• News

    The latest info on JoomlaCamp and JoomlaDay Chicago

JoomlaDay Chicago and JoomlaCamp Chicago News

Keeping you in the know about all things JoomlaDay Chicago!

Joomla 3.9.8 Release

Joomla 3.9.8 is now available. This is a bug fix release for the 3.x series of Joomla which addresses one bug introduced into 3.9.7 which affects web sites using the French Help Server.

What's in 3.9.8?

Joomla 3.9.8 is fixing one bug introduced into Joomla 3.9.7, due to the removal of the French Help Server.

Visit GitHub for more information about this issue.

Download

Upgrade Packages

Upgrade Packages
Joomla 3 upgrade packages

Note: Please read the update instructions before updating.
Remember… Please clear your browser's cache after updating.
Found a bug? Report it on the Joomla Issue Tracker.
Questions? See the documentation wiki for FAQ’s regarding the 3.9.8 release.

Continue reading
  25 Hits
  0 Comments

Copyright

© Joomla.org

25 Hits
0 Comments

Joomla 3.9.7 Release

Joomla 3.9.7 is now available. This is a security fix release for the 3.x series of Joomla which addresses three security vulnerabilities and contains over 40 bug fixes and improvements.

What's in 3.9.7?

Joomla 3.9.7 includes three security vulnerability fixes and several bugs and improvements, including:

Security Issues Fixed

  • Low Priority - Core - CSV injection in com_actionlogs (affecting Joomla 3.9.0 through 3.9.6) More information »
  • Low Priority - Core - XSS in subform field (affecting Joomla 3.6.0 through 3.9.6) More information »
  • Low Priority - Core - ACL hardening of com_joomlaupdate (affecting Joomla 3.8.13 through 3.9.6) More information »

Bug fixes and Improvements

  • Batch system: Copy permissions of modules #24737 and categories #24730
  • Progessive cache improvements #20310
  • Fix to avoid duplicated custom fields in com_content #24516
  • RTL improvements #23107 #24722
  • Removal of the unofficial French Help Server #24927
  • TinyMCE improvements: #24978 #25037
  • RSS: Fix to display the right category #24932
  • Media Manager: Fix directory traversal for symlinked folders #24924
  • User registration: Correct http schema used #24089

Visit GitHub for the full list of bug fixes.

Download

Upgrade Packages

Upgrade Packages
Joomla 3 upgrade packages

Note: Please read the update instructions before updating.
Remember… Please clear your browser's cache after updating.
Found a bug? Report it on the Joomla Issue Tracker.
Questions? See the documentation wiki for FAQ’s regarding the 3.9.7 release.

Continue reading
  27 Hits
  0 Comments

Copyright

© Joomla.org

27 Hits
0 Comments

Marketing & Communication Department Coordinator Election Result

Rachel-Walraven

We are happy to announce that the election for the replacement for the Marketing & Communications Department Coordinator has been completed.

Marketing & Communications
Department Coordinator

Rachel Walraven


Reference:

Thank you!

  40 Hits
  0 Comments

Copyright

© joomla.org

40 Hits
0 Comments

JED Server Security Incident Report

breach

Following a server level compromise of the Joomla! Extensions Directory (JED), we would like to provide our community a postmortem summary of the events leading to this issue, the response from the Joomla project team members, and a plan of action moving forward to prevent a similar type of issue in the future.

In summary, this was a preventable compromise, and after analysis, we have no reason to believe that any user data has been accessed improperly.

Issue Notification

  • At approximately 09:30 UTC on 15 May 2019, a security researcher notified the Joomla Security Strike Team (JSST) that they had discovered an internal Jenkins CI server used by the JED to deploy updates to their live and staging websites and were able to exploit CVE-2018-1000861 on the server, providing a screenshot of a sensitive file as proof of the exploit.  
  • Upon notification, JSST members worked with JED team members to bring the affected Jenkins system offline and conduct an analysis of whether this server had been compromised in other ways.

