Advertisement
Raising The Bar On Security
Raising The Bar On Security
Please use this thread to discuss the blog post "Raising The Bar On Security" (http://community.joomla.org/blogs/leade ... urity.html).
Advertisement
- alikon
- Joomla! Champion
- Posts: 5941
- Joined: Fri Aug 19, 2005 10:46 am
- Location: Roma
- Contact:
Re: Raising The Bar On Security
can you share estimates of how many hosting company are affected
discovering the astonishing number of major hosts that have servers that are running significantly outdated software
-
- Joomla! Enthusiast
- Posts: 101
- Joined: Thu May 07, 2009 7:48 am
- Location: Belgium
- Contact:
Re: Raising The Bar On Security
@alikon I wouldn't exactly worry about the well being of hosters that can't keep their server stack up to date. If they can't update PHP 5.3 to the latest version that might not be the only department they are lacking in. Run, clients, run!
Re: Raising The Bar On Security
@alikon - This can give some insight into the distribution of PHP 5 releases powering websites right now - http://w3techs.com/technologies/details/pl-php/5/all
Navigating down the report, you can see how much of that is PHP 5.3 based, then each release of 5.3. You can then see the numbers and estimate for yourself based on how many websites are powered by a release of PHP that will not be supported in Joomla 3.3.
Navigating down the report, you can see how much of that is PHP 5.3 based, then each release of 5.3. You can then see the numbers and estimate for yourself based on how many websites are powered by a release of PHP that will not be supported in Joomla 3.3.
-
- Joomla! Apprentice
- Posts: 16
- Joined: Sun Oct 23, 2011 9:57 pm
Re: Raising The Bar On Security
First of all I wanted to say that I fully support any efforts to increase security in Joomla and increasing the minimum requirement for PHP is a good idea. However, I think there is one problem that will be encountered:
Centos 6.5, the current stable release of Centos ships with PHP 5.3.3.
Centos 6.5, the current stable release of Centos ships with PHP 5.3.3.
Jamie Derrick - http://jderrick.co.uk
Joomla consultant and developer
Joomla consultant and developer
- jk1
- Joomla! Enthusiast
- Posts: 213
- Joined: Thu Sep 21, 2006 8:53 pm
Re: Raising The Bar On Security
I assume here in Germany quite a lot of hosters/website owners will be affected, because many of them still rely on the control panel Confixx, which was orginally developed by a german company and later bought by Parallels (Plesk), but unfortunately Parallels stopped the development of Confixx. The last official version does not support php 5.3 or 5.4 but many of these hosters applied unofficial patches to make it work with certain php 5.3 versions.
My webhoster, who provides an outstanding service for little money, is (afaik) currently using the latest Debian 6 package released in Fall 2013, which to the best of my knowledge comes with php 5.3.7 bundled. (That's the version my Joomla system information shows)
My webhoster, who provides an outstanding service for little money, is (afaik) currently using the latest Debian 6 package released in Fall 2013, which to the best of my knowledge comes with php 5.3.7 bundled. (That's the version my Joomla system information shows)
Last edited by jk1 on Thu Jan 30, 2014 2:41 pm, edited 1 time in total.
- DaveOzric
- Joomla! Ace
- Posts: 1591
- Joined: Sat May 22, 2010 10:29 pm
- Contact:
Re: Raising The Bar On Security
Thanks for pointing this out. I use a installer in cpanel and would not of known this.
I would assume that PHP 5.4 is fine?
Also I thought J 3.5 was coming out in March?
I would assume that PHP 5.4 is fine?
Also I thought J 3.5 was coming out in March?
Re: Raising The Bar On Security
Support for PHP 5.4 or 5.5 isn't affected by this change; only the minimum version of PHP 5.3 we will support starting with the 3.3 release.
It was slipped into the holiday break post in December that we would be releasing a 3.3 which changes the timeline for future releases. We plan at least one additional post outlining a bit more about what we plan to accomplish with 3.3 in the next 2 weeks.
