Difference between revisions of "Security hotfixes for Joomla EOL versions"
From Joomla! Documentation
(Created page with "Although Joomla 1.5 has reached end of life, there is a security patch available at this link: http://joomlacode.org/gf/download/trackeritem/31626/83528/UploadFix15v3.zip h...") |
(Marked this version for translation) |
||
| (62 intermediate revisions by 15 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | <noinclude><languages /></noinclude> | |
| + | {{Warning|title=<translate><!--T:31--> Warning!</translate> | ||
| + | |'''<translate><!--T:1--> | ||
| + | Do not rely on all security issues being patched or reported for EOL (end of life) versions.</translate>'''}} | ||
| + | {{Joomla version|version={{CurrentSTSVer5|maintenance}}|comment=<translate><!--T:18--> | ||
| + | is the current version</translate>}} | ||
| + | <translate> | ||
| + | <!--T:2--> | ||
| + | This page is for Joomla! versions which have reached EOL('''end of life''') and are no longer being developed or supported by the Joomla! project. Issues and items are only listed on this page as a benefit to the users of EOL versions who have not migrated to a supported version yet. | ||
| + | </translate> | ||
| − | + | <translate> | |
| + | <!--T:3--> | ||
| + | It is '''strongly recommended you update your websites''' to a supported Joomla! version ASAP. | ||
| + | </translate> | ||
| + | __NOTOC__ | ||
| + | == Joomla! 3== | ||
| + | <translate> | ||
| + | ==== 20 February 2024 ==== <!--T:32--> | ||
| + | * There were several security issues found in Joomla 3. Here is a list of the issues:</translate> | ||
| + | <translate> | ||
| + | <!--T:33--> | ||
| + | ** Read the [https://developer.joomla.org/security-centre/929-20240205-core-inadequate-content-filtering-within-the-filter-code.html Announcement] for details on the issue in Joomla! 3.7.0 - 5.0.2. | ||
| + | ** Read the [https://developer.joomla.org/security-centre/927-20240203-core-xss-in-media-selection-fields.html Announcement] for details on the issue in Joomla! 1.6.0 - 5.0.2.</translate> | ||
| + | <translate> | ||
| + | <!--T:34--> | ||
| + | ** Read the [https://developer.joomla.org/security-centre/926-20240202-core-open-redirect-in-installation-application.html Announcement] for details on the issue in Joomla! 1.5.0 - 5.0.2. | ||
| + | ** Read the [https://developer.joomla.org/security-centre/925-20240201-core-insufficient-session-expiration-in-mfa-management-views.html Announcement] for details on the issue in Joomla! 3.4.0 - 5.0.2.</translate> | ||
| + | <translate> | ||
| + | <!--T:35--> | ||
| + | * There is an installable patch for all known (these and previous) security issues for Joomla! 3.10.12 provided by Tom van der Laan from TLWebdesign for FREE. This patch is not tested nor endorsed by the Joomla! Security Task Force: [https://github.com/TLWebdesign/Joomla-3-EOL-Security-Fixes Joomla! 3 EOL Security Fixes]. | ||
| + | * You could also enroll in the paid ELTS program that will provide the same security fix as above but as a Joomla Update: [https://elts.joomla.org Joomla ELTS Program].</translate> | ||
| − | http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626 | + | <translate> |
| + | ==== 30 November 2023 ==== <!--T:36--> | ||
| + | * Read the [https://developer.joomla.org/security-centre/919-20231101-core-exposure-of-environment-variables.html Announcement] for details on the issue in Joomla! 1.6 - 4.4.0 and 5.0.0. | ||
| + | * There is an installable patch for the same issue in Joomla! 3.10.12 provided by Tom van der Laan from TLWebdesign for FREE. This patch is not tested nor endorsed by the Joomla! Security Task Force: [https://github.com/TLWebdesign/Joomla-3.10.12-languagehelper-hotfix Joomla 3.10.12 Language Helper Hotfix]. | ||
| + | * You could also enroll in the paid ELTS program that will provide the same security fix as above but as a Joomla Update: [https://elts.joomla.org Joomla ELTS Program]. | ||