Systems Audit

  • While investigating the Jenkins server compromise, it was found that a crypto-miner had been installed and was running on the server.  A crypto-miner is a software script used to create digital currencies via abuse of server resources (CPU and memory).
  • As part of the installed software, a script was found to have been added to the server’s crontab that would attempt to connect to other servers in the local network and install the same miner.  
  • Since the Jenkins server was used to deploy site updates, the script was able to access the production JED server and install itself there.
  • Once it had been discovered on the JED server, steps were taken immediately to bring all services on the affected servers offline and access was restricted to privileged individuals in order to conduct a full root-cause analysis and to begin executing a recovery plan.
  • In parallel, the other servers hosting the joomla.org architecture were audited to ensure they had not been compromised as well, and it was determined that only the JED’s servers were affected.
  • An analysis was performed on the production JED server to determine the scope of the compromise, including when the server was presumed to be breached and what resources may have been accessed.  
  • The analysis concluded that the crypto-miner had been installed on the evening of 11 May 2019 and that there was no evidence of improper data access (including access to uploaded extension packages sent to the JED Checker and the site’s database).
  • With the analysis concluded, the compromised server was decommissioned with a replacement server activated and a file backup from 10 May 2019 and database from 15 May 2019 restored to the new server.  
  • The restoration process was completed on 16 May 2019 with the JED team taking action to re-apply pertinent user actions performed between the backup date and the time the JED was discovered to be compromised.

Plan of Action

As a result of the server compromise, several steps are being taken to ensure the security of our servers and our user’s data.  

  • First, the compromised Jenkins server is scheduled to be permanently decommissioned with the JED migrating to one of the other CI servers used by Joomla in order to eliminate a redundant resource.  
  • Second, all administrative access (server level passwords and SSH keys) are being reset.  
  • Third, out of an abundance of caution, all remember me tokens will be invalidated, and all registered users will be required to reset their passwords.  
  • Lastly, we will be reviewing our internal workflows and procedures and improving our policies and the security features made available to our users across all joomla.org subdomains (such as enabling two-factor authentication on all sites).

Questions and Answers

Q: What was the cause of the compromise?
A: A Jenkins server used to deploy updates to the JED’s production and staging websites, had not been updated to apply a security patch, resulting in the Jenkins server and the JED production server being compromised.

Q: What was the objective of the compromise?
A: According to the analysis, the crypto-miner was installed on the evening of 11 May 2019 and ran until it was detected on 15 May 2019. The crypto-miner abused server resources (CPU and memory) to mine digital currency.

Continue reading
  39 Hits
  0 Comments

Copyright

© joomla.org

39 Hits
0 Comments

Joomla 3.9.6 Release

J

oomla 3.9.6 is now available. This is a security fix release for the 3.x series of Joomla which addresses two security vulnerabilities and contains over 25 bug fixes and improvements.

What's in 3.9.6?

Joomla 3.9.6 includes two security vulnerability fixes and several bugs and improvements, including:

Security Issues Fixed

  • Low Priority - Core - XSS in com_users ACL debug views (affecting Joomla 1.7.0 through 3.9.5) More information »
  • Low Priority - Core - By-passing protection of Phar Stream Wrapper Interceptor (affecting Joomla 3.9.3 through 3.9.5) More information »

Bug fixes and Improvements

  • Media Manager: Fix logic in file upload check introduced in 3.9.5 #24637
  • Edge Chromium support added #24379
  • User Notes: Fix date format #24529
  • Frontend editing: article category editable by Publishers and up #24640
  • Cache: Cache folder automatically created if it doesn’t exist #21952
  • PostgreSQL database improvements #24682 #24683 #24652

Visit GitHub for the full list of bug fixes.

Download

Continue reading
  43 Hits
  0 Comments

Copyright

© Joomla.org

43 Hits
0 Comments

Joomla 3.9.5 Release

Joomla 3.9.5 is now available. This is a security fix release for the 3.x series of Joomla which addresses three security vulnerabilities and contains over 20 bug fixes and improvements.

