J3.x:Update fails with an error message

Errors reported

When you are updating your Joomla! website to the Joomla! 3.6.1 version using the built in Joomla! Update extension, the following error message will appear:

Versions affected

What is the cause?

3.6.1 introduced a CSRF token check to the update component as an extra level of security. 3.6.0 down to 2.5.4 (every version with the update component) will hit the issue with the CSRF token because those versions don't generate the needed code to pass the check. Future updates will work correctly

How to fix?

Updating from Joomla! 3.6.0

• Go back to your administration panel example.com/administrator
• Then go to Extensions  →  Manage  →  Database
• You should see a message that the dababase is out of date
• Click on the Fix button in the toolbar.

Updating from Joomla! UNDER 3.6.0

If you are running a version under 3.6.0:

• Update first to Joomla! 3.6.0 and NOT directly to Joomla! 3.6.1
  
• Update the com_joomlaupdate via the extension manager
  
• and then run your update from Joomla! 3.6.0 to Joomla! 3.6.1.

The new version of the com_joomlaupdate is available in the backend through the regular extension updater.

Note: If your website is running with PHP 5.3, this error message may be displayed when trying to log in:
0 Failed to start the session: already started by PHP ($_SESSION is set).
Joomla! 3.6.2 will fix this issue. See Fix logging in in PHP 5.3.