Discuss Joomla! 3.9.25

[pe7er]

Here you can discuss about the release of Joomla 3.9.25

See Announcement: viewtopic.php?f=8&t=985109

[toivo]

Localhost test sites and remote sites updated smoothly, as usual. Kudos to the teams and individuals behind this update !

[PhilTaylor-Prazgod]

For balance, readers should also read https://www.akeeba.com/static-content/5 ... nyway.html which provides insight on two of the reported "vulnerabilities" fixed in this release.

[leolam]

@PhilTaylor +1

Leo

[gws]

Yes @Phil Taylor that is an interesting read on Security.

[darb]

@PhilTaylor +1

Leo

Interesting. why this confusing issues?

[PhilTaylor-Prazgod]

Also [3.9.25] breaks folder name validation because it assumes all folders must start with a-zA-Z

https://github.com/joomla/joomla-cms/issues/32567

[Maradona]

Hi,

Wrong link in 'Additional Information' under Joomla Update.

Thanks

[toivo]

Wrong link in 'Additional Information' under Joomla Update.

Thank you for reporting this. It has now been fixed.

[gsmela]

@PhilTaylor +1

[Maradona]

Thank you for reporting this. It has now been fixed.

Looks like it still going to the wrong link in all of my website

[toivo]

@Maradona, sorry - the link that was fixed was only in the 3.9.25 Announcement here in the forum.

The broken link 'Additional Information' in the Joomla! Update page on an actual website, for example http://example.com/administrator/index. ... omlaupdate, will now be raised as a new item in Joomla! Issue Tracker.

[xtremo54]

I notice there was an issue pointed out earlier......so is it OK to do the update or should I wait for a possible 3.9.26 to replace it?

[toivo]

I notice there was an issue pointed out earlier......so is it OK to do the update or should I wait for a possible 3.9.26 to replace it?

The information is available from the Github link. If your website does not use folder names starting with numbers, dots or national language characters outside the range a-z A-Z, you should update to 3.9.25 but otherwise wait.

[xtremo54]

I notice there was an issue pointed out earlier......so is it OK to do the update or should I wait for a possible 3.9.26 to replace it?

The information is available from the Github link. If your website does not use folder names starting with numbers, dots or national language characters outside the range a-z A-Z, you should update to 3.9.25 but otherwise wait.

Many thanks toivo......I'll hold off and see if there's any update.

[PhilTaylor-Prazgod]

I notice there was an issue pointed out earlier......so is it OK to do the update or should I wait for a possible 3.9.26 to replace it?

It doesn't seem that the Joomla Project is giving this any urgency at all and we are not seeing any flurry of activity for a new release urgently like previously.

@HLeithner has declared: "I will write a FAQ entry later today and propose a pr too."

https://github.com/joomla/joomla-cms/issues/32567

Previously they have stated that Joomla 3.9.24 was the last in the Joomla 3 series and only security releases would be considered after that. But here we are.

I would say, if you KNOW you never use folders with a starting char that is not a A-Z or a-z then you should upgrade asap to Joomla 3.9.25.

If you KNOW you DO use folders starting with other chars, including 0-9 or non-latin chars, then I would also say upgrade to Joomla 3.9.25 asap, and then modify the line in question to add your additional characters to the regex (or remove the "return false" in the regex check.

Remember that this is only one security fix amongst the nine fixed in Joomla 3.9.25 (although two others are contested).

There is a new Joomla 3.9.26 milestone created in GitHub, so there "will probably be" a Joomla 3.9.26, if the project so decides.

https://github.com/joomla/joomla-cms/milestone/67

[xtremo54]

I notice there was an issue pointed out earlier......so is it OK to do the update or should I wait for a possible 3.9.26 to replace it?

It doesn't seem that the Joomla Project is giving this any urgency at all and we are not seeing any flurry of activity for a new release urgently like previously.

