Planning for Sept. 6 CiviCRM security update

Well, the joke's on me.

Last week I told you CiviCRM would release a security update this week.

Nope. I just misread the announcement. That update is scheduled for Wednesday, September 6th. (See the original notice below.)

Silly mistakes aside, I'll still be applying CiviCRM updates this week for all the sites that Joinery manages.

Why?

Because most of those sites are running at the previous security release, which came out in February.

It's hard to know exactly what has changed in CiviCRM since then.

So there's a small chance that an update could cause some trouble.

That's true of any upgrade. There's always a chance — however slight — that you'll introduce some incompatibility with the CMS, or one of its plugins, or some CiviCRM extension.

That chance increases with the size of the gap between the installed version and the upgraded version. (One week between versions? Very small chance. One year between versions? Not-quite-as-small chance.)

So we have a choice:

  • Perform one big update — from the February version to the September version — right after the security update is released. In other words: do it when there's pressure to get it right for security reasons.

  • OR: Perform one almost-as-big update now — from the February version to the latest August version — when there's no such urgency, and then apply a smaller update to get the September version when it's released.

That second option has an obvious disadvantage: it means updating each site twice instead of once.

But it also has an important advantage: the larger update, which has a greater chance (however slight) of breaking something, will be applied when we're not under time pressure for security reasons.

If any incompatibility is found, we'll have more time to deal with it.

Of course we want to deal with it quickly, because nobody wants things to be broken.

But given the choice, I'd rather have that as the only concern. Not the additional concern of an outstanding security issue.

The second update — to get the security release — will have a much smaller gap of only a couple of weeks. It's much less likely that an incompatibility will appear in such a small update.

Here's the thing:

In the end, it's a judgment call. Everything has pros and cons.

But for a system that you own, it's good to be aware of potential issues and how best to prevent them.

For all the freedom that we love from owning our systems, there's no getting away from the responsibility that we take on as a result.

If you'll be handling your update yourself, give the above pros and cons some thought.

You might decide that a large update now, followed by a smaller security update later, is the way to go.

All the best,
A.

P.S. Below is a copy of the original email announcing the update. If you don’t have someone handling updates for you, I encourage you to head over to CiviCRM’s Security Policy & Announcements page to sign up for these emails.

On 8/17/23 15:15, CiviCRM wrote:

There will be a security release for CiviCRM on Wednesday, September 6 (US/Pacific Time). Updates will be provided for the following versions:

• CiviCRM v5.65 (current RC; see download at https://download.civicrm.org/latest/)

• CiviCRM v5.64 (current stable; see download at https://civicrm.org/download)

• CiviCRM v5.63 (current ESR; see https://civicrm.org/esr)

We expect the release to become available near the end of the day (TZ conversions).
