Joomla! 1.0.9 [ Sunshine ] is now available as of Monday 05th June 2006 18:00 UTC for download here.
We suggest that all Joomla! users upgrade to this version.
1.0.9 contains the following changes:
- 12 Low Level Security Fixes
- 160+ General bug fixes
- Several Performance enhancements
Although this release contains 12 security fixes, as they are of a low level nature, this release is being characterized as a Stability/General release. If you are running 1.0.8, you are advised to upgrade to 1.0.9 as it fixes several annoying non-critical errors in 1.0.8
1.0.9 is available as a Full Package, which contains all Joomla! files and Patch Packages which contain only the files that have been changed by the Stability work conducted from previous Joomla! 1.0.x versions.
New to Joomla! or starting a new site
Are you a new Joomla! user? Confused as to which of the 30 available packages to download?
The answer is simple. If you are creating a site for the first time, you will need the Full Package file:
The other packages are for those users who have already have an existing Joomla! site and wish to upgrade to the latest version.
Upgrading from any version of Joomla! 1.0.x to 1.0.9, simply involves overwriting your current sites files, with the files in the proper Patch Package that applies to your site. This is also the case for those users who are currently using a 1.0.9 Beta version.
So if you are running Joomla! 1.0.5, you will need the 1.0.5 to 1.0.9 Patch Package.
This can be done by either uncompressing the Patch Package and then using an FTP client to transfer these files to your server and overwriting existing file. If you find errors after the process, ensure that all files were properly transferred. There have been verified reports of some FTP clients not properly transferring files across to a server - without notifying the user of such a problem.
If your Web Provider gives you access to your site via some sort of Web Admin panel like CPanel or Plesk, you can use the system's file manager to upload the Patch Package file to your server and then extracting the package file and overwriting all the files on your server.
More information can be found on the Forums and if at any stage you are unsure, then search the forums for posts on the subject. Most will be found in the Upgrading Forum.
Before undertaking an Upgrade or Conversion, it is extremely important that you backup your site Database and if possible, also you site files. While we try to ensure that an Upgrade or Conversion process is relatively straightforward, we cannot guarantee that this will always be the case for every user. So it is imperative that users take protective measures in case they face problems after the Upgrade or Conversion.
To ensure the integrity of the files you are downloading, you are advised only to download from the 'Official Source' on the Official Joomla! Forge. As an extra security measure we now make available the MD5 checksum values of the respective package files, to allow people to do integrity checking.
Joomla! 1.0.9 comes as a Full Package:
- 1.0.9 Stable Full Package
and Patch Packages:
It also comes packaged in 3 different compression formats
Joomla! 1.0.9 Contains twelve (12) fixes for Low Level Security Vulnerabilities.
Low Level Threat Fixes
A1 Unvalidated Input
- A1 - Harden mosmsg
- A1 - Hardening of backend `User Manager` to stop 'Administrators' from being able to create 'Super Administrator' users
A2 Broken Access Control
- A2 - Breadcrumbs title visibility even when access restricted
- A2 - 'Edit Your Details' page now needs a published menu item to be accessible
- A2 - 'Check-In My Items' page now needs a published menu item to be accessible
- A2 - 'Submit News' page now needs a published menu item to be accessible
- A2 - 'Submit Weblink' page now needs a published menu item to be accessible
- A2 - Add ability to selectively disable certain types of syndicated feeds
- A2 - Ensure module caching does not inadvertently make special level modules visible to registered users
- A2 - Add ability to totally disable access to frontend login page
- A2 - Add ability to disable frontend user params
A3 - Broken Authentication and Session Management
- A3 - Changes to access level of user account will kill any active session for that user
OWASP Vulnerability Categorization
Since 1.0.8, Joomla! has started adopting the Open Web Application Security Project (OWASP) Top Ten Vulnerability categorization system, to standardize the categorization of security vulnerability reports.
Query Performance Improvements
1.0.9 contains query performance improvements that should lead to slightly better database performance for Joomla! sites.
There is roughly a 20% reduction in number of queries called in 1.0.9 compared to 1.0.8
In all earlier versions of 1.0.x the core caching functionality is basically does not work, this has now been corrected in 1.0.9
This means that activating Joomla! caching should now lead to actual performance improvements.
MOSImage Performance Issue
There is a performance issue in regards to the MOSImage Manager that can slow the loading of the Content Item create/edit page when you have a large number of images in the /images/stories/ directory.
To solve this, new functionality has been added to 1.0.9
Losing data by getting Logged out
One common problem in the 1.0.x series is getting logged out (because your session has expired) and losing the data you had been working on. This has been addressed in 1.0.9 by a slight change in the logout system. This should mean that the circumstance of losing data due to being logged out will be a thing of the past.
Language File changes
In 1.0.9 modifications were made regards the frontend static language file. For non-english Joomla! users (users who use a different language file for their site instead of the default english.php) this may cause some minor issues.
Until the 3rd Party Development team in charge of creating your specific language file has updated their language versions, then you need to make the changes in your language file yourself.
Other fixes & improvements
Any other new improvements in 1.0.9 will be blogged about in the Official Joomla! Developers Blog.
A very big thank you must go to the community in assisting with this release.
In the lead up to 1.0.9 stable 2 beta releases were made available to the community for testing. This is the first time the community has been given access to such Beta release for the 1.0.x series. It was done in the hope of improving the testing process and we believe that this has indeed been the case, as can be seen from the community reported bugs submitted after these releases.
It is only through the partnership with a strong vibrant and active community that Joomla! can continue to be successful.
Rey Gigataras [stingrey]
Joomla! Core Team Member
Stability Team Leader