Don't hold off. The 2nd security issue is critical...

--- On Thu, 7/23/09, Stephen Burge <st...@joomlatraining.com> wrote:

> From: Stephen Burge <st...@joomlatraining.com>
> Subject: Re: [joomla] New Joomla release 1.5.13: Joomla! Security News
> To: ny...@lists.nyphp.org, s...@lists.nyphp.org
> Date: Thursday, July 23, 2009, 10:56 AM
>
> I believe there's a couple of bugs with the 1.5.13 release:
> http://forum.joomla.org/viewtopic.php?f=430&t=423159
>
> Might be good to hold off for 24 / 48 hours before updating. The Bug
> Squad is apparently busy getting the fixes ready.
>
> Steve
>
> Mitch Pirtle wrote:
> > Thanks Donna, I missed this totally in my avalanche of work and deadlines.
> >
> > -- Mitch
> >
> > On Thu, Jul 23, 2009 at 8:38 AM, Donna Marie Vincent<donnamarievinc...@yahoo.com> wrote:
> >
> >> Joomla! Security News
> >>
> >> ________________________________
> >>
> >> [20090722] - Core - Missing JEXEC Check
> >>
> >> Posted: 22 Jul 2009 04:36 PM PDT
> >>
> >> Project: Joomla!
> >> SubProject: Framework
> >> Severity: Moderate
> >> Versions: 1.5.12 and all previous 1.5 releases
> >> Exploit type: XSS
> >> Reported Date: 2009-July-21
> >> Fixed Date: 2009-July-22
> >>
> >> Description
> >>
> >> Some files were missing the check for JEXEC. These scripts will then expose
> >> internal path information of the host.
> >>
> >> Affected Installs
> >>
> >> All 1.5.x installs prior to and including 1.5.12 are affected.
> >>
> >> Solution
> >>
> >> Upgrade to latest Joomla! version (1.5.13 or newer).
> >>
> >> Reported by Juan Galiana Lara (Internet Security Auditors)
> >>
> >> Contact
> >>
> >> The JSST at the Joomla! Security Center.
> >>
> >> [20090722] - Core - File Upload
> >>
> >> Posted: 22 Jul 2009 04:17 PM PDT
> >>
> >> Project: Joomla!
> >> SubProject: TinyMCE editor
> >> Severity: Critical
> >> Versions: 1.5.12
> >> Exploit type: Image File upload
> >> Reported Date: 2009-July-22
> >> Fixed Date: 2009-July-22
> >>
> >> Description
> >>
> >> Tiny browser included with TinyMCE 3.0 editor allowed files to be uploaded
> >> and removed without logging in.
> >>
> >> Affected Installs
> >>
> >> Version 1.5.12 only
> >>
> >> Solution
> >>
> >> Upgrade to latest Joomla! version (1.5.13 or newer).
> >>
> >> Reported by Patrice Lazareff.
> >>
> >> Contact
> >>
> >> The JSST at the Joomla! Security Center.
> >>
> >> _______________________________________________
> >> New York PHP SIG: Joomla! Mailing List
> >> http://lists.nyphp.org/mailman/listinfo/joomla
> >>
> >> NYPHPCon 2006 Presentations Online
> >> http://www.nyphpcon.com
> >>
> >> Show Your Participation in New York PHP
> >> http://www.nyphp.org/show_participation.php
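An added example, not part of the original thread and not Joomla's own code: a Python audit that walks a site tree and lists PHP files whose first statement is not the `_JEXEC` guard the first advisory says some files were missing. The guard spelling (`defined('_JEXEC') or die`), the sample files and all function names are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed guard form: defined('_JEXEC') or die(...), as the first statement
# after <?php (only comments may come before it).
GUARD = re.compile(r"""\A\s*<\?php\s*
    (?:(?:/\*.*?\*/|//[^\n]*|\#[^\n]*)\s*)*
    defined\s*\(\s*['"]_JEXEC['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b""",
    re.S | re.X | re.I)
# Entry points define the constant instead of checking it.
ENTRY = re.compile(r"""\bdefine\s*\(\s*['"]_JEXEC['"]""", re.I)

def classify(source):
    """Return 'entry', 'guarded' or 'unguarded' for one PHP source string."""
    if ENTRY.search(source):
        return "entry"
    return "guarded" if GUARD.match(source) else "unguarded"

def audit(root):
    """List .php files under root (relative, '/'-separated) lacking the guard."""
    missing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                if classify(fh.read()) == "unguarded":
                    rel = os.path.relpath(path, root)
                    missing.append(rel.replace(os.sep, "/"))
    return sorted(missing)

# Constructed sample tree (not real Joomla files).
SAMPLES = {
    "index.php": "<?php\ndefine( '_JEXEC', 1 );\nrequire 'includes/app.php';\n",
    "includes/app.php": "<?php\n/**\n * @package Sample\n */\n\n// no direct access\n"
                        "defined( '_JEXEC' ) or die( 'Restricted access' );\nclass App {}\n",
    "includes/helper.php": "<?php\nrequire_once dirname(__FILE__) . '/missing.php';\n",
    "includes/late.php": "<?php\n$x = new Foo();\ndefined('_JEXEC') or die();\n",
}

def build_sample_tree(root):
    for rel, text in SAMPLES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(audit(tmp)))
```

A file that runs code before the guard is reported as unguarded, because the statements ahead of the check still execute on a direct request.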