| + | </translate> | ||
| + | |||
| + | <translate> | ||
| + | == Joomla! 2.5== <!--T:4--> | ||
| + | |||
| + | ==== 14 December 2016 ==== <!--T:28--> | ||
| + | * Read the [https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html Announcement] for details on the issue in Joomla! 3.6.4 and before. | ||
| + | * There is an installable patch for the same issue in Joomla! 2.5 provided by the VirtueMart team. This patch is not tested nor endorsed by the Joomla! Security Task Force: [https://virtuemart.net/news/latest-news/478-joomla-security-release-3-6-5-and-patch-for-joomla-2-5-28 14th December 2016 Issue Patch]. | ||
| + | |||
| + | === Remote Code Execution === <!--T:29--> | ||
| + | There is a security issue in Joomla! from Joomla 1.5 up until 3.4.5 related to remote code execution. This was followed up with some longer term fixes in Joomla 3.4.7 | ||
| + | </translate> | ||
| + | |||
| + | <translate> | ||
| + | ==== 21 December 2015 ==== <!--T:26--> | ||
| + | </translate> | ||
| + | <translate><!--T:20--> | ||
| + | * Read the [https://developer.joomla.org/security-centre/639-20151206-core-session-hardening.html Security Centre] for details. | ||
| + | * Download the [https://github.com/joomla/joomla-cms/releases/download/3.4.7/SessionHardening25v1.zip Session Hardening Patch] and manually apply per instructions.</translate> | ||
| + | |||
| + | <translate> | ||
| + | == Joomla! 1.5 == <!--T:22--> | ||
| + | </translate> | ||
| + | <translate><!--T:23--> | ||
| + | Although Joomla! 1.5 has reached EOL(end of life), if there is a critical security issue with a fix it may be reported here.</translate> | ||
| + | |||
| + | <translate> | ||
| + | === Remote Code Execution === <!--T:14--> | ||
| + | </translate> | ||
| + | <translate><!--T:15--> | ||
| + | There is a security issue in Joomla! from Joomla 1.5 up until 3.4.5 related to remote code execution. This was followed up with some longer term fixes in Joomla 3.4.7</translate> | ||
| + | |||
| + | <translate> | ||
| + | ==== 21 December 2015 ==== <!--T:27--> | ||
| + | </translate> | ||
| + | <translate><!--T:24--> | ||
| + | * Read the [https://developer.joomla.org/security-centre/639-20151206-core-session-hardening.html Security Centre] for details.</translate> | ||
| + | <translate><!--T:25--> | ||
| + | * Download the [https://github.com/joomla/joomla-cms/releases/download/3.4.7/SessionHardening15v1.zip Session Hardening Patch] and manually apply per instructions.</translate> | ||
| + | |||
| + | <translate> | ||
| + | === File Upload Security Patch === <!--T:6--> | ||
| + | </translate> | ||
| + | <translate><!--T:7--> | ||
| + | There is a security issue in all versions of Joomla! related to unauthorized file uploads. | ||
| + | * Read the [http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626 Issue Tracker Item] for details. | ||
| + | * Download the joomlacode.org/gf/download/trackeritem/31626/83528/UploadFix15v3.zip File Upload Security Patch (link dead) and manually apply per instructions.</translate> | ||
| + | <translate><!--T:8--> | ||
| + | :'''File Upload Security Patch Update Instructions:''' | ||
| + | :#Download & Unpack the security patch | ||
| + | :#Upload patch files via ftp directly to the root of your Joomla! installation, overwriting existing files.</translate> | ||
| + | |||
| + | <translate> | ||
| + | |||
| + | ===Flash Uploader=== <!--T:9--> | ||
| + | The flash uploader has been removed from Joomla! 2.5 and Joomla! 3 for security reasons. 1.5 users should do the same and can do so first by removing the file and then by setting the option for it to off. | ||
| + | </translate> | ||
| + | |||
| + | |||
| + | <noinclude> | ||
| + | <translate> | ||
| + | <!--T:11--> | ||
| + | [[Category:Security]] | ||
| + | [[Category:Joomla! 1.5]] | ||
| + | [[Category:Joomla! 2.5]] | ||
| + | [[Category:Joomla! 3.x]] | ||
| + | </translate> | ||
| + | </noinclude> | ||
Latest revision as of 02:32, 25 February 2024
Warning!
