Joomla Releases 1.5.16
View Full Joomla 1.5.16 Release Announcement and Download HERE
The Joomla Project announces the immediate availability of Joomla 1.5.16 [Wojmamni ama busani]. It has been about six months since Joomla 1.5.15 was released on November 4, 2009.
Joomla! Bug Squad
Make sure to tell these folks Thanks for their dedicated efforts investigating reports, fixing problems, and applying patches to Joomla.
Active members of the Joomla Bug Squad during this last release cycle include: Ian MacLennan and Mark Dexter co-coordinators; Airton Torres, Alan Langford, Alessandro
Nadalin, Andrea Tarr, Christophe Demko, Dennis Hermacki, Edvard Ananyan,
Elin Waring, Flavia Silveira, Hannes Papenberg, Jean-Marie Simonet,
Jennifer Marriott, Joseph LeBlanc, Julio Pontes, Kevin Devine, Klas
Berlič, Koen Kuipers, Matt Thomas, Mustaq Sheikh, Niels Braczek, Ole
Bang Ottosen, Omar Ramos, Pete Nurse, Ron Severdia, Sam Moffatt, and
Will Mavis.
A warm welcome to the newest members of the Joomla Bug Squad: Alessandro Nadalin, Koen Kuipers, Matt Thomas, Michael McGinn, Mustaq Sheikh, and Ronald de Vries.
View Full Joomla! 1.5.16 Release Announcement and Download HERE
-
Comment by HarryB on April 24, 2010 at 7:17am -
FWIW...
Installed and running on my semi-famous SolarFlare II for 1.5 reference site. Believe it or not, there are still a good number of sites out there using this template.
-
Comment by Alessandro Nadalin aka Odino on April 24, 2010 at 10:43am -
i'm there :D
-
Comment by Robert Vining on April 24, 2010 at 10:47am -
Yep! thanks for your contribution! I hope we can get a few more to go do the 1.6 bugsquad push when it starts up soon!
-
Comment by Alessandro Nadalin aka Odino on April 24, 2010 at 10:53am
-
would be good not to wait 6 months this time... let's hope in .17 we could reduce this time
-
Comment by Beat on April 27, 2010 at 4:10am -
Joomla 1.5.16 has 2 major bugs. 1.5.17 said to come out today...
Plus we reported a security issue to JSST on 24.4.2010 (within hours of release). No reply received as of yet (except an auto-reply within minutes of report).
-
Comment by Amy Stephen on April 27, 2010 at 5:06am
-
Beat - I think we need to get third-party developers back into the Bug Squad so that you guys have a direct way to ask questions and work with project on these issues. I would like to see us organize a group of 3PD to get involved as part of the 1.6 Bug Squad/getting it ready to go and I hope you also join in.
I dropped a note in the Bug Squad about your concern. If you have a way to directly contact someone, that wouldn't hurt, either. As you have said, they hope to get 17 out today, so, if there is an issue that needs fixing, now is the time.
Thanks for reporting the problem.
-
-
Beat - trying to ping you on Skype but I think you are out in the Mountains with those cows with the big bells that I love so much! When you get a chance, I want to relay some information from Sam. They did get your message and have been working with it. They recognize there is a bug but do not see how it could be exploited. So, if we can get an example of a working exploit that would help. Ping me when you can! Thanks!
-
Comment by Sam Moffatt on April 27, 2010 at 6:07am -
Beat! My favourite security reporter! We got your security vulnerability, but it has puzzled us - well at least me anyway.
You sent in lots of details about a buggy bit of code for sure and for certain. The way it has mangled windows paths since 1.5.0 is atrocious but what we haven't been able to work out is how to exploit it! I mean I know I'm telling you stuff that you know as a you have a background in security but normally when people report an exploit they tell you how to, well, exploit it. Usually with a proof of concept or similar. So thanks for reporting a bug, we've got a bug tracker but we're still trying to work out the security vulnerability.
Would you mind sending a proof of concept on how to exploit it to the security address? Might make our life easier in replicating it. I know with your background in security you've got a POC sitting around for what you see as a high level directory traversal bug - you've just...forgotten to send it to us. So if you don't mind sending a quick POC over to us it'd be great, thanks! Preferably if you could exploit the plain Joomla! install that'd be great but if you need to you're welcome to write a component to demonstrate it if you can't use the unmodified core distribution to demonstrate the vulnerability.
Thanks again for the security report, look forward to seeing more information! We're also trying to work out what the function should actually be doing but that is just a plain boring bug.
-
Comment by Beat on April 27, 2010 at 10:39am
-
Hm, looks like communicating through here is faster than through the JSST ticket system (did not get the above information through JSST yet), so putting the following reply just made to JSST, temporarily here for Sam:
---
For me it is a vulnerability depending on the use of this unsafe function, and it is a regression bug in Joomla's library introduced in 1.5.16.
I didn't have lots of time over the week-end myself to do research on a PoC, and didn't want to delay until later this week, when I have more time, in reporting this potentially severe security issue, so I reported and documented all what I had at hand before leaving.
Interestingly, investigating the issue further for a quick PoC showed that Joomla! itself seems not to use that library function ! [function name already reported, provided in JSST report, but not here]
So basically, this change in Joomla! 1.5.16 at best breaks extensions using it (fortunately our extensions do not use that function, so we don't have any issue, except trying to contribute), and at worst creates a vulnerability in those using it.
So if you want to classify:
- Not an exploitable vulnerability for Joomla! itself. So not as bad as I thought.
- A potential vulnerability for extensions depending on their use of it. I'm sure anyone can write an example extension, written as well as that Joomla function is, and which gets exploitable.
Take it as a vulnerability, a bug, a badly implemented feature, I don't care, as long as it's fixed, as it has potential for opening vulnerabilities where there were not.
No need to delay Joomla 1.5.17 release for a classification of this imho.
---
Sorry for the lack of full PoC this week-end, will have more time for that if needed starting hopefully next week.
And, as 1.5.17 needs to get out fast, I wonder why bothering writing a so long and fun comment in here, when you have my contact details with my report and in the team.
-
-
Sam - thanks very much for responding.
Beat - it's much appreciated that you report these concerns. It's good to hear that you don't see this as critical to 17, either. So there is time to work out what is going on here.
We need to get third party developers back into the Bug Squad. I believe Mark said at the "Ask the Team" talk that he and Louis are going to issue a call for volunteers to help finalizing 1.6 with the Bug Squad. When that happens, we need to pull a good group together and answer that call.
I cannot tell you how valuable it is to be a part of that group so that you can run ideas and concerns past the development coordinators. It's also fun (for geeks like us! :) ) to fix bugs and be a part of releasing software. I'm looking forward to that time when it comes.
It's not critical that one be a developer, either, to help with the testing. Each issue has to be tested by at least two people and the testing instructions are provided. If you are interested in learning to code, or figuring out how the framework works, it's also a good place to be.
© 2012 Created by Amy Stephen.
You need to be a member of All Together, As A Whole to add comments!
Join All Together, As A Whole