
Joomla, the popular open-source CMS, was released today in version 3.6.5. This is primarily a security release, but it also fixes three bugs and hardens various areas.
Joomla 3.6.5 Release Notes
- High Priority – Core – Elevated Privileges (affecting Joomla! 1.6.0 through 3.6.4)
- Low Priority – Core – Shell Upload (affecting Joomla! 3.0.0 through 3.6.4)
- Low Priority – Core – Information Disclosure (affecting Joomla! 3.0.0 through 3.6.4)
- Security Hardening
[20161204] – Misc. Security Hardening
- Project: Joomla!
- SubProject: CMS
Description
Joomla! 3.6.5 includes additional security hardening mechanisms prepared by the JSST, thanks in part to issue reports from Fotis Evangelou and Nicholas Dionysopoulos, which restrict a user’s ability to make potentially damaging configuration changes. This includes restricting the ability to set the “New User Registration Group” and “Guest User Group” to a group with Super User permissions and restricting the ability for a lesser privileged user to make user group assignment changes to users in a Super User group.
Additionally, we have modified the behavior of JUser::authorise() to only return a boolean value. Previously, this method could return either a boolean value or null because the underlying call to JAccess::check() can also return a null value; neither JUser::authorise() nor JAccess::check() documented this though. We have determined, based on how the API is used, that JUser::authorise() should only return a boolean value. If a developer requires the previous behavior of a null return value (which indicates an “implicit” denied state versus “explicit” signified by boolean false), they should use JAccess::check() instead. The documentation for JAccess::check() has been updated to indicate the null return value as well.
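As an added illustration (not code from the advisory or from Joomla itself), the following self-contained PHP models the three-state result described above and shows why a caller written around a strict boolean can mis-handle the null implicit-deny state; the rule table, group names and asset name are constructed for this example.

```php
<?php
// Added example, not Joomla's own code: models the three-state result of an
// access check as the advisory describes JAccess::check() (true / false / null)
// and the two-state wrapper as JUser::authorise() behaves from 3.6.5 on.
// Rule table, user groups and asset name are constructed for this example.
declare(strict_types=1);

/**
 * Three-state check modelled on JAccess::check():
 *   true  = an explicit allow rule matched one of the user's groups,
 *   false = an explicit deny rule matched (deny always wins),
 *   null  = no rule exists for this action/asset at all (implicit deny).
 */
function checkThreeState(array $rules, string $action, string $asset, array $userGroups): ?bool
{
    if (!isset($rules[$asset][$action])) {
        return null;                  // nothing configured: implicit deny
    }
    $result = null;
    foreach ($rules[$asset][$action] as $group => $allowed) {
        if (in_array($group, $userGroups, true)) {
            if ($allowed === false) {
                return false;         // explicit deny overrides any allow
            }
            $result = true;
        }
    }
    return $result;
}

/** Two-state wrapper modelled on JUser::authorise() after 3.6.5: null collapses to false. */
function authoriseBoolean(array $rules, string $action, string $asset, array $userGroups): bool
{
    return checkThreeState($rules, $action, $asset, $userGroups) === true;
}

// Constructed rule set: core.manage on com_example is allowed for "admin" and
// denied for "guest"; nothing at all is configured for core.delete.
$rules = [
    'com_example' => ['core.manage' => ['admin' => true, 'guest' => false]],
];
$guest = ['guest'];

// Fragile caller pattern: treating "not false" as "allowed". With a null-capable
// authorise(), an unconfigured action slips through this test as permitted.
$raw = checkThreeState($rules, 'core.delete', 'com_example', $guest); // null
$fragileDecision = ($raw !== false);                                  // true (wrong)

// Safe pattern: only an explicit true is an allow; implicit deny stays denied.
$safeDecision = authoriseBoolean($rules, 'core.delete', 'com_example', $guest); // false

var_dump($raw, $fragileDecision, $safeDecision);
```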