Joomla! has released the latest version, 3.4.7, of its free content management system software to address two reported security vulnerabilities.
The new version of Joomla!, which is used to create websites and online applications, strengthened the security of the MySQLi driver to help prevent object injection attacks.
Joomla said its Security Strike team has been following up on the critical security vulnerability patched last week.
“Since the recent update it has become clear that the root cause is a bug in PHP itself,” Joomla! reported on its website. “This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13.”
Joomla! pointed out the only Joomla sites affected by this bug are those that are hosted on vulnerable versions of PHP, and it corrected the flaw because not all hosts keep their PHP installations up to date.
Joomla! 3.4.7 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability and one low level security vulnerabilities. We strongly recommend that you update your sites immediately.
This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.6 release.
WHAT'S IN 3.4.7
Version 3.4.7 is released to address two reported security vulnerabilities and includes security hardening of the MySQLi driver to help prevent object injection attacks.
The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). The only Joomla sites affected by this bug are those which are hosted on vulnerable versions of PHP. We are aware that not all hosts keep their PHP installations up to date so we are making this release to deal with this issue on vulnerable PHP versions.
SECURITY ISSUES FIXED
- High Priority - Core - Session Hardening (affecting Joomla 1.5 through 3.4.6) More information »
- Low Priority - Core - SQL Injection (affecting Joomla 3.0.0 through 3.4.6) More information »
Please see the documentation wiki for FAQ’s regarding the 3.4.7 release. It is important to note that due to some session changes you will not be able to edit items until you log out and log back in again. Please note that there has been a backwards compatibility break regarding how session management is handled. If you are using the documented Joomla API you will have no issues. The changes are fully documented in the release documentation.