It was slipped into the holiday break post in December that we would be releasing a 3.3 which changes the timeline for future releases. We plan at least one additional post outlining a bit more about what we plan to accomplish with 3.3 in the next 2 weeks.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Sat Feb 01, 2014 8:48 pm
Re: Raising The Bar On Security
Since you are going to make a change in this direction could also change the version to the latest Bootstrap: Bootstrap3.
Thanks,
Best regards,
Jose A.
Thanks,
Best regards,
Jose A.
- klipper
- Joomla! Apprentice
- Posts: 44
- Joined: Tue Nov 22, 2005 10:03 pm
- Location: Netherlands
Re: Raising The Bar On Security
I fully agree with raising minimum php requirement to php 5.3.10. It will help making our Joomla websites much more secure.
For hosting companies: hosting is dynamic business, not static. This means you should keep your hosting software up to date! Just as website-owners are expected to keep their Joomla versions and extensions up to date.
For hosting companies: hosting is dynamic business, not static. This means you should keep your hosting software up to date! Just as website-owners are expected to keep their Joomla versions and extensions up to date.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Fri Feb 07, 2014 12:00 pm
- Contact:
Re: Raising The Bar On Security
How are you ensuring that your system doesn't stop installations on Debian based hostings?
We as one of the biggest dutch webhosters already got some questions from customers since we believe your check doesn't account for the way Debian works with patches (Upstream updates).
For instance, I can see a check immediately in the index.php
Our version currently is 5.3.3-7+squeeze18 as reported by phpinfo which includes the 5.3.10 patch.
So how are you ensuring that this check also works with Debian based PHP installations?
We're quite afraid that although we actually run 5.3.10 your system would cause installation issues for our users.
(The above check is an example of how your system checks the version. The actual check that currently shows the message about Joomla 3.3 may be a different one but I believe it works the same).
We as one of the biggest dutch webhosters already got some questions from customers since we believe your check doesn't account for the way Debian works with patches (Upstream updates).
For instance, I can see a check immediately in the index.php
Code: Select all
if (version_compare(PHP_VERSION, '5.3.1', '<'))
{
die('Your host needs to use PHP 5.3.1 or higher to run this version of Joomla!');
}
So how are you ensuring that this check also works with Debian based PHP installations?
We're quite afraid that although we actually run 5.3.10 your system would cause installation issues for our users.
(The above check is an example of how your system checks the version. The actual check that currently shows the message about Joomla 3.3 may be a different one but I believe it works the same).
-
- Joomla! Fledgling
- Posts: 1
- Joined: Fri Feb 07, 2014 5:58 pm
Re: Raising The Bar On Security
Agreeing with the CentOS poster, another problematic OS is RHEL 6 (and Scientific Linux). We have the very latest patches on the very latest RHEL OS, and, in October we will not be able to upgrade to Joomla 3.3 and will not receive security patches for the 3.2.x releases. There is no alternative for RHEL/CentOS/Scientific Linux users. These are enterprise OSes and should be supported by Joomla. I strongly suggest the Leadership team revise their policy of not "writing conditional tests and using software appropriate to the PHP features found" in this case.
This is a serious problem.
This is a serious problem.
Re: Raising The Bar On Security
We attempted to account for hosts running versions of PHP which report as <5.3.10 and that resulted in the major issues that were in the 3.2.0 release. Those systems which are reporting older PHP versions but have patched in fixes and features from newer releases cause problems because they are not the true PHP version they are reporting.
- jk1
- Joomla! Enthusiast
- Posts: 213
- Joined: Thu Sep 21, 2006 8:53 pm
Re: Raising The Bar On Security
Might be a stupid question (because I'm not a coder), but I'm curious if this library on Github could be used to lower the PHP requirement to 5.3.7 instead of 5.3.10:
https://github.com/ircmaxell/password_compat
https://github.com/ircmaxell/password_compat
Re: Raising The Bar On Security
We are using that library actually. We chose to set 5.3.10 as our minimum due to higher level security vulnerabilities that existed before that version of PHP.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Tue Mar 18, 2014 10:08 am
Re: Raising The Bar On Security
I have to agree with the former posters. This decision is pretty stupid for every distro with backported patches. The only options for hosters who would like to run newer versions of Joomla is:
1) Build their own RPMs
2) Use Red Hat Software Collections [1]
2) Use unofficial repo channels like IUS, remi etc.
