Joomla versions 3.4.0-3.4.3 are affected by a cross-site scripting vulnerability in the login module due to inadequate escaping. The issue was fixed in Joomla 3.4.3, which is not yet in Portage.

Reproducible: Always

See the URL for the official Joomla security announcement.
Thank you for your report. Correction on it: fixed in Joomla-3.4.4.
As a heads-up, there's going to be a Joomla update to 3.4.5 on Thursday (22nd October) fixing a yet unnamed, high-profile security issue: https://www.joomla.org/announcements/release-news/5633-important-security-announcement-pre-release.html
(In reply to Dainius Masiliūnas from comment #2)
> As a heads-up, there's going to be a Joomla update to 3.4.5 on Thursday
> (22nd October) fixing a yet unnamed, high-profile security issue:

Any updates on this?
I submitted a separate bug report for that one: https://bugs.gentoo.org/show_bug.cgi?id=563894
This got lost, no maintainers were cc'd
Cannot assign a security bug to a proxy maintainer. CC'd
I have added joomla-3.4.8 to my overlay hnaparst. Would the proxy-maint team please review this for inclusion into Portage. I am the maintainer.
1. # Copyright 1999-2015 -> # Copyright 1999-2016

2. Leftover from the prior ebuild:
   DESCRIPTION="Joomla is a powerful Open Source Content Management System"
   The DESCRIPTION should not have the name of the package in it. So, not your error, reduce it to "A powerful Open Source Content Management System".

SRC_URI="https://github.com/joomla/joomla-cms/releases/download/${MY_PV}/Joomla_${MY_PV}-Stable-Full_Package.tar.bz2"
is a country mile long. Reduce it at least with https://github.com/${PN}/${PN}-cms/ and/or with a MY_PN="${PN}-cms" and https://github.com/${PN}/${MY_PN}/..... Similarly the ${MY_PV}/Joomla_${MY_PV}-Stable-Full_Package can be reduced with M_PN="Joomla_${MY_PV}-Stable-Full_Package". That would be enough.

DEPEND="${DEPEND} ???????? Also a leftover from the prior ebuild. DEPEND="app-arch/unzip" is also not needed now with .tar.bz2. You can delete DEPEND altogether, it seems.

Rest looks fine. Rather than have us dish out an ebuild from an overlay, can you submit a unified diff as an attachment, not the whole ebuild, here, or a complete git patch as an attachment. Then I simply $ git apply <the patch> and all done. Thanks
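The variable-based SRC_URI the review suggests is only safe if it reproduces the original download URL exactly; the following POSIX sh snippet is an added example (not code from this bug, the ebuild, or Portage) that rebuilds the URL from PN, MY_PV, MY_PN and a package stem and compares it with the long literal form. PN is set by hand here because Portage normally derives it from the ebuild filename; the stem variable is named MY_P (Gentoo's usual convention) rather than the review's M_PN.

```shell
#!/bin/sh
# Added example: check that the shortened, variable-based SRC_URI from the
# review assembles to the same URL as the original long literal.

# Portage derives PN from the ebuild filename; assumed value for this demo.
PN="joomla"

# Shortened form, as suggested in the review (MY_P stands in for "M_PN").
build_src_uri() {
    MY_PV="$1"
    MY_PN="${PN}-cms"
    MY_P="Joomla_${MY_PV}-Stable-Full_Package"
    printf '%s\n' "https://github.com/${PN}/${MY_PN}/releases/download/${MY_PV}/${MY_P}.tar.bz2"
}

# The original, unshortened SRC_URI from the ebuild under review.
original_src_uri() {
    pv="$1"
    printf '%s\n' "https://github.com/joomla/joomla-cms/releases/download/${pv}/Joomla_${pv}-Stable-Full_Package.tar.bz2"
}

# Returns 0 when both forms agree for the given version, 1 otherwise.
check_src_uri() {
    [ "$(build_src_uri "$1")" = "$(original_src_uri "$1")" ]
}

if check_src_uri 3.4.8; then
    echo "SRC_URI unchanged after refactor: $(build_src_uri 3.4.8)"
else
    echo "SRC_URI differs after refactor" >&2
    exit 1
fi
```

Run it with `sh check_src_uri.sh`; a non-zero exit means the refactor changed the fetch location and the Manifest would no longer match what is downloaded.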
Created attachment 421900 [details, diff]
Patch ebuild from 3.4.3 to 3.4.8

Changes per Ian Delaney.
commit 905dc2c9cb750fd3dc8a69187aadd99df5863e3c
Author: Ian Delaney <idella4@gentoo.org>
Date:   Tue Jan 5 13:34:14 2016 +0800

    www-apps/joomla: bump to vn. 3.4.8

    ebuild prepared by main proxied maintainer, submitted via bugzilla

    Gentoo bug: #560240

Package has no stabilised version
commit 905dc2c9cb750fd3dc8a69187aadd99df5863e3c
Author: Ian Delaney <idella4@gentoo.org>
Date:   Tue Jan 5 13:34:14 2016 +0800

    www-apps/joomla: bump to vn. 3.4.8

    ebuild prepared by main proxied maintainer, submitted via bugzilla

    Gentoo bug: #560240

commit b278d0e2f3a50cf0e0b2b9760a3e149a8c85316b
Author: Ian Delaney <idella4@gentoo.org>
Date:   Tue Jan 5 13:34:14 2016 +0800

    www-apps/joomla: bump to vn. 3.4.8

    ebuild prepared by main proxied maintainer, submitted via bugzilla

    Gentoo bug: #560240

Package has no stabilised version
Thank you all. Closing as noglsa.