(Nov 7) Updated java-1.7.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical [More…]
Comment
- Project: Joomla!
- SubProject: All
- Severity: Moderate
- Versions: 2.5.14 and earlier 2.5.x versions. 3.1.5 and earlier 3.x versions.
- Exploit type: XSS Vulnerability
- Reported Date: 2013-October-26
- Fixed Date: 2013-November-06
- CVE Number:
Description
Inadequate filtering leads to XSS vulnerability in com_contact.
Affected Installs
Joomla! version 2.5.14 and earlier 2.5.x versions; and version 3.1.5 and earlier 3.0.x versions.
Solution
Upgrade to version 2.5.16, 3.1.6 or 3.2.
Contact
The JSST at the Joomla! Security Center.
Reported By: Osanda Malith
The following functionalities were improved:
[*]Security improvements (PPPM-970)
[*]The parameter “OLD_LOGIN_NAME” was added for the following event handlers: “Domain deleted”, “Default domain, alias deleted”, “Domain alias deleted”, “Subdomain deleted”, and “Subdomain of a default domain deleted”. This parameter returns the username of the object owner.
[*]The administrator can now prohibit all customers from changing the name of their system user, even the customers granted the Hosting settings management permission. The following command can be used on Linux systems:
# plesk bin server_pref -forbid-ftp-user-rename <true|false|forced>
The following command can be used on Windows systems:
“%plesk_bin%”server_pref -forbid-ftp-user-rename <true|false|forced>
# plesk bin server_pref -forbid-ftp-user-rename <true|false|forced>
The following command can be used on Windows systems:
“%plesk_bin%”server_pref -forbid-ftp-user-rename <true|false|forced>
The following issue was resolved:
[-] File manager could not open files for viewing if these files contained umlauts or symbols encoded in CP1251. (PPPM-942)
Joomla! 2.5.16 Released
Nov07
The Joomla Project is pleased to announce the immediate availability of Joomla 2.5.16. 2.5.16 addresses three critical issues reported after the release of 2.5.15 earlier today. Aside from the links to the download packages, the text of the rest of this article is the same as that of today’s 2.5.15 release.
For users on 2.5.15 who are unable to update to 2.5.16 via the core update component, please download the patch package from http://joomlacode.org/gf/download/frsrelease/18859/91475/Joomla_2.5.15_to_2.5.16-Stable-Patch_Package.zip and install it via your Extension Manager to update.
This is a security release addressing three security issues. The Production Leadership Team’s goal is to continue to provide regular, frequent updates to the Joomla community. Learn more about Joomla! development at the Developer Site.
The update process is very simple, and complete instructions are available here. Note that there are now easier and better ways of updating than copying the files with FTP.
Download
New Installations: Click here to download Joomla 2.5.16 (Full package) »
Update Package: Click here to download Joomla 2.5.16 (Update package) »
Note: Please read the update instructions before updating.
Instructions
*Please clear your browser’s cache after ugprading
Want to test drive Joomla? Try the online demo or the Joomla JumpBox. Documentation is available for beginners.
Release Notes
Check the Joomla 2.5.15 Post-Release FAQs to see if there are important items and helpful hints discovered after the release.
Statistics for the 2.5.15 release period
- Joomla 2.5.15 contains 3 security issues and 32 tracker issues fixed
See http://developer.joomla.org/version-2-5-15-release-notes.html for details of the tracker items fixed.
Security Issues Fixed
- High Priority – Core XSS Vulnerability More information »
- Medium Priority – Core XSS Vulnerability More information »
- Medium Priority – Core XSS Vulnerability More information »
Joomla! Bug Squad
Thanks to the Joomla Bug Squad for their dedicated efforts investigating reports, fixing problems, and applying patches to Joomla. If you find a bug in Joomla, please report it on the Joomla! CMS Issue Tracker.
Active members of the Joomla Bug Squad during past 3 months include: Achal Aggarwal, Adelene Teh, Aleksander Linkov, Angelika Reisiger, Anibal Sanchez, Anja Hage, Artur Alves, Ashan Fernando, Beat , Brian Teeman, Chad Windnagle, Constantin Romankiewicz, Daniel Kanchev, David Hurley, Dennis Hermacki, Dimitar Genchev, Duong Nguyen, Edwin Cheront, Elin Waring, George Wilson, Gunjan Patel, Hans Kuijpers, Hervé Boinnard, Hugh Messenger, Janich Rasmussen, Jason Rey, Jérôme GLATIGNY, Jean-Marie Simonet, Jern Wei Tan, Jerri Christiansen, Jozsef Tamas Herczeg, Khai Vu Dinh, klas 10, landor landor, Lao Neo, Lara Petersen, Le Van Thuyet, Loc Le Minh, Lu Nguyen, Marc Antoine Thevenet, Marijke Stuivenberg, Mario Proenca, Mark Dexter, Mark Lee, Matias Aguirre, Michael Babker, Mihail Irintchev, Mike Biolsi, Mike Veeckmans, Nha Bui, Nicholas Dionysopoulos, Nick Savov, Nik Faris Akmal, Ofer Cohen, Olaf Offick, Patrick Alt, Peter Martin, Peter van Westen, Peter Wiseman, Piotr Konieczny, Radek Suski, Richard McDaniel, Rob de Cleen, Robert Deutz, Robert Gastaud, Roberto Segura, Roland Dalmulder, Ronni Christiansen, Sam Teh, Sander Potjer, Sandra Thevenet, Sebastian Łuckoś, Sergio Iglesias, Seth Warburton, Shafiq Mazlan, Stefania Gaianigo, Thomas Hunziker, Tino Brackebusch, TJ Baker, Tobias Zulauf, tompap tompap, Troy Hall, Tu Diep The, Valentin Despa, Victor Drover, Viliam Kubis, Yiliang Yang.