You should take in account that there might be websites that does NOT support PHP 5.4 on a server with a lot of clients. How do you keep both happy?
Running an enterprise distro with PHP 5.3.3 is perfectly fine with the password_compat library. You shouldn't force through newer versions, because you lack knowledge about frozen versions/don't care about the amount of headache this will cause in situations you might not have in mind when it was decided.
While I -do- support less vulnerable servers (either PHP or Joomla related), it's not your job to make PHP or hosts more secure, by screwing over those that is. If this was the case you might as well just stop supporting PHP 5.3 as it's basicly EOL...
References
1: https://www.redhat.com/about/news/press ... -databases
1) Build their own RPMs
2) Use Red Hat Software Collections [1]
2) Use unofficial repo channels like IUS, remi etc.
You should take in account that there might be websites that does NOT support PHP 5.4 on a server with a lot of clients. How do you keep both happy?
Running an enterprise distro with PHP 5.3.3 is perfectly fine with the password_compat library. You shouldn't force through newer versions, because you lack knowledge about frozen versions/don't care about the amount of headache this will cause in situations you might not have in mind when it was decided.
While I -do- support less vulnerable servers (either PHP or Joomla related), it's not your job to make PHP or hosts more secure, by screwing over those that is. If this was the case you might as well just stop supporting PHP 5.3 as it's basicly EOL...
References
1: https://www.redhat.com/about/news/press ... -databases
-
- Joomla! Fledgling
- Posts: 1
- Joined: Thu Mar 20, 2014 3:45 pm
Re: Raising The Bar On Security
Better security is good, but removing support for the most used distros (RHEL/CentOS/Debian) is a big no no.
You will end up with a worse senario if you don't allow PHP versions shipped with RHEL/CentOS/Debian. Either people will not use Joomla 3.3+ because their host don't support it (over 50%), or they wil use old vulnerable versions (<3.2.x). Both just as bad...
You will end up with a worse senario if you don't allow PHP versions shipped with RHEL/CentOS/Debian. Either people will not use Joomla 3.3+ because their host don't support it (over 50%), or they wil use old vulnerable versions (<3.2.x). Both just as bad...
-
- Joomla! Fledgling
- Posts: 1
- Joined: Fri May 02, 2014 2:25 pm
Re: Raising The Bar On Security
Hello mbabker,
It's definitely a great idea to set php version requirements to ensure a minimum of security patches have been applied, but...
Why can't Joomla do a more complex version check?
for example look for ANY of the following:
1 php 5.3.10+
2 Redhat backported php 5.3.3-5
3 Centos 6 backported php 5.3.3-7
3 Debian version...
A LOT of sites are on RHEL/CentOS/Debian and are fully up to date with security patches, but due to 'backporting' the version number is 'frozen' and will never pass your new test as it is currently written. It's not accurate to say that those versions of PHP are any less secure than 5.3.10.
Joomla! should also support those popular OS platforms. I know you don't want to encourage people to start custom compiling PHP because then it is unlikely that most of them will be properly maintained. This is why we use repositories; this is why there is backporting.
This problem can be simply solved by updating your minimum version criteria to account for backporting and thereby encompass these mainstream platforms.
Thanks for your consideration.
It's definitely a great idea to set php version requirements to ensure a minimum of security patches have been applied, but...
Why can't Joomla do a more complex version check?
for example look for ANY of the following:
1 php 5.3.10+
2 Redhat backported php 5.3.3-5
3 Centos 6 backported php 5.3.3-7
3 Debian version...
A LOT of sites are on RHEL/CentOS/Debian and are fully up to date with security patches, but due to 'backporting' the version number is 'frozen' and will never pass your new test as it is currently written. It's not accurate to say that those versions of PHP are any less secure than 5.3.10.
