Upstream has released several security advisories:

http://developer.joomla.org/security/news/396-20120305-core-password-change.html CVE-2012-1598
http://developer.joomla.org/security/news/397-20120306-core-information-disclosure.html CVE-2012-1599
http://developer.joomla.org/security/news/398-20120307-core-information-disclosure.html CVE-2012-1611
http://developer.joomla.org/security/news/399-20120308-core-xss-vulnerability.html CVE-2012-1612
Let's add these to this bug too:

http://developer.joomla.org/security/news/392-20120302-core-xss-vulnerability.html CVE-2012-1117
http://developer.joomla.org/security/news/391-20120301-core-sql-injection.html CVE-2012-1116
First, thank you for your work, and sorry for lagging behind way too much.

IMHO, the best thing to do is to remove the actual Joomla package from the tree. The recommended upgrade procedure ([1], [2]) seems to use a Joomla extension to ease the process. Manual update seems to still be possible (at least 1.5 -> 2.5; for 1.7 -> 2.5 it is not listed as recommended [2]), but it is far more complex than a replacement of the files. I have the impression that all future Joomla upgrades are going to be done by an extension inside Joomla. I don't see the point of keeping on installing files for Joomla with an ebuild.

Nonetheless, I think it still makes sense to keep an ebuild in the tree that ensures correct dependencies (unzip and php[json,mysql,zlib,xml] atm). It would not install any files. The user can then install Joomla by unpacking it where he wants and let the software deal with the updates itself.

Any comments?

[1] http://docs.joomla.org/Migrating_from_Joomla_1.5_to_Joomla_2.5
[2] http://docs.joomla.org/Upgrading_from_Joomla_1.7_to_Joomla_2.5
CVE-2012-1117 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1117):
Cross-site scripting (XSS) vulnerability in Joomla! 2.5.0 and 2.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2012-1116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1116):
SQL injection vulnerability in Joomla! 1.7.x and 2.5.x before 2.5.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE-2012-1599 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1599):
Joomla! 1.5.x before 1.5.26 does not properly check permissions, which allows attackers to obtain sensitive "administrative back end information" via unknown vectors. NOTE: this might be a duplicate of CVE-2012-1611.

CVE-2012-1598 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1598):
Joomla! 1.5.x before 1.5.26 has unspecified impact and attack vectors related to "insufficient randomness" and a "password reset vulnerability."
(In reply to Olivier Huber from comment #2)
> First, thank you for your work, and sorry for lagging behind way too much.
>
> IMHO, the best thing to do is to remove the actual Joomla package from the
> tree. The recommended upgrade procedure ([1], [2]) seems to use a Joomla
> extension to ease the process. Manual update seems to still be possible
> (at least 1.5 -> 2.5; for 1.7 -> 2.5 it is not listed as recommended [2]),
> but it is far more complex than a replacement of the files. I have the
> impression that all future Joomla upgrades are going to be done by an
> extension inside Joomla. I don't see the point of keeping on installing
> files for Joomla with an ebuild.
> Nonetheless, I think it still makes sense to keep an ebuild in the tree
> that ensures correct dependencies (unzip and php[json,mysql,zlib,xml] atm).
> It would not install any files. The user can then install Joomla by
> unpacking it where he wants and let the software deal with the updates
> itself.
>
> Any comments?

Hi,

I think it is useful to keep it in the tree. If it is too much of a hassle, just disable upgrade of the package through emerge and webapp-config, BUT please provide ebuilds for current versions. For example, it is unhelpful to install 1.2.15 as of now and immediately realize that the current versions are 2.5 and 3.1. So I, as a new user, have a question: why did I newly install old stuff? ;-)

Yes, it helps a lot to have an ebuild to handle the package dependencies. Another reason is that I want to play with multiple CMS tools and decide which is the best. So, ebuilds do help.

Thanks
Well, what's the call? Will you be bumping the package or hardmasking it? We need a decision one way or the other.
plz just mask / remove bogus versions and leave a good ebuild in portage. 2.5.16 is a version I'm ok with, and 3.2.0. I really don't want to use Joomla 1 or to install this by hand.
This package is currently masked for removal:

# William Hubbs <williamh@gentoo.org> (05 Aug 2014)
# Masked by QA for removal in 30 days.
# The unmasked version is very old, there are multiple open security
# bugs and several version bumps. The package appears to be abandoned.
# This will be removed on 5 Sep 2014 unless someone takes over
# maintenance and brings it up to date.
# See bug #518886
www-apps/joomla
Version 3.3.3 bumped, vulnerable versions are dropped. See bug #518886.

But I'd just leave it to the @sec team to handle this bug.
(In reply to Yixun Lan from comment #9)
> Version 3.3.3 bumped, vulnerable versions are dropped. See bug #518886.
>
> But I'd just leave it to the @sec team to handle this bug.

Thank you. Closing this bug noglsa.