The popular open-source CMS Joomla was released today in version 3.6.5. This is primarily a security release, but it also fixes three bugs and hardens various areas.
Joomla 3.6.5 Release Notes
- High Priority – Core – Elevated Privileges (affecting Joomla! 1.6.0 through 3.6.4)
- Low Priority – Core – Shell Upload (affecting Joomla! 3.0.0 through 3.6.4)
- Low Priority – Core – Information Disclosure (affecting Joomla! 3.0.0 through 3.6.4)
- Security Hardening
 – Misc. Security Hardening
- Project: Joomla!
- SubProject: CMS
Joomla! 3.6.5 includes additional security hardening mechanisms prepared by the JSST, thanks in part to issue reports from Fotis Evangelou and Nicholas Dionysopoulos, which restrict a user’s ability to make potentially damaging configuration changes. This includes restricting the ability to set the “New User Registration Group” and “Guest User Group” to a group with Super User permissions and restricting the ability of a lesser privileged user to make user group assignment changes to users in a Super User group.
Additionally, we have modified the behavior of JUser::authorise() to only return a boolean value. Previously, this method could return either a boolean value or null because the underlying call to JAccess::check() can also return a null value; neither JUser::authorise() nor JAccess::check() documented this, though. We have determined, based on how the API is used, that JUser::authorise() should only return a boolean value. If a developer requires the previous behavior of a null return value (which indicates an “implicit” denied state versus “explicit” signified by boolean false), they should use JAccess::check() instead. The documentation for JAccess::check() has been updated to indicate the null return value as well.
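Why the null return matters for calling code, as an added stand-alone example (not Joomla's own code): a guard that only tests for an explicit false treats the implicit-deny null as permission. The helper names, the rule table and the boolean cast used to model the 3.6.5 behavior are assumptions made for illustration.

```php
<?php
// Stand-alone model of the tri-state ACL result described above.
// aclCheck() stands in for JAccess::check(); it is a hypothetical helper.
// Constructed sample rules: true = explicit allow, false = explicit deny,
// no entry = no rule set, which yields null (implicit deny).
$rules = array(
    'core.edit'   => true,
    'core.delete' => false,
    // 'core.admin' intentionally has no rule
);

function aclCheck(array $rules, $action)
{
    return array_key_exists($action, $rules) ? $rules[$action] : null;
}

// Model of the behavior before 3.6.5: the null reaches the caller.
function authoriseOld(array $rules, $action)
{
    return aclCheck($rules, $action);
}

// Model of the behavior from 3.6.5 on: always a boolean (assumed to be a cast).
function authoriseNew(array $rules, $action)
{
    return (bool) aclCheck($rules, $action);
}

// Guard that only recognises an explicit deny; null slips past it.
function guardStrictFalse($result)
{
    return $result === false ? 'blocked' : 'allowed';
}

// Guard that denies on anything other than boolean true.
function guardNotTrue($result)
{
    return $result !== true ? 'blocked' : 'allowed';
}

foreach (array('core.edit', 'core.delete', 'core.admin') as $action) {
    $old = authoriseOld($rules, $action);
    $new = authoriseNew($rules, $action);
    printf(
        "%-12s old=%-5s (=== false guard: %-7s) new=%-5s (=== false guard: %-7s) !== true guard on old: %s\n",
        $action, var_export($old, true), guardStrictFalse($old),
        var_export($new, true), guardStrictFalse($new), guardNotTrue($old)
    );
}
```

Extension code that compares the result of an authorisation call against false with a strict operator is worth reviewing when it must also run on releases before 3.6.5; testing for anything other than true fails closed in both cases.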