Joomla! should also support those popular OS platforms. I know you don't want to encourage people to start custom compiling PHP because then it is unlikely that most of them will be properly maintained. This is why we use repositories; this is why there is backporting.
This problem can be simply solved by updating your minimum version criteria to account for backporting and thereby encompass these mainstream platforms.
Thanks for your consideration.
-
- Joomla! Fledgling
- Posts: 3
- Joined: Tue May 06, 2014 3:10 pm
Re: Raising The Bar On Security
Found this thread through a google seach. As a new user to both CentOS 6.5 and Joomla! all I can say is this new requirement for the higher PHP version is tripping me up. I know the recommendations from the CentOS developers is to never update a package outside of the the stable release channel, and this is because all security fixes get back ported by people who know what they are doing to keep all the rest of us secure with a long term operating system. Living on the edge is fine for development operating systems like Fedora, but you need to drop back to a stable long term version on servers that will be around longer than 6 months at a time.
Just my two cents, wish I had the knowledge to suggest a better way of doing things, but I don't.
[edit] What a fully patched CentOS 6.5 system looks like, can't get rid of the Jommla! 3.3 upgrade notice
Just my two cents, wish I had the knowledge to suggest a better way of doing things, but I don't.
[edit] What a fully patched CentOS 6.5 system looks like, can't get rid of the Jommla! 3.3 upgrade notice
You do not have the required permissions to view the files attached to this post.
Re: Raising The Bar On Security
We tried with 3.2.0 and it failed massively. The only workable solution we could come up with was drawing the line at 5.3.7 minimum. We elected to raise to 5.3.10 because of a major security issue fixed between 5.3.7 and 5.3.10.meli3 wrote:Hello mbabker,
It's definitely a great idea to set php version requirements to ensure a minimum of security patches have been applied, but...
Why can't Joomla do a more complex version check?
for example look for ANY of the following:
1 php 5.3.10+
2 Redhat backported php 5.3.3-5
3 Centos 6 backported php 5.3.3-7
3 Debian version...
A LOT of sites are on RHEL/CentOS/Debian and are fully up to date with security patches, but due to 'backporting' the version number is 'frozen' and will never pass your new test as it is currently written. It's not accurate to say that those versions of PHP are any less secure than 5.3.10.
Joomla! should also support those popular OS platforms. I know you don't want to encourage people to start custom compiling PHP because then it is unlikely that most of them will be properly maintained. This is why we use repositories; this is why there is backporting.
This problem can be simply solved by updating your minimum version criteria to account for backporting and thereby encompass these mainstream platforms.
Thanks for your consideration.
-
- Joomla! Fledgling
- Posts: 2
- Joined: Mon Jul 27, 2009 2:02 pm
Re: Raising The Bar On Security
In my case, I have a lot of clients using websites with Joomla 1.5 and 2.5 and they don't want to pay for an upgrade of their websites to Joomla 3 because the websites are working perfectly, the server is secured and never had problems.
For some of them, I tested a new server with php 5.3.7 and that caused problems, so upgrading the entire server to php 5.3.10 or higher will cause me problems.
At this moment I manage multiple hosting accounts on different companies, the support is very good but the php version is 5.2-5.3, less than 5.3.10.
As most of the hosting companies does not offer 5.3.10 or higher, I will look for the Wordpress CMS for the future websites. You should consider that a big disappointment for one Joomla user with multiple websites. The decision is yours but the graphics shows worse for Joomla 3 as far as I can see.
For some of them, I tested a new server with php 5.3.7 and that caused problems, so upgrading the entire server to php 5.3.10 or higher will cause me problems.
At this moment I manage multiple hosting accounts on different companies, the support is very good but the php version is 5.2-5.3, less than 5.3.10.