Bug Squad Leadership: Mark Dexter and Nick Savov, Co-Coordinators.
Joomla! Security Strike Team
A big thanks to the Joomla! Security Strike Team for their ongoing work to keep Joomla secure. Members include: Airton Torres, Alan Langford, Beat, Bill Richardson, David Hurley, Don Gilbert, Elin Waring, Gary Brooks, Jason Kendall, Jean-Marie Simonet, Marijke Stuivenberg, Mark Boos, Mark Dexter, Matias Griese, Michael Babker, Nick Savov, Pushapraj Sharma, Rouven Weßling.
Joomla! 2.5.15 Released
Nov06
The Joomla Project is pleased to announce the immediate availability of Joomla 2.5.15. This is a security release addressing three security issues. The Production Leadership Team’s goal is to continue to provide regular, frequent updates to the Joomla community. Learn more about Joomla! development at the Developer Site.
The update process is very simple, and complete instructions are available here. Note that there are now easier and better ways of updating than copying the files with FTP.
Download
New Installations: Click here to download Joomla 2.5.15 (Full package) »
Update Package: Click here to download Joomla 2.5.15 (Update package) »
Note: Please read the update instructions before updating.
Instructions
*Please clear your browser’s cache after ugprading
Want to test drive Joomla? Try the online demo. Documentation is available for beginners.
Release Notes
Check the Joomla 2.5.15 Post-Release FAQs to see if there are important items and helpful hints discovered after the release.
Statistics for the 2.5.15 release period
- Joomla 2.5.15 contains 3 security issues and 32 tracker issues fixed
See http://developer.joomla.org/version-2-5-15-release-notes.html for details of the tracker items fixed.
Security Issues Fixed
- High Priority – Core XSS Vulnerability More information »
- Medium Priority – Core XSS Vulnerability More information »
- Medium Priority – Core XSS Vulnerability More information »
Joomla! Bug Squad
Thanks to the Joomla Bug Squad for their dedicated efforts investigating reports, fixing problems, and applying patches to Joomla. If you find a bug in Joomla, please report it on the Joomla! CMS Issue Tracker.
Active members of the Joomla Bug Squad during past 3 months include: Achal Aggarwal, Adelene Teh, Aleksander Linkov, Angelika Reisiger, Anibal Sanchez, Anja Hage, Artur Alves, Ashan Fernando, Beat , Brian Teeman, Chad Windnagle, Constantin Romankiewicz, Daniel Kanchev, David Hurley, Dennis Hermacki, Dimitar Genchev, Duong Nguyen, Edwin Cheront, Elin Waring, George Wilson, Gunjan Patel, Hans Kuijpers, Hervé Boinnard, Hugh Messenger, Janich Rasmussen, Jason Rey, Jérôme GLATIGNY, Jean-Marie Simonet, Jern Wei Tan, Jerri Christiansen, Jozsef Tamas Herczeg, Khai Vu Dinh, klas 10, landor landor, Lao Neo, Lara Petersen, Le Van Thuyet, Loc Le Minh, Lu Nguyen, Marc Antoine Thevenet, Marijke Stuivenberg, Mario Proenca, Mark Dexter, Mark Lee, Matias Aguirre, Michael Babker, Mihail Irintchev, Mike Biolsi, Mike Veeckmans, Nha Bui, Nicholas Dionysopoulos, Nick Savov, Nik Faris Akmal, Ofer Cohen, Olaf Offick, Patrick Alt, Peter Martin, Peter van Westen, Peter Wiseman, Piotr Konieczny, Radek Suski, Richard McDaniel, Rob de Cleen, Robert Deutz, Robert Gastaud, Roberto Segura, Roland Dalmulder, Ronni Christiansen, Sam Teh, Sander Potjer, Sandra Thevenet, Sebastian Łuckoś, Sergio Iglesias, Seth Warburton, Shafiq Mazlan, Stefania Gaianigo, Thomas Hunziker, Tino Brackebusch, TJ Baker, Tobias Zulauf, tompap tompap, Troy Hall, Tu Diep The, Valentin Despa, Victor Drover, Viliam Kubis, Yiliang Yang.
Bug Squad Leadership: Mark Dexter and Nick Savov, Co-Coordinators.
Joomla! Security Strike Team
A big thanks to the Joomla! Security Strike Team for their ongoing work to keep Joomla secure. Members include: Airton Torres, Alan Langford, Beat, Bill Richardson, David Hurley, Don Gilbert, Elin Waring, Gary Brooks, Jason Kendall, Jean-Marie Simonet, Marijke Stuivenberg, Mark Boos, Mark Dexter, Matias Griese, Michael Babker, Nick Savov, Pushapraj Sharma, Rouven Weßling.