J! 3.3.6 and 2.5.27 Security Releases and Shellshock


Joomla 3.3.6 and Joomla 2.5.27 have been released.

Both packages are high-priority security releases, so all Joomla 3.x websites should upgrade to Joomla 3.3.6 and all Joomla 2.5 series websites to Joomla 2.5.27. According to the Joomla technical requirements, the Joomla 3.3.6 release will only work on PHP 5.3.10 or later.

Here is a quick summary that will help you decide:

If your website is using

As usual, back up before upgrading your Joomla websites and verify that all third-party extensions (including your template) are compatible.

In case you upgraded to 2.5.26/3.2.6/3.3.5

If you had previously upgraded to one of the "short-lived" 2.5.26/3.2.6/3.3.5 releases, in which an upgrader bug slipped in, you will notice that the one-click upgrade method will not work to upgrade to 2.5.27/3.2.7/3.3.6. Instead, you will need to use one of the alternative upgrade methods, B or C.

Shellshock is a real threat

Disclosed on September 24th, 2014, Shellshock, also known as Bashdoor, is a family of security bugs affecting the widely used Unix Bash shell. Simply put, this bug allows remote attackers to execute arbitrary code on hosting environments using unpatched Bash shells.

Security-wise, this is as bad as it gets, and the potential harm that can be inflicted is enormous. Everyone needs to take action now: either patch their hosts as needed or make sure that their hosting environments are secure.

So, if you are in charge of maintaining a host that has a Unix Bash shell, you need to patch it now. Also make sure that you upgrade all your computers, network devices and any other embedded equipment that might contain Bash, including old ones: this bug has been present, and unnoticed, for 22 years.

Even if you are not aware that you are using a Bash shell, your web server environment might be using it to execute your Joomla PHP code.

If your website is hosted by a third party, contact the host's helpdesk and confirm that your environment is secure against this bug.
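If you administer the host yourself, you can confirm the patch state locally. The script below is an added example, not part of the original post or of the Joomla project: it runs the well-known self-check for the original Shellshock flaw, where Bash imported exported variables beginning with `() {` as function definitions and, on unpatched builds, also executed the text after the closing brace. The variable name and marker string are constructed for this example.

```shell
#!/bin/sh
# Added example: local self-check for the original Shellshock flaw.
# Prints exactly one of: patched | vulnerable | no-bash
# Optional first argument: path to an alternate bash binary to test.
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # SHELLSHOCK_PROBE is a constructed marker variable. A patched bash
    # ignores the trailing "echo" when importing the environment, so the
    # marker text never appears in the child's output.
    out=$(env SHELLSHOCK_PROBE='() { :;}; echo VULNERABLE_MARKER' \
          "$bash_bin" -c 'echo probe-done' 2>/dev/null || true)
    case "$out" in
        *VULNERABLE_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Succeeds (exit 0) only when the tested bash reports "patched".
shellshock_ok() {
    status=$(shellshock_status "$@")
    [ "$status" = "patched" ]
}

# Stand-alone run: report the status of the default bash on this host.
printf 'bash shellshock status: %s\n' "$(shellshock_status)"
```

A "patched" result covers only the original function-import flaw; follow-up fixes shipped in the days after the disclosure, so rely on your distribution's package updates rather than on this check alone, and run it in the same account and environment your web server uses.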