As most of the hosting companies does not offer 5.3.10 or higher, I will look for the Wordpress CMS for the future websites. You should consider that a big disappointment for one Joomla user with multiple websites. The decision is yours but the graphics shows worse for Joomla 3 as far as I can see.
- gray_penguin
- Joomla! Apprentice
- Posts: 11
- Joined: Mon Aug 06, 2007 6:38 pm
Re: Raising The Bar On Security
Well, I have been a Joomla User since the Mambo days (11 years). This PHP "Security" requirement is a deal breaker for me. I run CentOS on all my servers. I will not be forced to custom build packages and make my servers less secure just because Joomla can not figure out that 5.3.3-27.el6_5 is basically the same as 5.3.10.
I guess I will have to try to find an alternative. Maybe PyroCMS....
I guess I will have to try to find an alternative. Maybe PyroCMS....
Re: Raising The Bar On Security
If anyone is aware of a highly reliable method in which these modified PHP 5.3.3 builds could be checked for compliance, we would be open to seeing if we could make them work. As I mentioned before, we have tried a check which used a combination of version number or features, specifically around the bcrypt changes in 5.3.7, and could not come up with a working solution.
- jk1
- Joomla! Enthusiast
- Posts: 213
- Joined: Thu Sep 21, 2006 8:53 pm
Re: Raising The Bar On Security
I suppose for CentOS users, two possible solutions are these:
http://webtatic.com/packages/php54/
http://rpms.famillecollet.com/enterprise/6/
http://webtatic.com/packages/php54/
http://rpms.famillecollet.com/enterprise/6/
-
- Joomla! Fledgling
- Posts: 1
- Joined: Thu May 08, 2014 2:02 pm
Re: Raising The Bar On Security
According to CVE Details, PHP 5.3.3, the version that is included in RHEL 5 (as php53) and RHEL 6 (as php) and the associated clones (CentOS, Scientific Linux, etc.) should have 61 vulnerabilities if unpatched. Since Red Hat backports patches, the version number doesn't tell the whole story when it comes to the security of the package.
What follows is a list of all 61 CVE vulnerabilities for PHP 5.3.3 and the associated information about that from Red Hat.
I started looking into all of these issues not knowing full well if Red Hat had addressed all of them, but I was confident that they had. Therefore, both RHEL 5 and RHEL 6 (and it's clones) have "raised the bar on security" and should be supported by Joomla 3.3.
What follows is a list of all 61 CVE vulnerabilities for PHP 5.3.3 and the associated information about that from Red Hat.
- CVE-2014-2497 Low Impact; Possible Future Fix
- CVE-2013-6420 Patch backported
- CVE-2013-4635 Not Vulnerable
- CVE-2013-4248 Patch backported
- CVE-2013-4113 Patch backported
- CVE-2013-2110 Not Vulnerable
- CVE-2013-1824 Not Vulnerable
- CVE-2013-1643 Patch backported
- CVE-2013-1635 Not a security issue
- CVE-2012-3450 Not a security issue
- CVE-2012-3365 Not a security issue
- CVE-2012-2688 Patch backported
- CVE-2012-2386 Patch backported
- CVE-2012-2376 Not Vulnerable
- CVE-2012-2336 Patch backported
- CVE-2012-2311 Not Vulnerable
- CVE-2012-2143 Patch backported
- CVE-2012-1823 Patch backported
- CVE-2012-1172 Patch backported
- CVE-2012-1171 Not a security issue
- CVE-2012-0831 Patch backported
- CVE-2012-0789 Patch backported
- CVE-2012-0788 Not a security issue
- CVE-2012-0057 Patch backported
- CVE-2011-4885 Patch backported
- CVE-2011-4718 Userland code changes required
- CVE-2011-3268 Not vulnerable
- CVE-2011-3267 Not vulnerable
- CVE-2011-3182 Not a security issue
- CVE-2011-2483 Patch backported
- CVE-2011-2202 Patch backported
- CVE-2011-1938 Patch backported
- CVE-2011-1471 Patch backported
- CVE-2011-1470 Not vulnerable
- CVE-2011-1469 Patch backported
- CVE-2011-1468 Patch backported
- CVE-2011-1467 Not a security issue
- CVE-2011-1466 Patch backported
