Joomla! 3.4.7 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability and one low level security vulnerabilities. We strongly recommend that you update your sites immediately.
This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.6 release.
Version 3.4.7 is released to address two reported security vulnerabilities and includes security hardening of the MySQLi driver to help prevent object injection attacks.
The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). The only Joomla sites affected by this bug are those which are hosted on vulnerable versions of PHP. We are aware that not all hosts keep their PHP installations up to date so we are making this release to deal with this issue on vulnerable PHP versions.
Security Issues Fixed
- High Priority – Core – Session Hardening (affecting Joomla 1.5 through 3.4.6) More information »
- Low Priority – Core – SQL Injection (affecting Joomla 3.0.0 through 3.4.6) More information »
Please see the documentation wiki for FAQ’s regarding the 3.4.7 release. It is important to note that due to some session changes you will not be able to edit items until you log out and log back in again. Please note that there has been a backward compatibility break regarding how session management is handled. If you are using the documented Joomla API you will have no issues. The changes are fully documented in the release documentation.
Joomla 1.5 and 2.5
Joomla does not release updates for EOL versions however we have made patches available for download which can be found at https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions.