Joomla 3.4.6 released, with one high severity security fix and two low priority ones:

https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html
[20151214] - Core - Remote Code Execution Vulnerability
Severity: High
Versions: 1.5.0 through 3.4.5
Exploit type: Remote Code Execution Vulnerability
CVE Number: requested
Description: Browser information is not filtered properly while saving the session values into the database, which leads to a Remote Code Execution vulnerability.
Affected Installs: Joomla! CMS versions 1.5.0 through 3.4.5
Solution: Upgrade to version 3.4.6

https://developer.joomla.org/security-centre/634-20151214-core-directory-traversal.html
[20151214] - Core - Directory Traversal
Severity: Low
Versions: 3.4.0 through 3.4.5
Exploit type: XML File Read Issue
CVE Number: requested
Description: Fails to properly sanitise input data from the XML install file located within the package archive.
Affected Installs: Joomla! CMS versions 3.4.0 through 3.4.5
Solution: Upgrade to version 3.4.6

https://developer.joomla.org/security-centre/633-20151214-core-csrf-hardening.html
[20151214] - Core - CSRF Hardening
Severity: Low
Versions: 3.2.0 through 3.4.5
Exploit type: CSRF
CVE Number: requested
Description: Add additional CSRF hardening in com_templates.
Affected Installs: Joomla! CMS versions 3.2.0 through 3.4.5
Solution: Upgrade to version 3.4.6
You are welcome to use joomla-3.4.8 in my overlay (hnaparst). I am the maintainer.
This is now fixed by version bump in commit b278d0e2f3a50cf0e0b2b9760a3e149a8c85316b.

(In reply to Harold Naparst from comment #1)
> You are welcome to use joomla-3.4.8 in my overlay (hnaparst)

I know that, but others wouldn't, and in general having vulnerable versions of software in the main Gentoo repository is not a good idea.
CVE-2015-8565 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8565): Directory traversal vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via unknown vectors.

CVE-2015-8564 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8564): Directory traversal vulnerability in Joomla! 3.4.x before 3.4.6 allows remote attackers to have unspecified impact via directory traversal sequences in the XML install file in an extension package archive.

CVE-2015-8563 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8563): Cross-site request forgery (CSRF) vulnerability in the com_templates component in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.6 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2015-8562 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8562): Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, as exploited in the wild in December 2015.
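The last entry above names the mechanism behind the high-severity fix: a User-Agent header that is persisted into the session table without filtering. As an added example (not part of this bug report, and not Joomla's own code), the following Python shows the two things a defender typically wants for this class of issue: a scanner that walks combined-format access logs and flags User-Agent values carrying PHP serialization markers, non-printable bytes or implausible length, and a sanitiser of the kind a session store could apply before writing the header to the database. The sample log lines, the 512-byte limit and the "<rejected>" placeholder are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Apache/Nginx "combined" format. Apache escapes embedded quotes in the
# User-Agent field as \" so the UA group accepts backslash-escaped characters.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Output of PHP serialize(): O:<len>:"<class>", a:<n>:{, s:<len>:"...".
# No browser emits these in a User-Agent, so their presence in that field is
# a strong indicator of an object-injection attempt against code that stores
# the header unfiltered (the CVE-2015-8562 pattern).
PHP_SERIAL_RE = re.compile(r'(?<![A-Za-z])(?:O:\d+:"|a:\d+:\{|s:\d+:")')

# Anything outside printable ASCII is anomalous in a User-Agent.
NON_PRINTABLE_RE = re.compile(r'[^\x20-\x7e]')

# Assumed cap; real browsers stay far below this.
MAX_UA_LEN = 512


@dataclass
class Finding:
    ip: str
    time: str
    reason: str
    user_agent: str


def inspect_user_agent(ua: str) -> Optional[str]:
    """Return a short reason string if the User-Agent looks hostile, else None."""
    if PHP_SERIAL_RE.search(ua):
        return "php-serialized-object-marker"
    if NON_PRINTABLE_RE.search(ua):
        return "control-or-non-ascii-bytes"
    if len(ua) > MAX_UA_LEN:
        return "oversized"
    return None


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Walk access-log lines and collect requests whose User-Agent is suspicious."""
    findings: List[Finding] = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        ua = m.group("ua").replace('\\"', '"')  # undo Apache's quote escaping
        reason = inspect_user_agent(ua)
        if reason:
            findings.append(Finding(m.group("ip"), m.group("time"), reason, ua))
    return findings


def sanitize_user_agent(ua: str) -> str:
    """Defensive normalisation before persisting the header (assumed policy):
    refuse values with serialization markers, strip non-printable bytes, cap length."""
    if PHP_SERIAL_RE.search(ua):
        return "<rejected>"
    return NON_PRINTABLE_RE.sub("", ua)[:MAX_UA_LEN]


# Constructed sample log: one benign request, one carrying a harmless
# serialized-object marker, one with an absurdly long User-Agent.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Dec/2015:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"',
    r'198.51.100.7 - - [14/Dec/2015:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" '
    r'"Mozilla/5.0 O:5:\"Dummy\":0:{}"',
    '192.0.2.9 - - [14/Dec/2015:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "'
    + "x" * 600 + '"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.time} {f.ip} {f.reason}: {f.user_agent[:60]!r}")
```

The scanner is meant for triage of historical logs after an advisory like this one; the sanitiser illustrates the hardening principle (treat the header as untrusted input and constrain it before storage) rather than reproducing the upstream patch.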