- CVE-2011-1464 Not a security issue
- CVE-2011-1398 Patch backported
- CVE-2011-1153 Not a security issue
- CVE-2011-1148 Patch backported
- CVE-2011-1092 Not a security issue
- CVE-2011-0755 Not a security issue
- CVE-2011-0754 Not vulnerable; Windows only issue
- CVE-2011-0753 Not a security issue
- CVE-2011-0708 Patch backported
- CVE-2011-0421 No response
- CVE-2010-4700 Not vulnerable
- CVE-2010-4699 Not a security issue
- CVE-2010-4698 Not vulnerable
- CVE-2010-4697 Not a security issue
- CVE-2010-4645 Patch backported
- CVE-2010-4409 Not a security issue
- CVE-2010-4150 Not a security issue
- CVE-2010-3870 Patch backported
- CVE-2010-3710 Patch backported
- CVE-2010-3709 Patch backported
- CVE-2010-3436 Not a security issue
- CVE-2010-2950 Patch backported
- CVE-2006-7243 Patch backported
I started looking into all of these issues not knowing full well if Red Hat had addressed all of them, but I was confident that they had. Therefore, both RHEL 5 and RHEL 6 (and it's clones) have "raised the bar on security" and should be supported by Joomla 3.3.
-
- Joomla! Fledgling
- Posts: 1
- Joined: Mon May 12, 2014 11:22 am
Re: Raising The Bar On Security
Hi,
I am also running into the problem using RedHat Enterprise Linux 6 and being no longer able to use Joomla 3.3 and up.
We use RHEL because of their backporting policy. Having a company backporting security fixes without braking current behaviour is very important for us and that's what we actually pay for.
By forcing us to use Non-Standard-Packages, Joomla actually lowers the bar on security, as you force your customers to use not-so-well-tested Packages, where it is a bit unkown how often and for how long the will be updated by the maintainers.
Additionally, I can not easily swap in a new PHP Version as other Software that comes with the distribution except the RHEL Version of PHP. Software written for RHEL actually can except der RHEL Version, as stability is the core and the heart of Enterprise Distributions.
I strongly suggest to revise your decision and support RHEL/CentOS and so on throughout their Lifetime, as they can actually easily jump over the new height of the security bar.
best regards
florian
I am also running into the problem using RedHat Enterprise Linux 6 and being no longer able to use Joomla 3.3 and up.
We use RHEL because of their backporting policy. Having a company backporting security fixes without braking current behaviour is very important for us and that's what we actually pay for.
By forcing us to use Non-Standard-Packages, Joomla actually lowers the bar on security, as you force your customers to use not-so-well-tested Packages, where it is a bit unkown how often and for how long the will be updated by the maintainers.
Additionally, I can not easily swap in a new PHP Version as other Software that comes with the distribution except the RHEL Version of PHP. Software written for RHEL actually can except der RHEL Version, as stability is the core and the heart of Enterprise Distributions.
I strongly suggest to revise your decision and support RHEL/CentOS and so on throughout their Lifetime, as they can actually easily jump over the new height of the security bar.
best regards
florian
-
- Joomla! Apprentice
- Posts: 7
- Joined: Fri Feb 27, 2009 6:32 pm
Re: Raising The Bar On Security
I have a number of client sites hosted by a company who are very professional and offer me a very good business model.
Sadly some of my clients are now telling me I need to upgrade them to Joomla 3.3 - and I have to tell them I can't - because in common with many other Hosters they are running Centos/Plesk, fully patched, but as far as Joomla is concerned "at the wrong level". The security of the environment and installation is obviously important, but refusing to install and forcing the Joomla user to consider alternate setups is clearly not the way to go.
