Joomla! 3.6.5 Released

Joomla! 3.6.5 is now available. This is a security release for the 3.x series of Joomla! which addresses three security vulnerabilities, miscellaneous security hardening and three bug fixes; no further changes have been made compared to the Joomla! 3.6.4 release. We strongly recommend that you update your sites.


What's in 3.6.5

Version 3.6.5 is released to address three security issues, miscellaneous security hardening and three bugs.

Security Issues Fixed

[20161201] - Core - Elevated Privileges

  • Project: Joomla!
  • SubProject: CMS
  • Severity: High
  • Versions: 1.6.0 through 3.6.4
  • Exploit type: Elevated Privileges
  • Reported Date: 2016-November-04
  • Fixed Date: 2016-December-06
  • CVE Number: CVE-2016-9838

Description

Incorrect use of unfiltered data stored to the session on a form validation failure allows existing user accounts to be modified, including resetting their username, password, and user group assignments.

Affected Installs

Joomla! CMS versions 1.6.0 through 3.6.4

Solution

Upgrade to version 3.6.5

[20161202] - Core - Shell Upload

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.0.0 through 3.6.4
  • Exploit type: Shell Upload
  • Reported Date: 2016-October-26
  • Fixed Date: 2016-December-06
  • CVE Number: CVE-2016-9836

Description

Inadequate filesystem checks allowed files with alternative PHP file extensions to be uploaded.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.6.4

Solution

Upgrade to version 3.6.5

[20161203] - Core - Information Disclosure

  • Project: Joomla!
  • SubProject: CMS
  • Severity: Low
  • Versions: 3.0.0 through 3.6.4
  • Exploit type: Information Disclosure
  • Reported Date: 2016-April-15
  • Fixed Date: 2016-December-06
  • CVE Number: CVE-2016-9837

Description

Inadequate ACL checks in the Beez3 com_content article layout override enable a user to view restricted content.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.6.4

Solution

Upgrade to version 3.6.5

[20161204] - Misc. Security Hardening

  • Project: Joomla!
  • SubProject: CMS

Description

Joomla! 3.6.5 includes additional security hardening mechanisms prepared by the JSST, thanks in part to issue reports from Fotis Evangelou and Nicholas Dionysopoulos, which restrict a user's ability to make potentially damaging configuration changes. This includes restricting the ability to set the "New User Registration Group" and "Guest User Group" to a group with Super User permissions, and restricting the ability of a lesser privileged user to change the user group assignments of users in a Super User group.

Additionally, we have modified the behavior of JUser::authorise() to only return a boolean value. Previously, this method could return either a boolean value or null, because the underlying call to JAccess::check() can also return a null value; neither JUser::authorise() nor JAccess::check() documented this, though. We have determined, based on how the API is used, that JUser::authorise() should only return a boolean value. If a developer requires the previous behavior of a null return value (which indicates an "implicit" denied state, versus the "explicit" denial signified by boolean false), they should use JAccess::check() instead. The documentation for JAccess::check() has been updated to indicate the null return value as well.
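As an added illustration (not Joomla core code), the following stand-alone PHP models the tri-state return described above and shows why a consumer that only rejects an explicit `false` treats the implicit-deny `null` as permission; the rule table and the function names `legacyAuthorise`, `authorise`, `canEditLoose` and `canEditStrict` are constructed for this example.

```php
<?php
// Added illustration, not Joomla core code: models the pre-3.6.5 tri-state
// return of JUser::authorise() (true = explicit allow, false = explicit deny,
// null = no matching rule, i.e. implicit deny) and the 3.6.5 boolean-only
// behaviour. The rule table and function names are constructed for this example.

/** Stand-in for the old JUser::authorise(): may return true, false or null. */
function legacyAuthorise(array $rules, string $action, string $asset): ?bool
{
    // A missing rule is an implicit deny, surfaced as null (the old behaviour).
    return $rules[$asset][$action] ?? null;
}

/** Stand-in for the 3.6.5 JUser::authorise(): null collapses to false. */
function authorise(array $rules, string $action, string $asset): bool
{
    return legacyAuthorise($rules, $action, $asset) === true;
}

/** Consumer pattern that only rejects an explicit false: unsafe when null is possible. */
function canEditLoose(array $rules, string $asset): bool
{
    return legacyAuthorise($rules, 'core.edit', $asset) !== false;
}

/** Consumer pattern that requires an explicit true: safe with either API. */
function canEditStrict(array $rules, string $asset): bool
{
    return authorise($rules, 'core.edit', $asset);
}

// Constructed sample ACL: one explicit allow, one explicit deny, no rule for #3.
$rules = [
    'com_content.article.1' => ['core.edit' => true],
    'com_content.article.2' => ['core.edit' => false],
];

foreach (['com_content.article.1', 'com_content.article.2', 'com_content.article.3'] as $asset) {
    printf(
        "%-22s legacy=%-5s loose=%-5s strict=%s\n",
        $asset,
        var_export(legacyAuthorise($rules, 'core.edit', $asset), true),
        var_export(canEditLoose($rules, $asset), true),
        var_export(canEditStrict($rules, $asset), true)
    );
}
```

Callers that genuinely need to distinguish implicit from explicit denial should call JAccess::check() directly, as the note above says, and still treat any result other than `true` as a denial.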

Bug Fixes

  • [#12817] Fix Joomla Updater for Windows Users
  • [#12984] Fix installation language for sr-YU
  • [#12589] and [#13127] Fix default values for user creation on installation

Please see the documentation wiki for FAQs regarding the 3.6.5 release.

Download

Upgrade Packages: Joomla! 3 upgrade packages

Note: Please read the update instructions before updating.

Please remember to clear your browser's cache and any webhost or CDN caching after updating.

A Huge Thank You!

Thank you to the Joomla! Security Strike Team for their swift resolution of this issue.

Joomla! Security Strike Team

A big thanks to the Joomla! Security Strike Team for their ongoing work to keep Joomla! secure. 
Members include: Beat B., Brian Teeman, Mark Boos, Luca Marzo, Marco Dings, Thomas Hunziker, David Jardin, Alan Langford, Jean-Marie Simonet, Phil Taylor, Viktor Vogel, George Wilson, Davide Tampellini, André Pereira da Silva, Peter Martin, Claire Mandville and Yves Hoppe.

Security Team Leadership: Michael Babker, Coordinator

Joomla! CMS Release Team

A big thanks to the CMS Release Team for their ongoing work testing the pre-releases. 
Members include: Alessandro Rossi, Leo Lammerink, Marc Antoine Thevenet, Philip Walton, Roland Dalmulder, Ilagnayeru Manickam and Tobias Zulauf.

CMS Release Team Leadership: Robert Deutz, Coordinator

Image Credit: Elisa Foltyn and Tiziana Schuster
