From 7e841726b0d413e591146f3226e300000d8b9507 Mon Sep 17 00:00:00 2001 From: Seamus Lee Date: Sat, 16 Feb 2019 14:59:52 +1100 Subject: [PATCH] Add in 5.10.3 Security Release Notes --- release-notes/5.10.3.md | 63 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 release-notes/5.10.3.md diff --git a/release-notes/5.10.3.md b/release-notes/5.10.3.md new file mode 100644 index 0000000000..16fbff767f --- /dev/null +++ b/release-notes/5.10.3.md @@ -0,0 +1,63 @@ +# CiviCRM 5.10.3 + +Released February 20, 2019 + +- **[Synopsis](#synopsis)** +- **[Bugs resolved](#bugs)** +- **[Credits](#credits)** +- **[Feedback](#feedback)** + +## Synopsis + +| *Does this version...?* | | +|:--------------------------------------------------------------- |:-------:| +| **Fix security vulnerabilities?** | **yes** | +| Change the database schema? | no | +| Alter the API? | no | +| Require attention to configuration options? | no | +| Fix problems installing or upgrading to a previous version? | no | +| Introduce features? | no | +| **Fix bugs?** | **yes** | + +## Security advisories +- **[CIVI-SA-2019-01](https://civicrm.org/advisory/civi-sa-2019-01-weak-access-control-for-file-attachments)**: + Weak access-control for file attachments +- **[CIVI-SA-2019-02](https://civicrm.org/advisory/civi-sa-2019-02-sqli-in-prevnext-cache)**: + SQL Injection in "PrevNext" Cache +- **[CIVI-SA-2019-03](https://civicrm.org/advisory/civi-sa-2019-03-xss-in-logging-details-report)**: + Cross-Site Scripting in "Logging Details" Report +- **[CIVI-SA-2019-04](https://civicrm.org/advisory/civi-sa-2019-04-sqli-in-group-tag-filters)**: + SQL Injection in Group and Tag Filters +- **[CIVI-SA-2019-05](https://civicrm.org/advisory/civi-sa-2019-05-xss-in-new-pledge-form)**: + Cross-Site Scripting in "New Pledge" Form +- **[CIVI-SA-2019-06](https://civicrm.org/advisory/civi-sa-2019-06-xss-in-contact-entity-reference-fields)**: + Cross-Site Scripting in Contact Reference Fields +- **[CIVI-SA-2019-07](https://civicrm.org/advisory/civi-sa-2019-07-limit-cross-domain-execution-by-jquery)**: + Limit Cross-Domain Execution by jQuery + +## Bugs resolved + +### Core CiviCRM + +- **[dev/core#695](https://lab.civicrm.org/dev/core/issues/695) Custom Search + results selection failure and + [dev/core#679](https://lab.civicrm.org/dev/core/issues/679) Groups and Tags + affect search results when using Search Builder + ([13533](https://github.com/civicrm/civicrm-core/pull/13533))** + + This resolves some search regressions introduced in 5.9.0 relating to caching + and custom searches. + +- **[dev/core#737](https://lab.civicrm.org/dev/core/issues/737) Mass SMS not + sent when send time is set to immediately + ([13641](https://github.com/civicrm/civicrm-core/pull/13641))** + + This resolves an issue where if you selected to send a Bulk SMS immediately + it would not be sent because the scheduled date was set to NULL rather than + the current date and time. + +## Feedback + +These release notes are edited by Tim Otten and Andrew Hunt. If you'd like to +provide feedback on them, please login to https://chat.civicrm.org/civicrm and +contact `@agh1`. -- 2.25.1