Critical security vulnerability affects Joomla 1.5 through 3.4.5 — immediate update required
UPDATE, 21-Dec-2015: Please review this updated security announcement.
On 14 December 2015, the Joomla project announced a new security vulnerability affecting all current versions of Joomla 1.5 through 3.4.5.
This vulnerability has been detected in the wild, has been fully documented publicly, and remains an active threat to the security and integrity of most Joomla websites.
Updating Joomla 3 sites
We strongly advise you to update any Joomla 3 site to the latest 3.4.6 version without delay. You can do this via the Watchful dashboard or on each of your website backends. Updating to this version will also resolve the security issues reported in October.
Updating Joomla 1.5 and 2.x sites
Once a version of Joomla reaches the end-of-life (EOL) stage of development, official updates are no longer released. However, if critical security bugs are identified, unofficial fixes may be applied manually (via FTP for example).
To make it easier to apply updates for EOL Joomla versions, we’ve prepared security patches that may be installed from the Joomla backend. To use them:
- Backup your site(s).
- Download the installable EOL patches.
- Websites running Joomla 1.5 or 2.5* must first be updated to the latest versions — Joomla 1.5.26 (instructions) and 2.5.28 (instructions).
- Install the EOL patches via the in the Joomla installer of each site individually. Watchful users may use the Remote Installer to update all of their Joomla 1.5 and 2.5 sites at once.
* Thanks to the Joomla project — for releasing both the 3.4.6 patches, and details for manually updating EOL Joomla versions — and to DSD Business Internet/René Kreijveld who inspired the Joomla 2.5 installable patch which was used with their permission.