What's in 3.9.5?

Joomla 3.9.5 includes three security vulnerabilities fixes and several bugs and improvements, including:

Security Issues Fixed

  • Low Priority - Core - Directory Traversal in com_media (affecting Joomla 1.5.0 through 3.9.4) More information »
  • High Priority - Core - Helpsites refresh endpoint callable for unauthenticated users (affecting Joomla 3.2.0 through 3.9.4) More information »
  • Moderate Priority - Core - Object.prototype pollution in JQuery $.extend (affecting Joomla 3.0.0 through 3.9.4) More information »

Bug fixes and Improvements

  • User Password: Add minimum lowercase rule for password validation #24230
  • Associations tab: Fix wrong behaviour of Indonesian language #24244
  • Debug language: Fix User Actions Log Manager #24178
  • New installation language: Kazakh #24233
  • Google Authenticator plugin (2FA): QR-code generator implemented #24255

Visit GitHub for the full list of bug fixes.

Download

Upgrade Packages

Upgrade Packages
Joomla 3 upgrade packages

Note: Please read the update instructions before updating.
Remember… Please clear your browser's cache after updating.
Found a bug? Report it on the Joomla Issue Tracker.
Questions? See the documentation wiki for FAQ’s regarding the 3.9.5 release.

Continue reading
  94 Hits
  0 Comments

Copyright

© Joomla.org

94 Hits
0 Comments

Because Open Source Matters … and Domains too!

It’s an exciting day for The Joomla Project and BRANDIT! 
As the consolidation and packaging of web services move forward, we are happy to announce the official launch of our domains platform (powered by BRANDIT), domains.joomla.org.

Every website starts with a domain name, and by offering domains directly from Joomla.org, our users gain a new way to help build their online presence whilst helping the project financially.  

Domains.joomla.org is a full domain registry service that gives Joomla a direct connection to TLD’s and Registrars. 
This partnership opens up new opportunities for sponsorship and special offers to the Joomla Community.  
As we launch the platform, two registrars have already sponsored several JoomlaDays, and BRANDIT has become a Platinum Sponsor of the Joomla Project.

Whether you are looking for a new domain name or to transfer your existing domain portfolio, domains.joomla.org is the perfect platform. Offering you a wide range of TLDs alongside a robust and intuitive industry leading control panel for domain management.  

It is that simple, get started today, together Joomla and BRANDIT make your domains feel at home!

Benefit from the special Offers for the launch!

.com

9.99€ for the first year and transfers

.club

0,99€ for the first year

.at

9.99€ for the first year
 
  104 Hits
  0 Comments

Copyright

© Joomla.org

104 Hits
0 Comments

Joomla 3.9.4 Release

Joomla 3.9.4 is now available. This is a security fix release for the 3.x series of Joomla which addresses 4 security vulnerabilities and contains 28 bug fixes and improvements.

What's in 3.9.4?

Joomla 3.9.4 includes 4 security vulnerabilities fixes and several bugs and improvements, including:

Security Issues Fixed

  • High Priority - Core - Missing ACL check in sample data plugins (affecting Joomla 3.8.0 through 3.9.3) More information »
  • Low Priority - Core - XSS in com_config JSON handler (affecting Joomla 3.2.0 through 3.9.3) More information »
  • Low Priority - Core - XSS in item_title layout (affecting Joomla 3.0.0 through 3.9.3) More information »
  • Low Priority - Core - XSS in media form field (affecting Joomla 3.0.0 through 3.9.3) More information »

Bug fixes and Improvements

  • User Terms (#23787) and Privacy Consent (#23660) plugins: Layouts for the label and message added
  • Featured articles: Page subheading added #23583
  • Custom formfield layout paths simplified #22645
  • Com_contact: Contact name field moved out of the Contact Information block #23563
  • Custom module: Improvement of the frontend editing #23741
  • Action Logs improvement: Cache (#22739) and Purge/Export (#22740) actions are now logged

Visit GitHub for the full list of bug fixes.

