The current Joomla version in portage is 3.4.1, which is affected by multiple vulnerabilities:

[20150601] - Core - Open Redirect: Inadequate checking of the return value allowed redirecting to an external page.
http://developer.joomla.org/security-centre/617-20150601-core-open-redirect.html

[20150602] - Core - CSRF Protection: Lack of CSRF checks potentially enabled uploading malicious code.
http://developer.joomla.org/security-centre/618-20150602-core-remote-code-execution.html
CVE-2015-5397 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5397)

At the time of writing, the current Joomla release is 3.4.3, so a version bump would solve this.

Reproducible: Always
Should I also create a version bump request?
You don't have to submit a version bump. I will fix it, but it might take a bit of time.
I have added joomla-3.4.3 to my overlay (hnaparst) and will ask to have it added to portage.
Dropped vulnerable version 3.4.1 and bumped to 3.4.3 (proxy for Harold Naparst). @security team, please proceed.
Maintainer(s), Thank you for your work. Closing noglsa.
CVE-2015-5397 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5397): Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload code via unknown vectors.