| Fix security vulnerabilities? | no |
| **Change the database schema?** | **yes** |
| **Alter the API?** | **yes** |
-| Require attention to configuration options? | no |
+| **Require attention to configuration options?** | **yes** |
| **Fix problems installing or upgrading to a previous version?** | **yes** |
| **Introduce features?** | **yes** |
| **Fix bugs?** | **yes** |
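
Review bot: The "Fix security vulnerabilities?" row at the top of this table is left at "no", but the same patch adds a Core CiviCRM entry for the jquery.validate.js update that cites CVE-2021-21252 and describes it as security hardening. Either flip that row to match, or say in the CVE entry why it does not count as a security fix for this table, so that readers who only scan the synopsis are not misled. Flipping "Require attention to configuration options?" to yes is consistent with the new `CIVICRM_CRED_KEYS` paragraph.
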
### Core CiviCRM
-- **Re-Thinking our Crypto implementation (Work Towards
- [dev/core#2258](https://lab.civicrm.org/dev/core/-/issues/2258):
+- **Re-Thinking our Crypto implementation
+ ([dev/core#2258](https://lab.civicrm.org/dev/core/-/issues/2258):
+ [19236](https://github.com/civicrm/civicrm-core/pull/19236),
+ [19251](https://github.com/civicrm/civicrm-core/pull/19251),
+ [19239](https://github.com/civicrm/civicrm-core/pull/19239),
+ [19349](https://github.com/civicrm/civicrm-core/pull/19349),
[237](https://github.com/civicrm/civicrm-wordpress/pull/237),
[57](https://github.com/civicrm/civicrm-joomla/pull/57),
- [19349](https://github.com/civicrm/civicrm-core/pull/19349),
[125](https://github.com/civicrm/civicrm-backdrop/pull/125),
- [19239](https://github.com/civicrm/civicrm-core/pull/19239),
- [19251](https://github.com/civicrm/civicrm-core/pull/19251),
- [19236](https://github.com/civicrm/civicrm-core/pull/19236) and
- [635](https://github.com/civicrm/civicrm-drupal/pull/635))**
+ [635](https://github.com/civicrm/civicrm-drupal/pull/635), and
+ [57](https://github.com/civicrm/civicrm-drupal-8/pull/57))**
+
+ This adds a new framework for encrypting setting values that are stored in the
+ database. An encryption key is defined upon installation, and the key can be
+ rotated using APIv4. Keys can also be managed with a new
+ `hook_civicrm_crypto`. The system allows for old keys to be retained for
+ decrypting old values even as a new key is used for encrypting new ones.
- Work Towards rethinking the Crypto implementation specifically by:
+ The only setting that is changed at this point is the SMTP password, as that
+ was the only setting in core encrypted with `CRM_Utils_Crypt`. However, this
+ framework is available for extensions and will likely be adopted for other
+ sensitive settings.
- - Defining CIVICRM_CRED_KEYS during installation.
- - Adding an API and hook to rotate keys for encrypted fields.
- - Adding services to support encryption.
- - Reading + writing the SMTP password using 'crypto.token'.
+ You may optionally configure `CIVICRM_CRED_KEYS` in `civicrm.settings.php`
+ upon upgrade. Sites that define `smtpPassword` in their
+ `civicrm.settings.php` file may need to update the value. See
+ [pull request 19239](https://github.com/civicrm/civicrm-core/pull/19239) for
+ details.
+
+ Meanwhile, `CRM_Utils_Crypt` is retained (but deprecated) for compatibility
+ with the extensions that use it.
- **Add pre() and post() hooks for ufgroup entity
- ([18995](https://github.com/civicrm/civicrm-core/pull/18995))**
+ ([dev/core#2199](https://lab.civicrm.org/dev/core/-/issues/2199):
+ [18995](https://github.com/civicrm/civicrm-core/pull/18995))**
- Makes it so the pre and post hooks can be used with the entity `ufgroup`.
+ The pre and post hooks are now triggered when modifying profiles.
- **Add support for multi-value contact reference custom fields
([18941](https://github.com/civicrm/civicrm-core/pull/18941))**
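
Review bot: The upgrade paragraph in the crypto entry ("You may optionally configure `CIVICRM_CRED_KEYS` ... may need to update the value") tells administrators that action may be needed but not what the action is or what happens if they skip it. The synopsis table now says this release requires attention to configuration, so the notes should state in a sentence how an existing SMTP password is handled when no key is defined, and what a site that sets `smtpPassword` in `civicrm.settings.php` has to change, with the link to pull request 19239 as backup rather than the only source. The rewrite also drops the `crypto.token` service name that the removed bullet list carried, which is the detail an extension author moving off the deprecated `CRM_Utils_Crypt` would look for. Minor: two links in the heading now share the label [57] (civicrm-joomla and civicrm-drupal-8); consider making them distinguishable.
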
- **Add missing state for South Korea
([19157](https://github.com/civicrm/civicrm-core/pull/19157))**
- Adds Sejong as a state for South Korea.
+ This adds the special self-governing city Sejong to the state/province table
+ for South Korea.
-- **CRM_Core_Key - Provide more debugging hints about mismatched`qfKey`s
+- **CRM_Core_Key - Provide more debugging hints about mismatched `qfKey` values
([19145](https://github.com/civicrm/civicrm-core/pull/19145))**
- Makes it easier to debug `qfKey` issues.
+ The qfKey now has a prefix that corresponds with the form name.
- **Add min-width to flex columns for responsive layout on small screens
([19235](https://github.com/civicrm/civicrm-core/pull/19235))**
- Adjusts 2-column layouts on the main CiviCRM dashboard and Search Kit to
+ This adjusts 2-column layouts on the main CiviCRM dashboard and Search Kit to
collapse to 1 column on small screens.
- **APIv4 - Add "Permission.get" for listing available permissions
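
Review bot: The replacement description for the `CRM_Core_Key` entry ("The qfKey now has a prefix that corresponds with the form name.") states the mechanism but loses the purpose that the removed line gave, and it writes qfKey without the code formatting used in the heading just above it. Suggest combining both, for example: "The `qfKey` now has a prefix that corresponds with the form name, which makes mismatched keys easier to debug."
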
Extends APIv4 to support relative date range inputs.
-- **Search kit: Rewrite input widget to support IN sets, relative dates, BETWEEN
- groups, etc. ([19229](https://github.com/civicrm/civicrm-core/pull/19229))**
-
- Overhauls the input widget for all fields in Search Kit so that they support:
- IN, BETWEEN etc.
-
-- **Search kit: Improve token support
- ([19260](https://github.com/civicrm/civicrm-core/pull/19260))**
-
- Adds a token selector to the Search Kit UI when configuring displays.
-
- **Free the joins! APIv4 explicit joins - can we remove the requirement for
specific columns in the "on" clause? (Work Towards
[dev/core#2271](https://lab.civicrm.org/dev/core/-/issues/2271):
Allows greater flexibility in how explicit joins are performed in APIv4.
-- **php 7.4 compatibility
- ([19355](https://github.com/civicrm/civicrm-core/pull/19355),
- [19350](https://github.com/civicrm/civicrm-core/pull/19350),
- [19331](https://github.com/civicrm/civicrm-core/pull/19331),
- [19353](https://github.com/civicrm/civicrm-core/pull/19353) and
- [19354](https://github.com/civicrm/civicrm-core/pull/19354))**
-
- Assorted changes to make the code compatible with php 7.4.
-
- **Non translatable fields in profile schema (Work Towards
[dev/core#527](https://lab.civicrm.org/dev/core/-/issues/527):
[19291](https://github.com/civicrm/civicrm-core/pull/19291))**
Makes it so developers can use the event ID to link pre/post Insert/Update
events for the same change.
+### Search Kit
+
+- **Search kit: Rewrite input widget to support IN sets, relative dates, BETWEEN
+ groups, etc. ([19229](https://github.com/civicrm/civicrm-core/pull/19229))**
+
+ Overhauls the input widget for all fields in Search Kit so that they support:
+ IN, BETWEEN etc.
+
+- **Search kit: Improve token support
+ ([19260](https://github.com/civicrm/civicrm-core/pull/19260))**
+
+ Adds a token selector to the Search Kit UI when configuring displays.
+
### WordPress Integration
- **Enhance CiviCRM's integration in WordPress
### Core CiviCRM
+- **jquery.validate.js update (includes CVE-2021-21252)
+ ([dev/core#2324](https://lab.civicrm.org/dev/core/-/issues/2324):
+ [19457](https://github.com/civicrm/civicrm-core/pull/19457))**
+
+ The jQuery Validate library contained a regular expression that was vulnerable
+ to ReDoS (Regular Expression Denial of Service).
+
+ ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting
+ poorly constructed and potentially inefficient regular expressions which can
+ make them perform extremely badly given a creatively constructed input string.
+
+ This offers security hardening by preventing a user from entering a string
+ that could tie up their browser in validating it.
+
- **Fix updating custom field schema when toggling search or multiple
([18939](https://github.com/civicrm/civicrm-core/pull/18939))**
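
Review bot: ReDoS is expanded twice in the jquery.validate.js entry, once in the first paragraph ("vulnerable to ReDoS (Regular Expression Denial of Service)") and again at the start of the second ("ReDoS, or Regular Expression Denial of Service, is ..."); merge the two paragraphs or drop the second expansion. The heading cites CVE-2021-21252 while the body calls the change security hardening, and the entry does not say which jQuery Validate version the update moves to. Adding the version would let administrators confirm what their site bundles.
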
- **Quick fix on summary actions conflict
([19067](https://github.com/civicrm/civicrm-core/pull/19067))**
- Ensures if multiple extensions have menu items with the same weight all menu
- items are displayed.
+ If multiple extensions insert items with the same weight into the contact
+ summary actions drop-down, this ensures all menu items are displayed.
- **Greenwich: Fix Select2 free-tagging css bug
([19225](https://github.com/civicrm/civicrm-core/pull/19225))**
[dev/core#365](https://lab.civicrm.org/dev/core/-/issues/365):
[19068](https://github.com/civicrm/civicrm-core/pull/19068))**
- Adds a `created_date` column to the `action_schedule` table.
+ This adds a `created_date` column to the `action_schedule` table. This is in
+ anticipation of a change to prevent a newly-created scheduled reminder from
+ triggering reminders that would be due to send prior to the creation of the
+ reminder.
- **Editing a smartgroup created through the search builder renders the new
block by force
Ensures notices appear based on the sites error reporting settings.
-- **Simplify decision as to whether to use a pdf on membership emails
- ([dev/financial#162](https://lab.civicrm.org/dev/financial/-/issues/162):
- [19165](https://github.com/civicrm/civicrm-core/pull/19165))**
-
- Makes decision to include a PDF in Membership emails dependent on settings
- instead of whether the tax-amount is non-zero.
-
- **Unable to delete file with brackets in filename via ckeditor/kcfinder
([dev/user-interface#25](https://lab.civicrm.org/dev/user-interface/-/issues/25):
[304](https://github.com/civicrm/civicrm-packages/pull/304))**
-- **Membership renewal with 0 tax creating extra line item
- ([dev/core#2024](https://lab.civicrm.org/dev/core/-/issues/2024):
- [18838](https://github.com/civicrm/civicrm-core/pull/18838))**
-
- **Obsolete wkhtmltopdfPath causes hard fail in event registration due to
internal fatal error for the missing package
([dev/core#2028](https://lab.civicrm.org/dev/core/-/issues/2028):
[19311](https://github.com/civicrm/civicrm-core/pull/19311))**
+ If the setting for the path to wkhtmltopdf is set, but nothing is there at
+ that path, a system check message will appear and PDF generation will fall
+ back to domPDF.
+
- **Contact import by CSV fails when string ends with "à"
([dev/core#2127](https://lab.civicrm.org/dev/core/-/issues/2127):
[19241](https://github.com/civicrm/civicrm-core/pull/19241))**
+ In certain encodings, the à character can have the same byte as a
+ non-breaking space. This ensures that trimming non-breaking spaces does not
+ accidentally snag multi-byte characters that share the same `0xA0` byte.
+
- **Activity Summary report is missing pagination
([dev/core#2174](https://lab.civicrm.org/dev/core/-/issues/2174):
[19146](https://github.com/civicrm/civicrm-core/pull/19146))**
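
Review bot: The explanation added for the CSV import fix ("the à character can have the same byte as a non-breaking space") is imprecise about which encodings are involved. In UTF-8, à is the two-byte sequence 0xC3 0xA0, and its second byte equals the single-byte (Latin-1) non-breaking space 0xA0, so a byte-wise trim of 0xA0 cuts into the character. Naming the two encodings in the first sentence would make the `0xA0` reference in the second one clear, for example: "In UTF-8, the last byte of à is `0xA0`, the same byte as a non-breaking space in single-byte encodings."
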
([dev/core#2242](https://lab.civicrm.org/dev/core/-/issues/2242):
[19199](https://github.com/civicrm/civicrm-core/pull/19199))**
-- **Fatal error Incorrect datetime value: '0' for column 'transaction_date' when
- editing a participant record and recording payment with no received date
- ([dev/core#2251](https://lab.civicrm.org/dev/core/-/issues/2251):
- [19307](https://github.com/civicrm/civicrm-core/pull/19307))**
-
- **Inline email edit form fails to set is_bulkmail flag
([dev/core#2254](https://lab.civicrm.org/dev/core/-/issues/2254):
[19224](https://github.com/civicrm/civicrm-core/pull/19224))**
'upgrade.finish' phase.
([19346](https://github.com/civicrm/civicrm-core/pull/19346))**
+ On Drupal and Backdrop sites, the system flush was triggered after each
+ incremental database update. It is now deferred until the end of the upgrade
+ process.
+
- **Fix APIv3 profile.getfields to return correctly keyed phone field
([19321](https://github.com/civicrm/civicrm-core/pull/19321))**
contacts to group
([19250](https://github.com/civicrm/civicrm-core/pull/19250))**
+ This disables full group by mode for reports that are not optimized to work
+ with it.
+
- **Stop passing ids as reference
([19204](https://github.com/civicrm/civicrm-core/pull/19204))**
-- **Enotice fix ([19201](https://github.com/civicrm/civicrm-core/pull/19201))**
-
-- **Fix notice error on using max() with only one variable
- ([19149](https://github.com/civicrm/civicrm-core/pull/19149))**
-
-- **Minor typos in schema files
- ([19142](https://github.com/civicrm/civicrm-core/pull/19142))**
-
-- **Allow overriding participant_status_id in Order API
- ([18096](https://github.com/civicrm/civicrm-core/pull/18096))**
-
-- **Allow Sendconfirmation api to override pay later receipt text
- ([19129](https://github.com/civicrm/civicrm-core/pull/19129))**
-
- **Fix extensions tabs following deprecation of old tab code
([19130](https://github.com/civicrm/civicrm-core/pull/19130))**
-- **Prevent "add_action" from being called multiple times
- ([19061](https://github.com/civicrm/civicrm-core/pull/19061))**
+- **php 7.4 compatibility
+ ([19355](https://github.com/civicrm/civicrm-core/pull/19355),
+ [19350](https://github.com/civicrm/civicrm-core/pull/19350),
+ [19331](https://github.com/civicrm/civicrm-core/pull/19331),
+ [19353](https://github.com/civicrm/civicrm-core/pull/19353) and
+ [19354](https://github.com/civicrm/civicrm-core/pull/19354))**
+
+ Assorted changes to make the code compatible with php 7.4.
### CiviCampaign
### CiviContribute
+- **Error creating thank you letter with multiple contributions
+ ([dev/core#2344](https://lab.civicrm.org/dev/core/-/issues/2344):
+ [19480](https://github.com/civicrm/civicrm-core/pull/19480),
+ [19481](https://github.com/civicrm/civicrm-core/pull/19481), and
+ [19482](https://github.com/civicrm/civicrm-core/pull/19482))**
+
+ This resolves an invalid currency error when generating a thank you letter
+ grouping multiple contributions per contact.
+
- **fix email receipt flag for recurring record
([19299](https://github.com/civicrm/civicrm-core/pull/19299))**
- **Fix Contribution.create to not attempt to set contacts on activity update
([19202](https://github.com/civicrm/civicrm-core/pull/19202))**
+- **Allow Sendconfirmation api to override pay later receipt text
+ ([19129](https://github.com/civicrm/civicrm-core/pull/19129))**
+
### CiviEvent
- **New Event using a template - clicking "Continue" doesn't save custom data
([dev/core#2282](https://lab.civicrm.org/dev/core/-/issues/2282):
[19316](https://github.com/civicrm/civicrm-core/pull/19316))**
+ The iCalendar feed link now specifies that it is `text/calendar` so it will be
+ handled correctly if the icon is clicked.
+
+- **Import Participants fails
+ ([dev/core#2348](https://lab.civicrm.org/dev/core/-/issues/2348):
+ [19483](https://github.com/civicrm/civicrm-core/pull/19483))**
+
+ This was an unreleased regression in 5.34.beta.
+
- **Manage Event: avoid E_NOTICE in smarty
([19137](https://github.com/civicrm/civicrm-core/pull/19137))**
+- **Fatal error Incorrect datetime value: '0' for column 'transaction_date' when
+ editing a participant record and recording payment with no received date
+ ([dev/core#2251](https://lab.civicrm.org/dev/core/-/issues/2251):
+ [19307](https://github.com/civicrm/civicrm-core/pull/19307))**
+
+- **Allow overriding participant_status_id in Order API
+ ([18096](https://github.com/civicrm/civicrm-core/pull/18096))**
+
### CiviMail
- **Proposal replace PEAR mailer classes in core extension (Work Towards
Handles exceptions in Mail:send class.
+### CiviMember
+
+- **Simplify decision as to whether to use a pdf on membership emails
+ ([dev/financial#162](https://lab.civicrm.org/dev/financial/-/issues/162):
+ [19165](https://github.com/civicrm/civicrm-core/pull/19165))**
+
+ Makes decision to include a PDF in Membership emails dependent on settings
+ instead of whether the tax-amount is non-zero.
+
+- **Membership renewal with 0 tax creating extra line item
+ ([dev/core#2024](https://lab.civicrm.org/dev/core/-/issues/2024):
+ [18838](https://github.com/civicrm/civicrm-core/pull/18838))**
+
### CiviPledge
- **Rename PledgePayment create function
- **Allow wp-cli upgrade command to proceed when there is only a single settings
file ([224](https://github.com/civicrm/civicrm-wordpress/pull/224))**
+- **Prevent "add_action" from being called multiple times
+ ([dev/core#2217](https://lab.civicrm.org/dev/core/-/issues/2217):
+ [19061](https://github.com/civicrm/civicrm-core/pull/19061))**
+
## <a name="misc"></a>Miscellany
- **Membership BAO - do not require date fields to be passed in on update
circa Jan 1, 2021
([19305](https://github.com/civicrm/civicrm-core/pull/19305))**
+- **REF Bump the composer-compile-plugin version
+ ([19377](https://github.com/civicrm/civicrm-core/pull/19377))**
+
+- **Test framework - API4 DateTest::testRelativeDateRanges will fail on the last
+ day of Jan, Mar, May, Aug, Oct
+ ([dev/core#2339](https://lab.civicrm.org/dev/core/-/issues/2339):
+ [19466](https://github.com/civicrm/civicrm-core/pull/19466))**
+
+- **Fix for ReportTest when launching a pdf
+ ([19497](https://github.com/civicrm/civicrm-core/pull/19497))**
+
+ This fixes a unit test failure caused by a recent merge on testing Report
+ output.
+
+- **Enotice fix ([19201](https://github.com/civicrm/civicrm-core/pull/19201))**
+
+- **Fix notice error on using max() with only one variable
+ ([19149](https://github.com/civicrm/civicrm-core/pull/19149))**
+
+- **Minor typos in schema files
+ ([19142](https://github.com/civicrm/civicrm-core/pull/19142))**
+
## <a name="credits"></a>Credits
This release was developed by the following code authors:
Agileware - Justin Freeman; Artful Robot - Rich Lott; iXiam - Luciano Spiegel;
JMA Consulting - Joe Murray; Joinery - Allen Shaw; Nicol Wistreich; Semper IT -
-Karin Gerritsen; Third Sector Design - Michael McAndrew;
+Karin Gerritsen; Third Sector Design - Michael McAndrew
## <a name="feedback"></a>Feedback