Joomla! 3.4.7 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability and one low level security vulnerabilities. We strongly recommend that you update your sites immediately.
This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.6 release.
What's in 3.4.7
Version 3.4.7 is released to address two reported security vulnerabilities and includes security hardening of the MySQLi driver to help prevent object injection attacks.
The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). The only Joomla sites affected by this bug are those which are hosted on vulnerable versions of PHP. We are aware that not all hosts keep their PHP installations up to date so we are making this release to deal with this issue on vulnerable PHP versions.
Security Issues Fixed
- High Priority - Core - Session Hardening (affecting Joomla 1.5 through 3.4.6) More information »
- Low Priority - Core - SQL Injection (affecting Joomla 3.0.0 through 3.4.6) More information »
Please see the documentation wiki for FAQ’s regarding the 3.4.7 release. It is important to note that due to some session changes you will not be able to edit items until you log out and log back in again. Please note that there has been a backwards compatibility break regarding how session management is handled. If you are using the documented Joomla API you will have no issues. The changes are fully documented in the release documentation.
New Installations:Download Joomla 3.4.7
English (UK), 3.4.7 Full Package
Upgrade Packages:Upgrade Packages
Joomla 3 upgrade packages
Note: Please read the update instructions before updating.
Please remember to clear your browser's cache after upgrading.
Joomla 1.5 and 2.5
Joomla does not release updates for EOL versions however we have made patches available for download which can be found at https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions.
A Huge Thank You!
Thank you to the Joomla Security Strike Team for their swift resolution of this issue. Thanks to Akeeba for helping the JSST with the Session Hardening patch.
Joomla Security Strike Team
A big thanks to the Joomla Security Strike Team for their ongoing work to keep Joomla secure. Members include: Matias Aguirre, Michael Babker, Beat B., Mark Boos, Marco Dings, Matias Griese, Thomas Hunziker, David Jardin, Alan Langford, Jean-Marie Simonet, Phil Taylor, Viktor Vogel, George Wilson, Davide Tampellini
Security Team Leadership: Viktor Vogel, Coordinator
Image Credit: Chiara Aliotta and Helvecio Da Silva