JUGCN BLOG

News for and about Joomla!

Joomla 3.9.4 Release

Joomla 3.9.4 is now available. This is a security fix release for the 3.x series of Joomla which addresses 4 security vulnerabilities and contains 28 bug fixes and improvements.

What's in 3.9.4?

Joomla 3.9.4 includes 4 security vulnerabilities fixes and several bugs and improvements, including:

Security Issues Fixed

  • High Priority - Core - Missing ACL check in sample data plugins (affecting Joomla 3.8.0 through 3.9.3) More information »
  • Low Priority - Core - XSS in com_config JSON handler (affecting Joomla 3.2.0 through 3.9.3) More information »
  • Low Priority - Core - XSS in item_title layout (affecting Joomla 3.0.0 through 3.9.3) More information »
  • Low Priority - Core - XSS in media form field (affecting Joomla 3.0.0 through 3.9.3) More information »

Bug fixes and Improvements

  • User Terms (#23787) and Privacy Consent (#23660) plugins: Layouts for the label and message added
  • Featured articles: Page subheading added #23583
  • Custom formfield layout paths simplified #22645
  • Com_contact: Contact name field moved out of the Contact Information block #23563
  • Custom module: Improvement of the frontend editing #23741
  • Action Logs improvement: Cache (#22739) and Purge/Export (#22740) actions are now logged

Visit GitHub for the full list of bug fixes.

Download

Upgrade Packages

Upgrade Packages
Joomla 3 upgrade packages

Note: Please read the update instructions before updating.
Remember… Please clear your browser's cache after updating.
Found a bug? Report it on the Joomla Issue Tracker.
Questions? See the documentation wiki for FAQ’s regarding the 3.9.4 release.

Continue reading

Copyright

© Joomla.org

  1497 Hits
  0 Comments

A Statement on the Recent Report by Check Point

A report by Check Point Research has been brought to our attention relating to a security vulnerability that was patched back in December 2015. This report has also been picked up by Threat Post.

Both reports contain a great deal of inaccuracies and intimate that the vulnerability detailed is a current one. 
This statement serves to clarify the facts surrounding this issue. Furthermore we would like to assure our user base that, much as these posts attempt to state that this is a current issue, the truth of the matter is far from that.

With this in mind, we would like to clarify a few points:

  • There is no current security issue with the JMail class.
  • The underlying issue, used to create and store the backdoor, is a PHP issue rather than a Joomla issue.
  • A successful attack is only possible with severely outdated PHP and Joomla versions that are more than 3 years out of date (PHP versions 5.4.45, 5.5.29, 5.6.13 and all higher versions are patched for this vulnerability). Please see our recent article about the importance of keeping your sites up to date here.
  • A mitigation for Joomla 1.5, 2.5 and 3 was released more than 3 years ago in December 2015. Patches for EOL versions were released alongside the Joomla 3.4.7 release. Patches for the other Joomla versions are still available here. The Joomla Project also distributed WAF rules to many shared hosting providers at the time of discovery to protect against common exploits of this vulnerability.
  • The file mentioned in Check Point's report is not a Joomla core file, it's a copy of the original class used by the attacker to obfuscate a backdoor.
  • The file does not "override" the core JMail class.

More information on the exploit

The pattern described by Check Point is a classic one - where an attacker exploits a well-known security issue. The issue is over 3 years old and stems from a security issue found in PHP, rather than the Joomla core.  More information on this issue can be found here:

By exploiting this issue an attacker can embed a backdoor in site, which can be used for malicious activity. In order to make detection as hard as possible, attackers often use copies of real application files (in this case a copy of Joomla's mailing class) to embed their exploit code. Those copies will never be used in normal application execution, so there's no "override" as claimed in the report, they simply used the file to obfuscate the actual backdoor.

Tags:

Copyright

© Joomla.org

  1419 Hits
  0 Comments

Joomla attended the CMS Security Summit at Google in Chicago

January 30th 2019 - It’s freezing cold in Chicago today and according to the news, it’s even colder than on the Mount Everest - so a perfect day to stay inside a warm building, sitting in front of your machine and having a (sorry, bad Everest joke) summit!

Read More ...

  1298 Hits
  0 Comments

Joomla 3.9.3 Release

Joomla 3.9.3 is now available. This is a security fix release for the 3.x series of Joomla which addresses 6 security vulnerabilities and contains 30 bug fixes and improvements.

Copyright

© Joomla.org

  1413 Hits
  0 Comments

Keeping your Joomla website up-to-date

As of release 3.5 Joomla is collecting stats data, thanks to the stats plugin (only works if it’s enabled), and it found too many websites are not using the currently supported release of 3.9.2. This data is based on the Joomla, PHP, and database version. These are some pretty alarming statistics, and should not be ignored! We have provided some links at the bottom of this article for your reference, review, and to even get the latest release of Joomla.

