Joomla! Discussion Forums



Posted: Wed Jul 12, 2006 3:41 am 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
I am pleased to announce the creation of a new security forum called "3rd Party/Non Joomla! Security Issues."  This new child forum will be used to discuss security issues related to 3rd party components and addons.  The current wave of vulnerabilities caused by 3rd party components has prompted the creation of this new board in order for the Joomla! team to keep a firm grasp and a clean division between security issues related to Joomla! core code and security issues related to 3rd party component code.  It is important to recognize that we are not responsible for security issues created by 3rd party components and addons.  As such, we can only do our best to warn of new vulnerabilities, forward information about new vulnerabilities to 3rd party component maintainers, and try to diagnose hacking attempts/successful break-ins but we will not be able to provide any official patches to secure the 3rd party components or addons.  That is the responsibility of the respective project maintainers.

I am also pleased to announce that I was asked to be the Moderator of the new forum and an additional Moderator of the Joomla! Security forum.  I consider it a great honor to serve as a Moderator on the Joomla! forums and I hope I can live up to the high standards set by the other Joomla! forum Moderators.

Please be aware that we will be doing some organizing in order to get the various threads in the proper forums so if you cannot find a thread that was previously in the Joomla! Security forum, make sure you check the 3rd Party/Non Joomla! Security Issues forum as well.  Additionally, given that many people who report hacking/hacking attempts are not aware of how their websites were compromised, I envision many threads being started in the Joomla! Security forum and then being moved to the 3rd Party/Non Joomla! Security Issues forum as more information is discovered or a diagnosis is made.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Wed Jul 12, 2006 4:02 am
Joomla! Intern

Joined: Thu Mar 30, 2006 3:48 am
Posts: 70
Location: Northern California
Way to go RobS and congrats!!

ps. any news on getting a security email alert or backend notification system up and running?

_________________
FlickrTab Pro for Community Builder
Multiple Random Image Module for Joomla!


Posted: Wed Jul 12, 2006 4:09 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
The security mailing list is being discussed by the core members but that is all I really know.  I will be sure to let you guys know if I get any news about it. 

As for the backend notification system, I don't think that is something we will see for a while as J! 1.5 is now feature complete which means no additional features will be added to it between now and release.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Wed Jul 12, 2006 7:42 am
Joomla! Apprentice

Joined: Mon Nov 28, 2005 5:00 pm
Posts: 32
Location: Mumbai, India
RobS wrote:

J! 1.5 is now feature complete which means no additional features will be added to it between now and release.


We have been hearing quite a lot about J! 1.5, I am eagerly waiting for the release. Have all the security issues been taken care of, considering the past releases and hacking problems up to 1.0.10? When are we actually getting this release?

Will all the 3Ps be compatible with 1.5, as it is? Especially components like extCalendar, the security issues of which are being discussed in many forums, and the component is NOT under further development.

_________________
A man is not finished when he is defeated,
He is finished when he quits


Posted: Wed Jul 12, 2006 7:48 am
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Joomlamahesh wrote:
RobS wrote:

J! 1.5 is now feature complete which means no additional features will be added to it between now and release.


We have been hearing quite a lot about J! 1.5, I am eagerly waiting for the release. Have all the security issues been taken care of, considering the past releases and hacking problems up to 1.0.10? When are we actually getting this release?

Will all the 3Ps be compatible with 1.5, as it is? Especially components like extCalendar, the security issues of which are being discussed in many forums, and the component is NOT under further development.


I am quite excited about it too.  I would imagine many of the ongoing security issues are being dealt with in 1.5 though I cannot say for certain as I have had little time to experiment with it.  There is still no release date set but you can play with the latest version by downloading a nightly build from the 1.5 development page. 

As for the 3rd party components, I am not sure.  I have heard that some things might work without any modification but I have also heard there have been a lot of changes to the core framework and even some database structure changes so it is hard for me to say at this point what will work and what won't.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Wed Jul 12, 2006 1:49 pm
Joomla! Enthusiast

Joined: Fri Feb 17, 2006 4:30 pm
Posts: 222
Cheers to Robs.

