From the Joomla.org website:
The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.6 [Vusani]. This is a quick turnaround security release to address a high-level security issue and it is recommended all users upgrade immediately.
A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user's username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).
For more information about this exploit, visit the Joomla Security Blog.
The pace of improvements to Joomla 1.5 seems to be quickening this summer, as we're seeing new versions in weeks now.
This release also contains "important SEF URL improvements and fixes for com_content in addition to a number of bug fixes and improvements."
Be sure to upgrade today, especially if you upgraded to version 1.5.4.
The Joomla Project recently announced the release of the latest version of our favorite CMS, Joomla 1.5.4, codenamed "Naiki."
Quoting from the news item on Joomla.org, here are some of the bug fixes announced with this release:
- Several Search component fixes, including the removal of HTML tags as possible search results
- Banners can handle Flash items
- Polls and Latest and Most Popular articles listed in the Administrator now support GMT dates
- Several OpenID improvements
- Several critical security improvements
The Joomla Project recommends upgrading your version ASAP. Download and upgrade today!
Bravo to the Joomla development team for their continuous and consistent improvement of our beloved Joomla.
The Joomla Project celebrated its second birthday this month with Release Candidate 2, the second of three release candidates for Joomla 1.5. Check it out!
- Read the official news
- Get Joomla 1.5 RC2
- Instructions for upgrading from RC1 to RC2
- Discuss Joomla 1.5 on our forum
- Vote for the Joomlashack Templates you want to see converted for 1.5!
While still not ready for production sites, the Joomla folks are feeling that a final stable release is coming sometime before the end of 2007. Stay tuned to Joomlashack for updates.