A Warning message clearly stating "This installation is insecure if not supported by PHP version x.y.z" should be flagged up and echoed in the configuration panel, but blocking installation is counter-productive.
Joomla can only ever be as secure as the environment in which it 'sits' and should be inherently secure within the constraints of that environment, but it should not be the Joomla team who mandate what security is run on the host.
Very disappointed, and like Florian, I hope a workaround for this enterprise class setup arrives soon...
Sadly some of my clients are now telling me I need to upgrade them to Joomla 3.3 - and I have to tell them I can't - because in common with many other Hosters they are running Centos/Plesk, fully patched, but as far as Joomla is concerned "at the wrong level". The security of the environment and installation is obviously important, but refusing to install and forcing the Joomla user to consider alternate setups is clearly not the way to go.
A Warning message clearly stating "This installation is insecure if not supported by PHP version x.y.z" should be flagged up and echoed in the configuration panel, but blocking installation is counter-productive.
Joomla can only ever be as secure as the environment in which it 'sits' and should be inherently secure within the constraints of that environment, but it should not be the Joomla team who mandate what security is run on the host.
Very disappointed, and like Florian, I hope a workaround for this enterprise class setup arrives soon...
-
- Joomla! Apprentice
- Posts: 28
- Joined: Sat Nov 09, 2013 3:44 pm
- Location: Polska
- Contact:
Re: Raising The Bar On Security
In some of hosts users can choose which version of PHP they want to use, simply by writing one line of code in .htaccess:
# Use PHP 5.4
AddHandler application/x-httpd-php54 .php
I believe, that this would be the best solution for everybody.
# Use PHP 5.4
AddHandler application/x-httpd-php54 .php
I believe, that this would be the best solution for everybody.
-
- Joomla! Fledgling
- Posts: 3
- Joined: Mon May 19, 2014 12:52 pm
Re: Raising The Bar On Security
Raising The Bar On Security!
I would say, that it should be better known for "Joomla - Raising the bar on taking down sites!"
The joomla upgrade should have had a server check in the upgrade process, which would stop the upgrade if the correct version of php was NOT installed.
We are using servers from one of the largest (and best in my eyes) server providers in the world. Even a new server purchased and setup with all security patches preloaded on yesterday (about 3 weeks after the release of Joomla 3.3), does not have php 5.3.10.
I wonder how many Joomla sites are already now down due to this raising of the bar?
How many more will go down when clients press update and the server does not have the correct version of php, but Joomla does the upgrade anyways, and then takes down the site?
Brad
I would say, that it should be better known for "Joomla - Raising the bar on taking down sites!"
The joomla upgrade should have had a server check in the upgrade process, which would stop the upgrade if the correct version of php was NOT installed.
We are using servers from one of the largest (and best in my eyes) server providers in the world. Even a new server purchased and setup with all security patches preloaded on yesterday (about 3 weeks after the release of Joomla 3.3), does not have php 5.3.10.
I wonder how many Joomla sites are already now down due to this raising of the bar?
How many more will go down when clients press update and the server does not have the correct version of php, but Joomla does the upgrade anyways, and then takes down the site?
Brad
-
- Joomla! Apprentice
- Posts: 7
- Joined: Fri Feb 27, 2009 6:32 pm
Re: Raising The Bar On Security
@zjoomla22 - I think you might be getting a bit excited.
On all of my existing sites, clicking the upgrade button does NOT upgrade to 3.3. It upgrades to 3.2.4 and leaves the message "you should upgrade to 3.3" on the site - annoying, but not in all fairness, fatal.
I would be very interested in which 'world class provider' you are using, and also, if you were upgrading or installing from scratch?
On all of my existing sites, clicking the upgrade button does NOT upgrade to 3.3. It upgrades to 3.2.4 and leaves the message "you should upgrade to 3.3" on the site - annoying, but not in all fairness, fatal.
I would be very interested in which 'world class provider' you are using, and also, if you were upgrading or installing from scratch?
Advertisement