Project: Joomla!
SubProject: All
Severity: Low
Versions: 2.5.9 and earlier 2.5.x versions. 3.0.3 and earlier 3.0.x versions.
Exploit type: XSS Vulnerability
Reported Date: 2013-February-26
Fixed Date: 2013-April-24
CVE Number: CVE-2013-3059
Description: Inadequate filtering leads to an XSS vulnerability in the Voting plugin.
Affected Installs: Joomla! version 2.5.9 and earlier 2.5.x versions; and version 3.0.3 and earlier 3.0.x versions.
Solution: Upgrade to version 2.5.10, 3.1.0 or 3.0.4.
Contact: The JSST at the Joomla! Security Center.
Reported By: Yannick Gaultier and Jeff Channell
Read more from the original source:
[20130405] – Core – XSS Vulnerability
Project: Joomla!
SubProject: All
Severity: Moderate
Versions: 2.5.9 and earlier 2.5.x versions. 3.0.3 and earlier 3.0.x versions.
Exploit type: XSS Vulnerability
Reported Date: 2013-March-9
Fixed Date: 2013-April-24
CVE Number: CVE-2013-3058
Description: Inadequate filtering allows the possibility of an XSS exploit in some circumstances.
Affected Installs: Joomla! version 2.5.9 and earlier 2.5.x versions; and version 3.0.3 and earlier 3.0.x versions.
Solution: Upgrade to version 2.5.10, 3.1.0 or 3.0.4.
Contact: The JSST at the Joomla! Security Center.
Reported By: James Kettle
Continued here:
[20130403] – Core – XSS Vulnerability
Project: Joomla!
SubProject: All
Severity: Low
Versions: 2.5.9 and earlier 2.5.x versions. 3.0.3 and earlier 3.0.x versions.
Exploit type: Information Disclosure
Reported Date: 2013-March-29
Fixed Date: 2013-April-24
CVE Number: CVE-2013-3057
Description: Inadequate permission checking allows an unauthorised user to see permission settings in some circumstances.
Affected Installs: Joomla! version 2.5.9 and earlier 2.5.x versions; and version 3.0.3 and earlier 3.0.x versions.
Solution: Upgrade to version 2.5.10, 3.1.0 or 3.0.4.
Contact: The JSST at the Joomla! Security Center.
Reported By: Francois Gauthier
Read the original:
[20130402] – Core – Information Disclosure
Project: Joomla!
SubProject: All
Severity: Low
Versions: 2.5.9 and earlier 2.5.x versions. 3.0.3 and earlier 3.0.x versions.
Exploit type: XSS Vulnerability
Reported Date: 2013-February-15
Fixed Date: 2013-April-24
CVE Number: None
Description: Use of an old version of the Flash-based file uploader leads to an XSS vulnerability.
Affected Installs: Joomla! version 2.5.9 and earlier 2.5.x versions; and version 3.0.3 and earlier 3.0.x versions.
Solution: Upgrade to version 2.5.10, 3.1.0 or 3.0.4.
Contact: The JSST at the Joomla! Security Center.
Reported By: Reginaldo Silva
See more here:
[20130404] – Core – XSS Vulnerability
Project: Joomla!
SubProject: All
Severity: Low
Versions: 2.5.9 and earlier 2.5.x versions. 3.0.3 and earlier 3.0.x versions.
Exploit type: Privilege Escalation
Reported Date: 2013-March-29
Fixed Date: 2013-April-24
CVE Number: CVE-2013-3056
Description: Inadequate permission checking allows an unauthorised user to delete private messages.
Affected Installs: Joomla! version 2.5.9 and earlier 2.5.x versions; and version 3.0.3 and earlier 3.0.x versions.
Solution: Upgrade to version 2.5.10, 3.1.0 or 3.0.4.
Contact: The JSST at the Joomla! Security Center.
Reported By: Francois Gauthier
See the rest here:
[20130401] – Core – Privilege Escalation
Project: Joomla!
SubProject: All
Severity: Moderate
Versions: 2.5.9 and earlier 2.5.x versions. 3.0.3 and earlier 3.0.x versions.
Exploit type: Denial of service vulnerability
Reported Date: 2013-February-18
Fixed Date: 2013-April-24
CVE Number: CVE-2013-3242
Description: An object unserialize method leads to a possible denial of service vulnerability.
Affected Installs: Joomla! version 2.5.9 and earlier 2.5.x versions; and version 3.0.3 and earlier 3.0.x versions.
Solution: Upgrade to version 2.5.10, 3.1.0 or 3.0.4.
Contact: The JSST at the Joomla! Security Center.
Reported By: Egidio Romano
Original post:
[20130406] – Core – DOS Vulnerability
Project: Joomla!
SubProject: All
Severity: Low
Versions: 2.5.9 and earlier 2.5.x versions. 3.0.3 and earlier 3.0.x versions.
Exploit type: XSS Vulnerability
Reported Date: 2013-April-17
Fixed Date: 2013-April-24
CVE Number: CVE-2013-3267
Description: Inadequate filtering leads to an XSS vulnerability in the highlighter plugin.
Affected Installs: Joomla! version 2.5.9 and earlier 2.5.x versions; and version 3.0.3 and earlier 3.0.x versions.
Solution: Upgrade to version 2.5.10, 3.1.0 or 3.0.4.
Contact: The JSST at the Joomla! Security Center.
Reported By: Vertical Pigeon
Read the original post:
[20130407] – Core – XSS Vulnerability
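All seven April 2013 advisories above (20130401 through 20130407) share one affected range, 2.5.x up to 2.5.9 and 3.0.x up to 3.0.3, and one set of fixed releases, 2.5.10, 3.0.4 and 3.1.0. The triage script below is an added example written for this page; it is not code from the Joomla project or from the JSST. It reads the $RELEASE and $DEV_LEVEL properties of the JVersion class, which Joomla 2.5 and 3.0 ship in libraries/cms/version/version.php (the path and property names are an assumption about that file's layout; check them against your install), and reports whether the site falls inside the range these advisories cover and which release closes it. The sample file contents are constructed for the example.

```python
"""Triage a Joomla! install against the seven April 2013 JSST advisories.

Every advisory in that batch lists the same affected range and fixes:
  affected: 2.5.x <= 2.5.9 and 3.0.x <= 3.0.3
  fixed in: 2.5.10, 3.0.4 and 3.1.0
"""
import re
from typing import NamedTuple, Optional

# Constructed sample of libraries/cms/version/version.php as shipped with
# Joomla! 2.5.9.  The property names ($RELEASE, $DEV_LEVEL) are an assumption
# about JVersion's layout; verify against the real file before relying on it.
SAMPLE_VERSION_PHP = """<?php
final class JVersion
{
    /** @var  string  Product name. */
    public $PRODUCT = 'Joomla!';
    /** @var  string  Release version. */
    public $RELEASE = '2.5';
    /** @var  string  Maintenance version. */
    public $DEV_LEVEL = '9';
    /** @var  string  Development status. */
    public $DEV_STATUS = 'Stable';
}
"""

# Per affected branch: (last affected maintenance level, patch release that
# fixes it), taken from the Versions/Solution fields of the advisories.
AFFECTED = {
    (2, 5): (9, "2.5.10"),
    (3, 0): (3, "3.0.4"),
}


class Triage(NamedTuple):
    version: str
    affected: bool
    upgrade_to: Optional[str]
    note: str


def parse_jversion(source: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from JVersion's $RELEASE and $DEV_LEVEL."""
    release = re.search(r"\$RELEASE\s*=\s*'(\d+)\.(\d+)'", source)
    dev_level = re.search(r"\$DEV_LEVEL\s*=\s*'(\d+)'", source)
    if not release or not dev_level:
        raise ValueError("RELEASE/DEV_LEVEL not found; not a JVersion file?")
    return int(release.group(1)), int(release.group(2)), int(dev_level.group(1))


def triage(version: tuple[int, int, int]) -> Triage:
    """Decide whether a version is inside the range the advisories cover."""
    major, minor, patch = version
    label = f"{major}.{minor}.{patch}"
    branch = AFFECTED.get((major, minor))
    if branch is None:
        if (major, minor) > (3, 0):
            # 3.1.0 is itself one of the fixed releases.
            return Triage(label, False, None, "branch starts at or after the fixed releases")
        return Triage(label, False, None, "branch not listed in these advisories; no claim either way")
    last_affected, fixed = branch
    if patch <= last_affected:
        return Triage(label, True, fixed, "inside the range covered by all seven advisories (3.1.0 is also a fixed release)")
    return Triage(label, False, None, "already at or past the fixed release for this branch")


def triage_file(source: str) -> Triage:
    """Convenience wrapper: triage the contents of a JVersion file."""
    return triage(parse_jversion(source))


if __name__ == "__main__":
    print(triage_file(SAMPLE_VERSION_PHP))
```

Point triage_file at the real version.php of each site you administer; the branch-aware result avoids the common mistake of treating 3.1.0 as "newer than 3.0.4, so also affected", and it deliberately refuses to pronounce on branches (such as 1.5.x) that these advisories do not mention.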
Over the last few months, the Platform team of maintainers and developers has been talking about future directions. One of our goals for this year is to introduce namespacing. This has been a very large undertaking and, as work has progressed, it has become obvious that backward compatibility was going to be a constant battle. One negative side-effect would be that the Joomla CMS would not be able to use the planned 13.1 release of the Platform for some time if we introduced namespacing in that version. After a lot of discussion, both internally and with other developers in the community, we have decided to make some changes to the Platform, both to address this problem and to take advantage of some new opportunities.
Original post:
The New Joomla Framework
As part of the normal budgeting process, the Production Leadership Team has come up with six goals for 2013. Those goals concern releases of the Joomla Platform and the Joomla CMS, continuing maintenance updates, and outreach and promotion to a technical audience.

Goal #1: Complete Three Iterations of the Joomla Platform Project

Our goal is to release at least three new versions of the Joomla Platform in 2013. The timing of releases is not exact and is used only for the benefit of planning. As such, we anticipate the following releases this year:

Platform Release 13.1 on or about 31 March, 2013
Platform Release 13.2 on or about 30 June, 2013
Platform Release 13.3 on or about 31 October, 2013

The following sub-goals are also envisioned for the Joomla Platform.

1.1 Define and Ratify the Version and Deprecation Strategy for the Platform

The release strategy for the Joomla Platform differs a little from the CMS because we generally consider work within a "year" as opposed to work within a particular "version". However, the system is a little ad hoc and we'd like to bring some clarity to releasing the Joomla Platform. In addition, we aim to ratify the deprecation policy.

1.2 Implement Tools to Assist with Collaboration

We aim to look at tools that can be used to assist people working collaboratively on features within the Joomla Platform, and also help people work out what they can do, be that in the area of development, documentation or even general administrative maintenance. Possible outcomes could include a better policy for how we use the Joomla Platform's issue tracker on GitHub, or looking at other tools like Jira.

1.3 Introduce Namespacing

We aim, this year, to introduce namespacing to the Joomla Platform and to bring the core source tree into compliance with PSR-1. Doing so will allow the Joomla Platform to be integrated with other PHP projects and give developers using the Joomla Platform more options.

1.4 Lift Code Coverage for Each Package to a Minimum of 50%

We want to challenge the Joomla development community to raise our code quality and, this year, to ensure that all packages in the core platform have no less than 50% code coverage (lines of code).

1.5 Add Complete Documentation for 5 New Packages in the Platform Manual

We want to encourage the Joomla development community to add complete documentation for at least five packages that currently do not have documentation.

Goal #2: Complete Two Full Iterations of the Joomla CMS Project

We will release new versions of the Joomla CMS according to this schedule:

CMS Release 3.1 in March, 2013
CMS Release 3.2 in September, 2013

We will use PLT summits to discuss issues regarding the releases, supplemented by virtual meetings. We will examine and discuss ideas from the Joomla Ideas Pool, the Joomla Feature Patch Tracker and other sources. We will use these to announce visions or themes for CMS releases. To accomplish this, we need volunteer developers, documenters, and translators. We will facilitate Pizza, Bugs and Fun (PBF) events, code and documentation sprints, working group meetings, student programmes, roadmap sessions and other such events.

The following sub-goals are also envisioned for the Joomla CMS.

2.1 Lift Code Coverage for the CMS Libraries to 30%

We want to challenge the Joomla development community to raise our code quality and, this year, to ensure that the CMS libraries (the code found under /libraries/cms) have no less than 30% code coverage (lines of code).

2.1.1 Expand Test Coverage to Additional Code

In addition to unit testing the CMS libraries, unit test coverage should be expanded to other areas of the code, with a future goal of all PHP classes being testable. Prime candidates for unit testing would be the classes in the various /includes folders (application classes) and the FinderIndexer classes (administrator/components/com_finder/helpers/indexer).

2.2 Enforce Joomla Coding Standards in All CMS Files

Presently, the CMS enforces only a small subset of the Joomla Coding Standard, and excludes numerous files from being scanned for the various rules. Developers are encouraged to assist in bringing all files into compliance with the Joomla Coding Standard. This recognizes that the Joomla Coding Standard has different rules for alternate syntax in layout files.

2.3 Enforce Test Compliance Pre-Commit

The Joomla! CMS has numerous automated testing tools to assist in maintaining a high quality of code; however, patches to the CMS are not tested for compliance with these tests prior to being merged into the code base. We will determine a method to enforce automated test compliance (unit and system testing, code standard compliance) without making the user contribution process more difficult.

Goal #3: Release Maintenance Updates to the Current LTS and STS Releases as Required

While the fun part is new features and releases, a major part of our responsibility is to the existing releases. Normal maintenance releases of an existing long term support release will be made until 3 months after the general availability of the next long term support release. Ongoing support of the short term releases continues until a month after a superseding release. The number, timing, and nature of the maintenance releases depend on the circumstances. The Joomla Bug Squad and the Joomla Security Strike Team are the main volunteers spearheading this effort.

Goal #4: Outreach and Promotion of Joomla to a Technical Audience

The PLT aims to expand its outreach and promotion of Joomla to technical audiences, both those within and outside the Joomla project. We will do this by attending technical conferences and events, and speaking about current and future development within the project. Members of the Joomla community will be invited to speak about and promote Joomla at events worldwide.

4.1 Participate in the Google Summer of Code Program

The 2012 edition of the Google Summer of Code program was very successful, with several contributions to the Joomla Project (see http://conference.joomla.org/speakers/sessions/session/session/83-joomla-and-google-summer-of-code-2012.html ). This year the Joomla Project plans to maintain support of this initiative and encourages the community to actively participate in the program.

4.2 Review and Improve developer.joomla.org

We will be asking the development community to help us review the developer.joomla.org site to ensure that information is up-to-date, relevant and accurate. Our aim is that when people have questions about Joomla development, there is an easily found link on developer.joomla.org that they can be directed to that answers their question, or at least directs them to a place where they can find answers. To do this, we will need a team of volunteers to help identify areas of the site that are missing content or need content modified.

Goal #5: Improve Processes for Translating the Joomla Software and Support the Enhancement of the Joomla CMS Multilingual System

5.1 Support the Creation of at Least 3 New Internationalization Features in the Joomla CMS

Support the production teams in implementing improvements in the language areas of the project ("multilingual" and "language packages"). See these examples from 2012:

News in Languages in Joomla 3.0.3: http://community.joomla.org/blogs/community/1714-languages-in-303-what-is-new.html
News in Languages in Joomla 3.0.2: http://community.joomla.org/blogs/community/1695-multilanguage-in-302-whats-new.html

5.2 Halve the Dedicated Time Needed by a Translation Team Member to Provide a Language Package for Joomla

In agreement with the Translation Team, dedicate resources to improving processes and tools to automate the creation of translation packages and uploading them to the Joomla Languages Server.

5.3 Meet 3rd Party Developers' Needs by Translating Their Joomla Extensions, and Find Ways to Improve and Cooperate Together

Projects like Facebook ( http://www.insidefacebook.com/… ), RememberTheMilk ( http://www.rememberthemilk.com/…/ ) and other projects using https://www.transifex.com are taking advantage of their communities in order to localize their software. Joomla is being translated by its community into 64 languages, but there is plenty of space for more languages and more community participation. At the same time, many Joomla 3rd party developers are searching for a solution for how their communities can contribute to the translation of their extensions. It is a goal for 2013 to study and identify common needs between the Joomla project and 3rd party developers interested in joining efforts, in order to plan a solution for increasing international community involvement in the translation of software. Some tools already exist that can be improved: http://extensions.joomla.org/extensions/languages/language-edition/17755

Goal #6: Refine and Improve the User Contribution Process

Since transitioning from SVN to Git in late 2011, the PLT has recognized that there have been struggles with the contribution process, particularly towards the CMS. Much of this headache exists in the issue/feature tracking processes, which are not connected to GitHub at present. The PLT aims to improve this process in 2013 by investigating ways to improve the existing Joomlacode infrastructure or by evaluating the potential of implementing a new tracking system which suits the project's requirements and improves native integration with GitHub.

Community Feedback Requested

Feedback, comments, and discussion on the 2013 production goals are welcome. In order to facilitate communication, we encourage users to respond with their feedback on this thread on the Joomla General Development mailing list: https://groups.google.com/d/topic/joomla-dev-general/6K-mnKwzC2E/discussion
View original post here:
Production Goals for 2013
Following are the meeting notes from the Production Leadership Team meeting held in February 2013.
Read more:
PLT Meeting Notes – February 2013