Download

Upgrade Packages

Upgrade Packages
Joomla 3 upgrade packages

Note: Please read the update instructions before updating.
Remember… Please clear your browser's cache after updating.
Found a bug? Report it on the Joomla Issue Tracker.
Questions? See the documentation wiki for FAQ’s regarding the 3.9.4 release.

Continue reading
  103 Hits
  0 Comments

Copyright

© Joomla.org

103 Hits
0 Comments

Joomla! World Conference Nov 8-10, 2019 in London

jwc-2019

 

Joomla World Conference (JWC) will be held in London, UK, from November 8th to 10th, 2019. The Conference will bring the brightest Joomla minds together to share their experiences, connect with others, and learn more about Joomla and its community.

​What is JWC?

"Joomla! World Conference (JWC) is an annual user conference aimed at users of the award winning Joomla! content management system. Joomla! powers over 3% of the entire world's websites and is used by individuals, multi-national corporations, governments and charities to serve and manage their online presence in an efficient, flexible and expandable way. With over 10,000 extensions to further extend Joomla! capabilities as well as a support network of thousands of developers, integrators and designers, the JWC is the place to be to meet, learn, share and connect."  - ​conference.joomla.org

The Joomla World Conference (JWC) started in 2012 and is in a different venue/city each time around the world.  This three-day conference will include a mix of keynotes, presentations, workshops and sessions.  Each JWC is brought to you by a team of volunteers and the Joomla! Project. Joomla!® is the trademark of Open Source Matters, Inc. in the United States and other countries.

Continue reading
  65 Hits
  0 Comments
65 Hits
0 Comments

A Statement on the Recent Report by Check Point

 

A report by Check Point Research has been brought to our attention relating to a security vulnerability that was patched back in December 2015. This report has also been picked up by Threat Post.

Both reports contain a great deal of inaccuracies and intimate that the vulnerability detailed is a current one. 
This statement serves to clarify the facts surrounding this issue. Furthermore we would like to assure our user base that, much as these posts attempt to state that this is a current issue, the truth of the matter is far from that.

With this in mind, we would like to clarify a few points:

  • There is no current security issue with the JMail class.
  • The underlying issue, used to create and store the backdoor, is a PHP issue rather than a Joomla issue.
  • A successful attack is only possible with severely outdated PHP and Joomla versions that are more than 3 years out of date (PHP versions 5.4.45, 5.5.29, 5.6.13 and all higher versions are patched for this vulnerability). Please see our recent article about the importance of keeping your sites up to date here.
  • A mitigation for Joomla 1.5, 2.5 and 3 was released more than 3 years ago in December 2015. Patches for EOL versions were released alongside the Joomla 3.4.7 release. Patches for the other Joomla versions are still available here. The Joomla Project also distributed WAF rules to many shared hosting providers at the time of discovery to protect against common exploits of this vulnerability.
  • The file mentioned in Check Point's report is not a Joomla core file, it's a copy of the original class used by the attacker to obfuscate a backdoor.
  • The file does not "override" the core JMail class.

More information on the exploit

The pattern described by Check Point is a classic one - where an attacker exploits a well-known security issue. The issue is over 3 years old and stems from a security issue found in PHP, rather than the Joomla core.  More information on this issue can be found here:

Continue reading
  62 Hits
  0 Comments

Copyright

© Joomla.org

62 Hits
0 Comments

Joomla accepted to Google Summer of Code 2019

Joomla did it for the 12th time! We are proud to announce that our application as mentoring organization for the 2019 Google Summer of Code™ program (GSoC) has been accepted!

GSoC helps support university level students who get the opportunity to work with mentors on a variety of coding projects that will all be contributed back to the student's mentoring organization. More than an opportunity to find new talents for Joomla and improve the software, GSoC is a big reunion of open source lovers where we can share, learn, teach and have fun.

This year's Joomla! GSoC application was led by Puneet Kala, Sandra Decoux, Yves Hoppe and Tobias Zulauf.