I've got to receive this notice.

Em

_________________
[ http://www.GIMIK.COM ] My current project.
[ http://www.KING.NET ] My Blog.


Posted: Wed Jul 12, 2006 1:53 pm
Joomla! Explorer

Joined: Fri Aug 19, 2005 12:51 pm
Posts: 362
Location: Argentina
Congratulations! =)

Have a nice day
Gustavo

_________________
Comunidad Joomla!: Member of the Spanish [es_ES] Joomla Translation Team | http://comunidadjoomla.org

NEW! Installation manual for Joomla! 1.5.x - Joomla! 1.5.X getting started guide at http://joomlacode.org/gf/project/comunidadjoomla/frs/


Posted: Thu Aug 10, 2006 6:13 am
Joomla! Fledgling

Joined: Thu Aug 10, 2006 6:09 am
Posts: 2
A security announcements list is a must if I'm to continue allowing Joomla to be used by users of my hosting service.  It's pretty ridiculous that people have been asking for this for so long and nothing's been done yet.  It would have spared many of us a lot of tears over the last few months.


Posted: Thu Aug 10, 2006 6:27 am
Joomla! Master

Joined: Fri Aug 12, 2005 12:38 am
Posts: 11196
Location: Sydney - Australia
Rawn wrote:
A security announcements list is a must if I'm to continue allowing Joomla to be used by users of my hosting service.  It's pretty ridiculous that people have been asking for this for so long and nothing's been done yet.  It would have spared many of us a lot of tears over the last few months.


Isn't that exactly what this thread is about?

_________________
Brad Baker - Follow me on Twitter @xyzulu @rochenhost
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help
..somewhere in this hospital the anguished oink of a pig man cries out for help..


Posted: Thu Aug 10, 2006 6:28 am
Joomla! Master

Joined: Fri Aug 12, 2005 12:38 am
Posts: 11196
Location: Sydney - Australia
Are you subscribed here: http://forum.joomla.org/index.php/topic,79477.0.html

And to main announcement forum here: http://forum.joomla.org/index.php?actio ... ;board=8.0

Not sure what else we can do for you...

_________________
Brad Baker - Follow me on Twitter @xyzulu @rochenhost
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help
..somewhere in this hospital the anguished oink of a pig man cries out for help..


Posted: Sun Sep 10, 2006 6:48 pm
Joomla! Fledgling

Joined: Thu Aug 10, 2006 6:09 am
Posts: 2
brad wrote:
Rawn wrote:
A security announcements list is a must if I'm to continue allowing Joomla to be used by users of my hosting service.  It's pretty ridiculous that people have been asking for this for so long and nothing's been done yet.  It would have spared many of us a lot of tears over the last few months.


Isn't that exactly what this thread is about?


This is a clunky and non-standard way of not following standard practice to have an announcements mailing list or a security list which one gets official announcements from of security releases as well as new releases.  I'm not suggesting this forum isn't a valuable resource, because it is. It's good stuff. It is not, however, a substitute for a proper announcements list, which should not be a discussion containing all manner of other threads, like this one right here, because it serves a very specific purpose.  If there is such a list, I couldn't find it.  It should be linked to right off the joomla.org homepage to encourage the entire Joomla community to be on that list. (In the admin section on the "check for new version" page would be super useful too.) Then, when there's a security release, like there just was about 2 weeks ago, everyone will know they have something important to be done.  People often already have procmail/maildrop/Thunderbird/Outlook filters that give these kinds of mails special handling so they stand out.  It's the Right Thing To Do(tm), and SourceForge provides the functionality required, someone just has to go turn it on, and someone with authority to speak for Joomla needs to post announcements to it when there's a new release/patch.  Fewer Joomla sites will be exploited, and everyone wins except the bad guys, who are the inadvertent beneficiaries of this missing functionality.