Do not rely on all security issues being patched or reported for EOL (end of life) versions.
Joomla!
5.1.0
is the current version
This page is for Joomla! versions which have reached EOL(end of life) and are no longer being developed or supported by the Joomla! project. Issues and items are only listed on this page as a benefit to the users of EOL versions who have not migrated to a supported version yet.
It is strongly recommended you update your websites to a supported Joomla! version ASAP.
Joomla! 3[edit]
20 February 2024[edit]
- There were several security issues found in Joomla 3. Here is a list of the issues:
- Read the Announcement for details on the issue in Joomla! 3.7.0 - 5.0.2.
- Read the Announcement for details on the issue in Joomla! 1.6.0 - 5.0.2.
- Read the Announcement for details on the issue in Joomla! 1.5.0 - 5.0.2.
- Read the Announcement for details on the issue in Joomla! 3.4.0 - 5.0.2.
- There is an installable patch for all known (these and previous) security issues for Joomla! 3.10.12 provided by Tom van der Laan from TLWebdesign for FREE. This patch is not tested nor endorsed by the Joomla! Security Task Force: Joomla! 3 EOL Security Fixes.
- You could also enroll in the paid ELTS program that will provide the same security fix as above but as a Joomla Update: Joomla ELTS Program.
30 November 2023[edit]
- Read the Announcement for details on the issue in Joomla! 1.6 - 4.4.0 and 5.0.0.
- There is an installable patch for the same issue in Joomla! 3.10.12 provided by Tom van der Laan from TLWebdesign for FREE. This patch is not tested nor endorsed by the Joomla! Security Task Force: Joomla 3.10.12 Language Helper Hotfix.
- You could also enroll in the paid ELTS program that will provide the same security fix as above but as a Joomla Update: Joomla ELTS Program.
Joomla! 2.5[edit]
14 December 2016[edit]
- Read the Announcement for details on the issue in Joomla! 3.6.4 and before.
- There is an installable patch for the same issue in Joomla! 2.5 provided by the VirtueMart team. This patch is not tested nor endorsed by the Joomla! Security Task Force: 14th December 2016 Issue Patch.
Remote Code Execution[edit]
There is a security issue in Joomla! from Joomla 1.5 up until 3.4.5 related to remote code execution. This was followed up with some longer term fixes in Joomla 3.4.7
21 December 2015[edit]
- Read the Security Centre for details.
- Download the Session Hardening Patch and manually apply per instructions.
Joomla! 1.5[edit]
Although Joomla! 1.5 has reached EOL(end of life), if there is a critical security issue with a fix it may be reported here.
Remote Code Execution[edit]
There is a security issue in Joomla! from Joomla 1.5 up until 3.4.5 related to remote code execution. This was followed up with some longer term fixes in Joomla 3.4.7
21 December 2015[edit]
- Read the Security Centre for details.
- Download the Session Hardening Patch and manually apply per instructions.
File Upload Security Patch[edit]
There is a security issue in all versions of Joomla! related to unauthorized file uploads.
- Read the Issue Tracker Item for details.
- Download the joomlacode.org/gf/download/trackeritem/31626/83528/UploadFix15v3.zip File Upload Security Patch (link dead) and manually apply per instructions.
- File Upload Security Patch Update Instructions:
- Download & Unpack the security patch
- Upload patch files via ftp directly to the root of your Joomla! installation, overwriting existing files.
Flash Uploader[edit]
The flash uploader has been removed from Joomla! 2.5 and Joomla! 3 for security reasons. 1.5 users should do the same and can do so first by removing the file and then by setting the option for it to off.