Discuss Joomla! 3.4.6

A place to discuss recent announcements made by the Joomla! Core Team. Let's hear what you have to say.
pe7er
Joomla! Master
Posts: 21851
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, The Netherlands

Discuss Joomla! 3.4.6

Postby pe7er » Mon Dec 14, 2015 3:05 pm

Here you can discuss the release of Joomla 3.4.6.

See Announcement: viewtopic.php?f=8&t=902594
Kind Regards,
Peter Martin, Global Moderator
https://db8.nl - Joomla specialist, Nijmegen, Nederland
Developer of Options Manager Lite https://db8.eu/download/file/options-manager-lite

yaanimai
Joomla! Explorer
Posts: 327
Joined: Thu Jun 14, 2007 2:48 pm
Location: Coppell, Texas

Re: Discuss Joomla! 3.4.6

Postby yaanimai » Mon Dec 14, 2015 3:14 pm

Hi,

I have updated 3 Joomla 3.4.5 websites to Joomla 3.4.6

I have one other Joomla 3.4.5 website that says there are no updates to make, that I already have the latest version, even though it is 3.4.5

How do I manually apply the Joomla 3.4.6 fix if I can't do it through the Joomla Update component?

Thank you.

yaanimai
Joomla! Explorer
Posts: 327
Joined: Thu Jun 14, 2007 2:48 pm
Location: Coppell, Texas

Re: Discuss Joomla! 3.4.6

Postby yaanimai » Mon Dec 14, 2015 3:23 pm

I noticed that the 3 Joomla sites that I have updated all say in the System>Control Panel under the Maintenance section

Backup is up-to-date
Joomla! is up-to-date
All extensions are up-to-date

But the Joomla 3.4.5 website says

Backup is up-to-date
All extensions are up-to-date

There is no mention of the status of Joomla.

yaanimai
Joomla! Explorer
Posts: 327
Joined: Thu Jun 14, 2007 2:48 pm
Location: Coppell, Texas

Re: Discuss Joomla! 3.4.6

Postby yaanimai » Mon Dec 14, 2015 3:27 pm

I updated the website to Joomla 3.4.6 using my Watchful.li app, but the Joomla status in the Control Panel Maintenance section is still missing?

yaanimai
Joomla! Explorer
Posts: 327
Joined: Thu Jun 14, 2007 2:48 pm
Location: Coppell, Texas

Re: Discuss Joomla! 3.4.6

Postby yaanimai » Mon Dec 14, 2015 3:35 pm

Never Mind, I think I figured it out.

The "Quick Icon - Joomla! Update Notification" plugin was disabled for some reason. I enabled it & the Joomla status in the Control Panel>Maintenance section now says "Joomla! is up-to-date"

This was a user error on my part. You can delete my posts if you want to as they are not relevant to the 3.4.6 upgrade. Thank you!

leolam
Joomla! Master
Posts: 18466
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Discuss Joomla! 3.4.6

Postby leolam » Mon Dec 14, 2015 4:14 pm

Thank you for making patches available for Joomla users J1.5 and Joomla 2.5 despite these versions being well beyond End Of Life! Great job! Thanks to Brian Teeman as well for the tests on J15 and J25!

Leo 8)
Celebrating 12-Years of Professional Joomla Support Services
- Joomla Professional Support: https://gws-desk.com -
- Joomla Specialized Hosting Solutions: https://gws-host.com -
- Member Joomla Bug Squad & J-CMS Release Team

Americandane
Joomla! Fledgling
Posts: 4
Joined: Fri Feb 13, 2015 4:25 pm

Re: Discuss Joomla! 3.4.6

Postby Americandane » Mon Dec 14, 2015 5:26 pm

We are just finishing the 3.4.5 upgrade. Is there a manual patch or list of changed core files vis-à-vis 3.4.5?

Americandane
Joomla! Fledgling
Posts: 4
Joined: Fri Feb 13, 2015 4:25 pm

Re: Implications of the 3.4.5 vulnerability

Postby Americandane » Mon Dec 14, 2015 5:29 pm

What is the user consequence? I'm trying to assess if we need to close the site until the upgrade is accomplished.

leolam
Joomla! Master
Posts: 18466
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Discuss Joomla! 3.4.6

Postby leolam » Mon Dec 14, 2015 5:31 pm

No need, just hit the upgrade button and the site upgrades from 3.4.5 to 3.4.6 in nano-seconds (it is only 62 K).

Leo 8)
Last edited by leolam on Tue Dec 15, 2015 6:29 am, edited 1 time in total.
Celebrating 12-Years of Professional Joomla Support Services
- Joomla Professional Support: https://gws-desk.com -
- Joomla Specialized Hosting Solutions: https://gws-host.com -
- Member Joomla Bug Squad & J-CMS Release Team

mandville
Joomla! Master
Posts: 14348
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Discuss Joomla! 3.4.6

Postby mandville » Mon Dec 14, 2015 8:58 pm

If you cannot see it in your "update" on the extension panel, then you can clear the cache and manually run the Joomla update from the components menu.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

anotart
Joomla! Apprentice
Posts: 13
Joined: Wed Apr 18, 2012 3:54 pm

Re: Discuss Joomla! 3.4.6

Postby anotart » Mon Dec 14, 2015 9:43 pm

leolam wrote: Thank you for making patches available for Joomla users J1.5 and Joomla 2.5 despite these versions being well beyond End Of Life! Great job! Thanks to Brian Teeman as well for the tests on J15 and J25!

Leo 8)


I found the download for J2.5 (SessionFix25v1.zip), but can't find the instructions for the manual update. If I try to install using the extension manager, I get this message: JInstaller: :Install: Cannot find XML setup file.

Can you please help me see what I'm missing?

Thanks!

andypooz
Joomla! Guru
Posts: 677
Joined: Sat Dec 30, 2006 3:03 pm
Location: London, UK

Re: Discuss Joomla! 3.4.6

Postby andypooz » Tue Dec 15, 2015 12:40 am

@anotart
From what I can tell it's just libraries/joomla/session/session.php that's been updated in the recent patch (to 2.5 EOL), so if you get this file from GitHub https://github.com/PhilETaylor/Joomla2.5.999 and substitute it in place of the old file (always saving the old file as a .bk in case) then I think you're OK. That's what I've done.
If this doesn't cut it, someone let me know and I'll need to take further action too!
Cheers
Andy
Andy Hickey
Bespoke Joomla Extension Developer
http://www.netamity.com

anotart
Joomla! Apprentice
Posts: 13
Joined: Wed Apr 18, 2012 3:54 pm

Re: Discuss Joomla! 3.4.6

Postby anotart » Tue Dec 15, 2015 2:30 am

Thank you, Andy. That makes sense! I appreciate the help and will watch for someone to confirm the approach.

Anne

Update:

Yes, this is the correct process -- found this from OSTraining:

https://www.ostraining.com/blog/joomla/hotfixes/

artdecotech
I've been banned!
Posts: 2
Joined: Wed Nov 26, 2014 6:59 pm

Re: Discuss Joomla! 3.4.6 High Severity Vulnerability

Postby artdecotech » Tue Dec 15, 2015 3:33 pm

Sucuri has put out two blog posts discussing this update. The severity of the security issue should be highlighted and discussed... This one is already being exploited in the wild, fairly heavily.

Make sure you update ASAP! and check your Joomla site for malware if you were late to the update.

https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html

You can use a decent Website Firewall to virtually patch Joomla if you can't update for any reason.

Just want to make sure everyone is aware of the severity.

leolam
Joomla! Master
Posts: 18466
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Discuss Joomla! 3.4.6

Postby leolam » Tue Dec 15, 2015 3:42 pm

Sucuri is just one of the providers who earn big bucks off providing fear to users of all kinds of CMS solutions. Your post has no contribution to the issue since it is posted in the discussion about the patched software as posted by Joomla and is more a promotion of the Sucuri services since it is just a reaction to the official Joomla announcement..... Tell me what it actually contributes aside from the Joomla announcements?

Leo 8)
Celebrating 12-Years of Professional Joomla Support Services
- Joomla Professional Support: https://gws-desk.com -
- Joomla Specialized Hosting Solutions: https://gws-host.com -
- Member Joomla Bug Squad & J-CMS Release Team

artdecotech
I've been banned!
Posts: 2
Joined: Wed Nov 26, 2014 6:59 pm

Re: Discuss Joomla! 3.4.6

Postby artdecotech » Tue Dec 15, 2015 4:12 pm

Thanks Leo. Most users, average users, don't understand the importance of security updates. I was surprised to see there wasn't much discussion on this forum about the issue yet. Are you suggesting I shouldn't bring up security issues on this forum or specifically in this thread?

leolam wrote: Sucuri is just one of the providers who earn big bucks off providing fear to users of all kinds of CMS solutions. Your post has no contribution to the issue since it is posted in the discussion about the patched software as posted by Joomla and is more a promotion of the Sucuri services since it is just a reaction to the official Joomla announcement..... Tell me what it actually contributes aside from the Joomla announcements?

Leo 8)


I suggested using a WAF if you can't update... not Sucuri specifically. I think it's important to spread the word about vulnerabilities so that people know they should patch, and why it is so important. The official Joomla announcement doesn't have as much detail as the post I linked to, so I thought it would be valuable to people.

Is it better not to discuss the vulnerability? Just curious about your take on responsible disclosure.

I thought this would be the most appropriate place to post this since it is a discussion of the update.

wrongjon
Joomla! Apprentice
Posts: 34
Joined: Thu Oct 11, 2007 2:59 pm

Re: Discuss Joomla! 3.4.6

Postby wrongjon » Wed Dec 16, 2015 12:20 am

Hi guys

Anyone know if I can just upload the Joomla 3.4.6 session.php file for a Joomla 3.2.3 site, as it will take a lot longer to upgrade it properly due to template/plugin issues?

Is there a patch for 3.2 sites?

thanks

leolam
Joomla! Master
Posts: 18466
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Discuss Joomla! 3.4.6

Postby leolam » Wed Dec 16, 2015 3:55 am

@wrongjon: That is a completely wrong approach since you miss out in that case on the High risk security issues that were patched with the release of Joomla 3.4.5. Actually your site is now highly vulnerable to multiple critical security issues. See the announcement for Joomla 3.4.5 viewtopic.php?f=8&t=896677
Your site could be whacked any moment at present. If you have hard coded your template changes and not used overrides as should be done it is a good moment to rectify that now (see https://docs.joomla.org/Understanding_Output_Overrides)

But you need to upgrade otherwise you will be hacked at any moment for sure!

Leo 8)
Celebrating 12-Years of Professional Joomla Support Services
- Joomla Professional Support: https://gws-desk.com -
- Joomla Specialized Hosting Solutions: https://gws-host.com -
- Member Joomla Bug Squad & J-CMS Release Team

wrongjon
Joomla! Apprentice
Posts: 34
Joined: Thu Oct 11, 2007 2:59 pm

Re: Discuss Joomla! 3.4.6

Postby wrongjon » Wed Dec 16, 2015 1:49 pm

Thanks Leolam
Yes you are correct I need to set aside time to get that site fully upgraded ASAP

cheers
Jonathan

0zz1
Joomla! Apprentice
Posts: 36
Joined: Mon May 07, 2007 5:01 am

Re: Discuss Joomla! 3.4.6

Postby 0zz1 » Wed Dec 16, 2015 2:30 pm

What are the files that changed in between 3.4.5 and 3.4.6 ...

My site is closed by the host due to suspicious activity. I'm not 100% sure but I think this suspicious activity was the update I did using the Watchful.fi app. Can someone confirm if these are the files the patch updates, or likewise if it's not, then it would also be great to know, as then I might be hacked.

(I did check all the files below and they look identical to a 3.4.6 fresh download.)

public_html/index.php : The value has been modified
public_html/administrator/index.php : The value has been modified
public_html/templates/beez3/index.php : The value has been modified
public_html/administrator/templates/hathor/index.php : The value has been modified
public_html/templates/protostar/index.php : The value has been modified
public_html/administrator/templates/isis/index.php : The value has been modified

By the way, anyone else thinking that the admin template name isis might be a bit of a bad idea?
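
The comparison described in the post above (live files against a fresh 3.4.6 download), as an added example that is not part of the original thread: it hashes each flagged file in both trees and reports which are identical, modified or missing. `FLAGGED`, `diff_trees` and `demo` are names introduced here, and the directory names and file contents built in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# The files the host flagged in the post, relative to public_html.
FLAGGED = [
    "index.php",
    "administrator/index.php",
    "templates/beez3/index.php",
    "administrator/templates/hathor/index.php",
    "templates/protostar/index.php",
    "administrator/templates/isis/index.php",
]

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def diff_trees(reference_root, other_root, rel_paths=None):
    """Compare files by content. With rel_paths=None every file shipped in
    reference_root is checked, which also lists what changed between two
    releases when both roots are extracted packages."""
    ref_root, other = Path(reference_root), Path(other_root)
    if rel_paths is None:
        rel_paths = sorted(p.relative_to(ref_root).as_posix()
                           for p in ref_root.rglob("*") if p.is_file())
    status = {}
    for rel in rel_paths:
        ref_file, other_file = ref_root / rel, other / rel
        if not ref_file.is_file():
            status[rel] = "not-in-reference"  # cannot be verified this way
        elif not other_file.is_file():
            status[rel] = "missing"
        elif sha256_of(ref_file) == sha256_of(other_file):
            status[rel] = "identical"
        else:
            status[rel] = "modified"
    return status

def demo():
    """Build two small constructed trees and compare the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, site = Path(tmp, "fresh-3.4.6"), Path(tmp, "public_html")
        for root in (ref, site):
            for rel in FLAGGED:
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text("<?php // constructed stand-in: " + rel)
        (site / "templates/beez3/index.php").write_text("<?php // edited locally")
        (site / "administrator/index.php").unlink()
        return diff_trees(ref, site, FLAGGED)
```

A "modified" result only says the file differs from the reference package; a template index.php edited by hand shows up the same way as a tampered one, so each difference still has to be read.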

leolam
Joomla! Master
Posts: 18466
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ UK/ S'pore/Jakarta/ North America

Re: Discuss Joomla! 3.4.6

Postby leolam » Wed Dec 16, 2015 3:21 pm

0zz1 wrote: What are the files that changed in between 3.4.5 and 3.4.6 ...

None in what you post. The entire update in a zipped file is 62K and is related to the session.php

Change host if they block you for a Joomla security update!

Also, the ISIS template has been with us since Joomla 2.5, January 2012. You must know that the current Islamic terrorist group that is referred to as 'isis' was established way later than the template 'isis' was released.

Leo 8)
Celebrating 12-Years of Professional Joomla Support Services
- Joomla Professional Support: https://gws-desk.com -
- Joomla Specialized Hosting Solutions: https://gws-host.com -
- Member Joomla Bug Squad & J-CMS Release Team

Maggiecassella
Joomla! Fledgling
Posts: 1
Joined: Thu Dec 17, 2015 3:32 am

Re: Discuss Joomla! 3.4.6 - No front end after updating!

Postby Maggiecassella » Thu Dec 17, 2015 3:40 am

Hi there,

I'm at a total loss. I got the security notice update and ran the update from 3.4.5 to 3.4.6 and now my front end is completely gone. When you go to my website you get this message: 0 - No HTTP response code found. I've called my host; they are stumped. Is this on the Joomla end? I have another site I did not run the update on and the front end is fine so obviously I'm assuming it's the update. But I can not find anyone else with this problem. Anybody? Any help would be greatly appreciated.

Thanks in advance

Maggie Cassella

itoctopus
Joomla! Virtuoso
Posts: 4004
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Discuss Joomla! 3.4.6

Postby itoctopus » Thu Dec 17, 2015 6:05 am

I think what Sucuri did was horrible - since they made the issue public and almost at the same time they informed the Joomla team. They should have informed the Joomla team in advance and shouldn't have published that blog post where they explained, in detail, how one of their websites was exploited (thus spreading the knowledge of how to hack Joomla websites < 3.4.6).

The amount of websites exploited due to their blog post is just sad - and literally every Joomla website is under attack at the moment (all the websites that we manage have that fake user agent in the logs every few minutes from a different IP).

Interestingly, Apache's ModSecurity were very proactive, and released a patch almost immediately that blocked these malicious user agents for 40 minutes by default. Take a look at this line from ModSecurity's log:

Message: Access denied with code 500 (phase 2). Pattern match "jdatabase driver mysql" at REQUEST_HEADERS:User-Agent. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "960"] [id "5000306"]


By the way, I found it really odd that most of the IPs attacking our clients were from Manchester, UK - I expected the attacks to come from the "usual" places - but not this time.

I think the Joomla team did a fantastic job of patching this issue almost instantly but this whole mess wouldn't be such a big mess if Sucuri chose not to disclose the details of the attack in their blog post.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
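
A log check built on the ModSecurity line quoted in the post above, as an added example that is not part of the original thread: it scans access log lines for the rule's "jdatabase driver mysql" pattern in the User-Agent, groups hits by source IP, and counts the ones answered with a 2xx status before the site was updated. The combined log layout, the separator-stripping normalization, the sample lines and the `patched_at` time are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log layout: Apache/nginx "combined" format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>.*)"$'
)
# The pattern from the quoted ModSecurity log line, separators removed.
MARKER = "jdatabasedrivermysql"

def normalize(user_agent):
    """Lowercase and keep only letters and digits, so spacing, case and
    punctuation variants compare equal (an assumed approximation of the
    transformations the quoted rule applies before matching)."""
    return re.sub(r"[^a-z0-9]", "", user_agent.lower())

def scan(lines, patched_at=None):
    """Return {ip: {"hits", "first", "last", "served_unpatched"}} for marker hits."""
    report = defaultdict(
        lambda: {"hits": 0, "first": None, "last": None, "served_unpatched": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or MARKER not in normalize(m["ua"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = report[m["ip"]]
        entry["hits"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
        # A 2xx reply before the update means the request was not blocked
        # and was served by unpatched code: check that site for malware.
        if patched_at and ts < patched_at and m["status"].startswith("2"):
            entry["served_unpatched"] += 1
    return dict(report)

# Constructed sample lines (documentation IP ranges, placeholder user agents).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Dec/2015:16:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [14/Dec/2015:16:05:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "constructed-sample JDatabase_Driver_Mysql"',
    '203.0.113.9 - - [15/Dec/2015:09:12:03 +0000] "GET / HTTP/1.1" 500 310 "-" "constructed-sample jdatabase driver mysql"',
    '198.51.100.7 - - [15/Dec/2015:09:14:55 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "constructed-sample JDatabase_Driver_Mysql"',
]

if __name__ == "__main__":
    patched = datetime(2015, 12, 14, 18, 0, tzinfo=timezone.utc)  # constructed
    for ip, info in scan(SAMPLE_LOG, patched).items():
        print(ip, info["hits"], info["served_unpatched"], info["first"], info["last"])
```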

yellowwebmonkey
Joomla! Explorer
Posts: 324
Joined: Tue Nov 17, 2009 4:22 am
Location: Central Texas

Re: Discuss Joomla! 3.4.6

Postby yellowwebmonkey » Thu Dec 17, 2015 8:20 pm

Is there anything in the update to 3.4.6 that causes/changes files written to /administrator/cache/_system/ or /cache/_system/? The latest release of RSFirewall is detecting them as malware for Possible PHP injection. I am trying to determine what is causing it and if it is in fact malware.

Thanks!
Last edited by yellowwebmonkey on Thu Dec 17, 2015 10:56 pm, edited 1 time in total.

brian
Joomla! Master
Posts: 11454
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Discuss Joomla! 3.4.6

Postby brian » Thu Dec 17, 2015 9:00 pm

itoctopus wrote: I think what Sucuri did was horrible - since they made the issue public and almost at the same time they informed the Joomla team.


They did not inform Joomla. They didn't know anything about it until AFTER Joomla announced it and AFTER someone else had reported it to the Joomla team.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

dedmonds
Joomla! Fledgling
Posts: 1
Joined: Fri Dec 18, 2015 6:59 pm

Re: Discuss Joomla! 3.4.6

Postby dedmonds » Fri Dec 18, 2015 7:06 pm

My Provider - heartinternet - has suspended my website. They won't update to the new version without me deleting all content, meaning I will have to re-build the entire website from scratch!!! Anybody know why they are suggesting this, please?

brian
Joomla! Master
Posts: 11454
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: Discuss Joomla! 3.4.6

Postby brian » Fri Dec 18, 2015 7:09 pm

Because they are idiots
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