After learning of Joomla's acceptance into GSoC, Puneet said:

Selection for GSoC is a great news to start 2019 for Joomla. We are on the edge of Joomla 4 release and the projects we have this year are going to focus on this area. 
This will be our 4th consecutive year of selection into GSoC after we were declined in 2015, which clearly indicates we have been working in the right direction. 
The team is really happy & ready to make this year productive and have even better results than last year. A great amount of our success also goes to the mentors. They have done a tremendous job and consistently pushed the standards for our GSoC participation.

Students, apply to Joomla GSoc Project

Talented and committed students, we are looking forward to hearing from you! We invite you to go through the program details and apply to participate in GSoC. It’s a fantastic opportunity to write code, learn about open source development, meet great people, while earning a stipend! All information about Joomla GSoC participation can be found here.

Continue reading
  67 Hits
  0 Comments
67 Hits
0 Comments

Joomla attended the CMS Security Summit at Google in Chicago

January 30th 2019 - It’s freezing cold in Chicago today and according to the news, it’s even colder than on the Mount Everest - so a perfect day to stay inside a warm building, sitting in front of your machine and having a (sorry, bad Everest joke) summit!

Read More on Joomla.org

  65 Hits
  0 Comments

Copyright

© Joomla.org

65 Hits
0 Comments

Joomla 3.9.3 Release

Joomla 3.9.3 is now available. This is a security fix release for the 3.x series of Joomla which addresses 6 security vulnerabilities and contains 30 bug fixes and improvements.

 

  64 Hits
  0 Comments

Copyright

© Joomla.org

64 Hits
0 Comments

Joomla 3.9.2 Release

Joomla 3.9.2 is now available. This is a security release for the 3.x series of Joomla which addresses 4 security vulnerabilities and contains over 50 bug fixes and improvements.

  87 Hits
  0 Comments

Copyright

© Joomla.org

87 Hits
0 Comments

Joomla! A Year in Review - 2018

As we countdown to 2019, we’ll be raising a glass (or two) to all our incredible volunteers who have made the leaps and bounds of 2018 possible.

  100 Hits
  0 Comments

Copyright

© Joomla.org

100 Hits
0 Comments

Joomla 3.9.1 Release

Joomla 3.9.1 is now available. This is a bug fix release for the 3.x series of Joomla including over 40 bug fixes and improvements.

 
  123 Hits
  0 Comments

Copyright

© Joomla.org

123 Hits
0 Comments

The First JoomlaCamp Chicago

JoomlaCampLogo_568x178
The first JoomlaCamp Chicago was held on September 22, at DePaul University's Loop Campus. With a wide range of questions and answers covered, participants left feeling excited to put their expanded Joomla! knowledge to use on their own sites.  
  101 Hits
  0 Comments

Copyright

© Joomla.org

101 Hits
0 Comments

Joomla Day Brasil 2018 Recap

jdaybrasilrecap
After a few years of absence, Joomla Day Brazil has returned in 2018. The event took place in the city of Guarulhos and was organized by JUG São Paulo and offered a diversity in the program that reflected how diverse the Joomla community is.
 
  182 Hits
  0 Comments

Copyright

© Joomla.org

182 Hits
0 Comments

Students of THM Gießen support Joomla - 10 years of Web Programming Weeks

THM Gießen has been organising "Web Programming Weeks" for 10 years. On the occasion of this year's anniversary, the Faculty of Mathematics, Natural Sciences and Computer Science (MNI) once again offered the opportunity to work intensively with the Joomla CMS.

Continue Reading on Joomla.org

  192 Hits
  0 Comments

Copyright

© Joomla.org

192 Hits
0 Comments

Joomla 3.8.12 Release

Joomla 3.8.12 is now available. This is a security release for the 3.x series of Joomla which addresses 3 security vulnerabilities and contains over 20 bug fixes and improvements.

  208 Hits
  0 Comments

Copyright

© Joomla.org

208 Hits
0 Comments