Copyright

© Joomla.org

  1434 Hits
  0 Comments

Joomla 3.9.2 Release

Joomla 3.9.2 is now available. This is a security release for the 3.x series of Joomla which addresses 4 security vulnerabilities and contains over 50 bug fixes and improvements.

Copyright

© Joomla.org

  1380 Hits
  0 Comments

Joomla! A Year in Review - 2018

As we countdown to 2019, we’ll be raising a glass (or two) to all our incredible volunteers who have made the leaps and bounds of 2018 possible.

Copyright

© Joomla.org

  1439 Hits
  0 Comments

Joomla 3.9.1 Release

Joomla 3.9.1 is now available. This is a bug fix release for the 3.x series of Joomla including over 40 bug fixes and improvements.

 

Copyright

© Joomla.org

  1426 Hits
  0 Comments

Joomla 3.9 is live!

It’s a good day for the Joomla Project, as today we proudly announce the release of Joomla 3.9 – ‘The Privacy Tool Suite’ - marking the tenth minor release in the 3.x series.

Copyright

© Joomla.org

  1464 Hits
  0 Comments

We Invite You to Write for JCM

write-for-jcm
The Joomla Community Magazine has always been supported by individuals who wanted to share their knowledge about the platform. This is an invitation to become part of the JCM Team and write about you know to help you others. Come join us!

Copyright

© Joomla.org

  1357 Hits
  0 Comments

Guilherme Razgriz: 3D Prototyping with Joomla

3d-prototyping
Guilherme Razgriz is a brazilian 3D prototyper, art director and a strong advocate of the use of open source tools to create graphics. Active participant of several projects of open source communities, he is the maintainer of the Gimp no Brazil portal. He spoke at Joomla Day Brasil 2018 about his project of using Joomla to control remotely a 3D printer.

Copyright

© Joomla.org

  1426 Hits
  0 Comments

Talking about a Modern Joomla

modern-joomla
There is an elephant in the room, the modernization of Joomla. The mobile world is transforming the web technology. There is an accumulated sum of innovations waiting to be interpreted. It has taken years to reach the present tipping point, but it is finally arriving as new features included in the evergreen browsers (Firefox, Google Chrome, Microsoft Edge, Opera). Beyond the fine detail, the general web landscape is changing, and that is what we need to address to modernize Joomla.
 

Copyright

© Joomla.org

  1347 Hits
  0 Comments

Custom Fields - Episode 3 : all the parameters one can wish for

custom-fields-episode-3
In this 3rd episode about Custom Fields: (1) we will first cover in detail all the possible parameters (2) then we will give an overview of some new exciting features which will ship with Joomla 3.9 (3) and finally, we will end up with an example of site making an interesting use of Custom Fields

Copyright

© Joomla.org

  1280 Hits
  0 Comments

Joomla on the move in the USA

joomla-on-the-move
The Joomla Capital team kicked off its winter USA conference schedule with two back to back conference/expo appearances in both Orlando, Florida and Houston, Texas. The Captial team started attending US conferences just three years ago at Hostingcon 2016 and have been using these events to showcase the platform and gain sponsorship for the project.

Copyright

© Joomla.org

  1333 Hits
  0 Comments

The First JoomlaCamp Chicago

jcc
The first JoomlaCamp Chicago was held on September 22, at DePaul University's Loop Campus. With a wide range of questions and answers covered, participants left feeling excited to put their expanded Joomla! knowledge to use on their own sites.  
 

Copyright

© Joomla.org

  1306 Hits
  0 Comments

Joomla 3.8.13 Release

Joomla 3.8.13 is now available. This is a security release for the 3.x series of Joomla which addresses 5 security vulnerabilities.

Copyright

© Joomla.org

  1398 Hits
  0 Comments

Pizza, Bugs & Fun 2018

On September 8th, 2018, a "Pizza, Bugs & Fun" (PBF) event took place in Germany, Austria, Italy, Netherlands and France with different local user groups, so-called Joomla User Groups (JUGs). Everyone could learn how they can contribute to the improvement of Joomla.

Read More ...

  1380 Hits
  0 Comments

Happy Translation Day!

Today we celebrate the International Translation Day and we would like to thank all our great translators.
They work hard and spend time to help the Joomla Community.

Read More ...

  1306 Hits
  0 Comments

Red alert, shields up - The work of the Joomla Security Team

A CMS-powered website has all the ingredients for an IT security nightmare: it is publicly accessible, it’s running on powerful machines with great connectivity and the underlying system is used countless times around the globe, making it an attractive target for attackers.
The Joomla Security Strike Team (JSST) is working hard to make sure that this nightmare doesn’t become reality for Joomla users!

Copyright

© Joomla.org

  1264 Hits
  0 Comments

JCM wants you!

jcmwantsyou
Joomla Community Magazine is looking for new contributors. From now on we will focus on improving the publication and reach out to the our community out there. Join us!
 

Copyright

© Joomla.org

  1387 Hits
  0 Comments