http://developer.joomla.org/security/news/387-20120201-core-information-disclosure.html
http://developer.joomla.org/security/news/388-20120202-core-information-disclosure.html
http://developer.joomla.org/security/news/389-20120203-core-information-disclosure.html
Thanks for the bug, Viorel. Please include a little information about the vulnerabilities when opening bugs. Thanks.
This came in on oss-security@lists.openwall.com and is also referenced at http://secunia.com/advisories/47847/.

http://developer.joomla.org/security/news/387-20120201-core-information-disclosure.html
Severity: Low
Versions: 2.5.0 and 1.7.0 - 1.7.4
Exploit type: Information Disclosure
Reported Date: 2012-January-29
Fixed Date: 2012-February-02
Description
Inadequate validation leads to information disclosure in administrator.
Affected Installs
Joomla! version 2.5.0, 1.7.4, and all earlier 1.7.x versions
Solution
Upgrade to version 1.7.5 or 2.5.1 or higher

=====

http://developer.joomla.org/security/news/388-20120202-core-information-disclosure.html
Severity: Moderate
Versions: 1.7.4 and all earlier 1.7.x versions
Exploit type: Information Disclosure
Reported Date: 2012-January-06
Fixed Date: 2012-February-02
Description
On some servers the error log could be read by unauthorised users.
Affected Installs
Joomla! version 1.7.4 and all earlier 1.7.x versions
Solution
Upgrade to version 2.5.1 or 1.7.5 or higher

=====

http://developer.joomla.org/security/news/389-20120203-core-information-disclosure.html
Severity: Low
Versions: 2.5.0 and 1.7.0 - 1.7.4
Exploit type: Information Disclosure
Reported Date: 2012-January-29
Fixed Date: 2012-February-02
Description
Inadequate validation leads to path disclosure in administrator.
Affected Installs
Joomla! version 2.5.0, 1.7.4, and all earlier 1.7.x versions
Solution
Upgrade to version 2.5.1 or 1.7.5 or higher
Can we get the hardmasked 1.7 bumped, please? Just to be safe.
This package is currently masked for removal
# William Hubbs <williamh@gentoo.org> (05 Aug 2014)
# Masked by QA for removal in 30 days.
# The unmasked version is very old, there are multiple open security
# bugs and several version bumps. The package appears to be abandoned.
# This will be removed on 5 Sep 2014 unless someone takes over
# maintenance and brings it up to date.
# See bug #518886
www-apps/joomla
Version bumped to 3.3.3 and vulnerable versions are dropped, cf. bug #518886 and bug #410969. Closing noglsa.