@HLeithner has declared: "I will write a FAQ entry later today and propose a pr too."

https://github.com/joomla/joomla-cms/issues/32567

Previously they have stated that Joomla 3.9.24 was the last in the Joomla 3 series and only security releases would be considered after that. But here we are.

I would say, if you KNOW you never use folders with a starting char that is not a A-Z or a-z then you should upgrade asap to Joomla 3.9.25.

If you KNOW you DO use folders starting with other chars, including 0-9 or non-latin chars, then I would also say upgrade to Joomla 3.9.25 asap, and then modify the line in question to add your additional characters to the regex (or remove the "return false" in the regex check.

Remember that this is only one security fix amongst the nine fixed in Joomla 3.9.25 (although two others are contested).

There is a new Joomla 3.9.26 milestone created in GitHub, so there "will probably be" a Joomla 3.9.26, if the project so decides.

https://github.com/joomla/joomla-cms/milestone/67

Thanks Phil!

I know for a fact that some sites will have image folders starting with numbers so I'm just going to hold off until we get some sort of update to this.

[PhilTaylor-Prazgod]

And to be clear. This is NOT just about image folders.

This is about any folder path that is validated by the joomla file path rule class.

This could effect 3rd party extensions if they implement that rule too.

[BillyS]

There is a saying in the United States "it takes a big man to admit when he's wrong" (and yes, I do wear a mask - and yes, I did consider moving out of the country - and yes, I am hesitant to even admit I live here after the last four years)

Based on my read of this situation, we have egos getting in the way of customer service. This shouldn't be about who is right and who is wrong but about providing the community with a quality product. I get that as a community we rely on great people to make Joomla a reality but I will leave with some food for thought.

If you were this same role and you introduced this bug to your paying customers, would you fix it immediately?

[yaanimai]

Do we know when they plan to release 3.9.26 to fix the bug introduced by 3.9.25? I prefer not to upgrade to a release that can introduce problems for a currently functioning website, Thanks for any info you can provide!

[xtremo54]

I find it odd that this announcement went out on Twitter yesterday:

A bug has been introduced in 3.9.25 and the Release Team is working on a fix. We are sorry for the inconvenience. Stay tuned!

But I can't see any official announcement here.

[toivo]

The release FAQ mentions the issue: Version 3.9.25 FAQ

[Fan33GR]

3 sites updated without any problem. Thanks Joomla! team!

[ribo]

Updating many joomla sites without any issue. Thank you joomla team

[gilplane]

About ten wesites updated to Joomla 3.9.25 from 3.9.24 with concern and apprehension in view of the above messages.
All went well. Configuration: Joomla, JCE;, Templates Yootheme warp 7, Hikashop, Widgetkit etc ...
Thanks to the Joomla team for this work!

[Jaydot]

20+ sites updated flawlessly.
(I didn't expect the bug to affect my sites - and as far as I can tell, it didn't).
Thanks, Joomla team.

[xtremo54]

I'm still holding off.....I'm not taking the risk.

[ribo]

I'm still holding off.....I'm not taking the risk.

There is not any risk if you always back up before.

[xtremo54]

I'm still holding off.....I'm not taking the risk.

There is not any risk if you always back up before.

I have many sites......it would take me all day to restore the lot.

Plus it would be disruption to business sites......that can't happen.

[leolam]

As posted on Github on the issue:

Why are we so stupid and ignorant @HLeithner not to simply do a quick release where thousands of website are broken because of this? i personally can add or remove line in a piece of code but many users cannot or don't care. A reference to a FAQ does not work since we all know that nobody reads the notes or FAQ...." If I have a problem how should I know that I have to look at FAQ's?" These are not posted on the Joomla forums so most users have no way to find out why the release broke their site

Get a release with a fix out ...you are in charge so do something quick for this community please? Typing many reactions here and elsewhere takes you more time then simply changing a few lines of code and releasing the patch! Get over your pride and spend 30 minutes to get this issue solved!!!

Leo