As part of our post-release review process for the 3.6.4 release, the Joomla! Security Strike Team has identified and confirmed an additional side effect of the issue resolved in security advisory 20161002 (CVE-2016-8869) and as such we have revised our assessment of this issue.

Joomla 3.6.4

Joomla! 3.6.4 is now available. This is a security release for the 3.x series of Joomla! which addresses three critical security vulnerabilities and a bug fix for two-factor authentication. We strongly recommend that you update your sites immediately.

This release only contains the security fixes and bug fix; no other changes have been made compared to the Joomla! 3.6.3 release.

Note: This announcement was revised on 27 October to include a third vulnerability confirmed after the release, please see this announcement for additional information.
Joomla Security Release

What's in 3.6.4

Version 3.6.4 is released to address two critical security issues and a bug regarding two-factor authentication.

Security Issues Fixed

  • High Priority - Core - Account Creation (affecting Joomla! 3.4.4 through 3.6.3) More information »
  • High Priority - Core - Elevated Privileges (affecting Joomla! 3.4.4 through 3.6.3) More information »
  • High Priority - Core - Account Modifications (affecting Joomla! 3.4.4 through 3.6.3) More information »

Bug Fixes

  • [#12497] Two-Factor Authentication encryption fix

Please see the documentation wiki for FAQ’s regarding the 3.6.4 release.

Joomla Security Announcement

A Joomla! 3.6.4 release containing a security fix will be published on Tuesday 25th October at approximately 14:00 UTC.

The Joomla! Security Strike Team (JSST) has been informed of a critical security issue in the Joomla! core.

Since this is a very important security fix, please be prepared to update your Joomla! installations next Tuesday.

Until the release is out, please understand that we cannot provide any further information.