#58](https://lab.civicrm.org/dev/translation/-/issues/58): [#19740](https://github.com/civicrm/civicrm-core/pull/19740))**
* **_D8 / Asset Builder_: Fail gracefully when certain resources cannot be generated ([dev/core#2137](https://lab.civicrm.org/dev/core/-/issues/2137): [#18830](https://github.com/civicrm/civicrm-core/pull/18830))**

  A common misconfiguration on Drupal 8+ is to omit `enable-patching`. This currently manifests as an error about `crm-menubar.css`. The change does not fix the misconfiguration, but it makes the error more manageable.

## <a name="credits"></a>Credits

Special support from Deutsche Gesellschaft für Internationale Zusammenarbeit
GmbH contributed significantly to this release and other contemporaneous
security improvements.

This release was developed by the following authors and reviewers:

Wikimedia Foundation - Eileen McNaughton; Stephen Palmstrom; Semper IT - Karin
Gerritsen; Progressive Technology Project - Jamie McClelland; Megaphone Technology
Consulting - Jon Goldberg; MJW Consulting - Matthew Wire; MJCO - Mikey O'Toole; JMA
Consulting - Seamus Lee, Monish Deb; Fuzion - Luke Stewart; Dmitry Smirnov; Dave D;
CiviCRM - Tim Otten, Coleman Watts; Circle Interactive - Pradeep Nayak; Blackfly
Solutions - Alan Dixon; Artful Robot - Rich Lott; AGH Strategies - Andie Hunt

## <a name="feedback"></a>Feedback

These release notes are edited by Tim Otten and Andie Hunt. If you'd like to
provide feedback on them, please log in to https://chat.civicrm.org/civicrm and
contact `@agh1`.