Menu
Hurry! Wait! Go! Joomla stumbles with patch for serious vulnerability

Hurry! Wait! Go! Joomla stumbles with patch for serious vulnerability

Joomla patches were reissued after the first versions broke the update process of existing installations

The Joomla project pushed out new updates for its popular content management system Wednesday after a glitch was found in the high-priority security patches it released a day before.

Joomla versions 3.3.5, 3.2.6 and 2.5.26 were released Tuesday to patch a moderate-risk remote file inclusion vulnerability and a denial-of-service issue. However, hours after the updates were made available, Joomla's developers issued an urgent request for users to delay upgrading.

"Unfortunately, due to a small technical issue we need to release another version very soon," the project said on Facebook, apologizing for the situation.

New Joomla versions 3.3.6, 3.2.7 and 2.5.27 were released Wednesday to address the newly identified issue and a few others.

"This release addresses an issue related to the core update component, one regression in the user password reset process, and adds a fallback upgrade mechanism for the update component," the Joomla Project said in the new release notes.

Users who already deployed Tuesday's patches will not be able to upgrade to new Joomla versions through the normal update component, and will have to use the Extension Manager instead.

Remote file inclusion vulnerabilities are dangerous because they can allow attackers to install backdoors on vulnerable sites and modify files hosted on site servers. However, in the case of this particular Joomla flaw the risk is reduced because the attacker needs to time an attack for exactly when a Joomla package is being extracted during an update operation.

According to Web software development firm Akeeba, whose products are also affected by the issue, the attack window is typically five to 90 seconds and requires the attacker to know when this operation will occur.

"Due to the special conditions required merely having the affected software installed DOES NOT make your site vulnerable," the firm said in a security advisory. "However, this security issue can be used for targeted attacks against valuable targets."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchessecurityAkeebajoomlapatch managementExploits / vulnerabilities

Featured

Slideshows

Educating from the epicentre - Why distributors are the pulse checkers of the channel

Educating from the epicentre - Why distributors are the pulse checkers of the channel

​As the channel changes and industry voices deepen, the need for clarity and insight heightens. Market misconceptions talk of an “under pressure” distribution space, with competitors in that fateful “race for relevance” across New Zealand. Amidst the cliched assumptions however, distribution is once again showing its strength, as a force to be listened to, rather than questioned. Traditionally, the role was born out of a need for vendors and resellers to find one another, acting as a bridge between the testing lab and the marketplace. Yet despite new technologies and business approaches shaking the channel to its very core, distributors remain tied to the epicentre - providing the voice of reason amidst a seismic industry shift. In looking across both sides of the vendor and partner fences, the middle concept of the three-tier chain remains centrally placed to understand the metrics of two differing worlds, as the continual pulse checkers of the local channel. This exclusive Reseller News Roundtable, in association with Dicker Data and rhipe, examined the pivotal role of distribution in understanding the health of the channel, educating from the epicentre as the market transforms at a rapid rate.

Educating from the epicentre - Why distributors are the pulse checkers of the channel
Kiwi channel reunites as After Hours kicks off 2017

Kiwi channel reunites as After Hours kicks off 2017

After Hours made a welcome return to the channel social calendar last night, with a bumper crowd of distributors, vendors and resellers descending on The Jefferson in Auckland to kickstart 2017. Photos by Maria Stefina.

Kiwi channel reunites as After Hours kicks off 2017
Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow exclusively introduces Tenable Network Security to A/NZ channel

Arrow Electronics introduced Tenable Network Security to local resellers in Sydney last week, officially launching the distributor's latest security partnership across Australia and New Zealand. Representing the first direct distribution agreement locally for Tenable specifically, the deal sees Arrow deliver security solutions directly to mid-market and enterprise channel partners on both sides of the Tasman.

Arrow exclusively introduces Tenable Network Security to A/NZ channel
Show Comments