Joomla 3.9.6
8 May 2019
Joomla version 3.9.6 is now available (security release).
Upgrading to Joomla 3.9.6
Joomla 3.9.6 can be upgraded to (or installed) using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Joomla updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Joomla install to test the 3.9.6 upgrade prior to applying it live.
What's New in Joomla 3.9.6
Security
- Low Priority - Core - XSS in com_users ACL debug views (affecting Joomla 1.7.0 through 3.9.5) - The debug views of com_users do not properly escape user-supplied data, which leads to a potential XSS attack vector.
- Low Priority - Core - By-passing protection of Phar Stream Wrapper Interceptor (affecting Joomla 3.9.3 through 3.9.5) - In Joomla 3.9.3, the vulnerability of insecure deserialization when executing Phar archives was addressed by removing the known attack vector in the Joomla core. To intercept file invocations such as file_exists or stat on compromised Phar archives, the base name of the archive has to be determined and checked before the call is allowed to be handled by PHP's Phar stream handling. The implementation used, however, is vulnerable to path traversal, leading to scenarios where the Phar archive being assessed is not the actual (compromised) file.
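The Phar item above comes down to resolving dot segments before deciding which archive a phar:// path addresses, so that the file being checked is the file that will be opened. The PHP sketch below is an added example, not Joomla's or the interceptor's own code; the function names, the ".phar only" policy and the sample files are assumptions constructed for illustration.

```php
<?php
// Added example; function names and the ".phar only" policy are hypothetical.
/** Resolve "." and ".." segments lexically, without touching the filesystem. */
function canonicalPath(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '..') {
            array_pop($out);              // cannot climb above the root
        } elseif ($seg !== '' && $seg !== '.') {
            $out[] = $seg;
        }
    }
    return (strpos($path, '/') === 0 ? '/' : '') . implode('/', $out);
}

/** Return the archive file a phar:// URL addresses, or null if there is none. */
function pharBaseFile(string $url): ?string
{
    if (stripos($url, 'phar://') !== 0) {
        return null;
    }
    $parts = explode('/', canonicalPath(substr($url, 7)));
    for (; $parts; array_pop($parts)) {   // longest candidate first
        $candidate = implode('/', $parts);
        if ($candidate !== '' && is_file($candidate)) {
            return $candidate;
        }
    }
    return null;
}

/** Assumed policy for this sketch: only files named *.phar may be opened. */
function isAllowedArchive(?string $base): bool
{
    return $base !== null && strtolower(pathinfo($base, PATHINFO_EXTENSION)) === 'phar';
}

// Constructed sample files in a temporary directory.
$dir = sys_get_temp_dir() . '/phar-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (['trusted.phar', 'upload.jpg'] as $f) touch("$dir/$f");
$urls = ["phar://$dir/trusted.phar/src/a.php", "phar://$dir/trusted.phar/../upload.jpg/src/a.php"];
foreach ($urls as $url) {
    $base = pharBaseFile($url);           // assessed after canonicalisation
    printf("%s => %s\n", basename((string) $base), isAllowedArchive($base) ? 'allowed' : 'rejected');
}
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Because the base file is determined from the canonical path, the second URL is assessed against the file it actually addresses rather than the first archive-looking segment in the string.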
Bug fixes and Improvements
- Media Manager: Fix logic in file upload check introduced in 3.9.5 #24637
- Edge Chromium support added #24379
- User Notes: Fix date format #24529
- Frontend editing: article category editable by Publishers and up #24640
- Cache: Cache folder automatically created if it doesn’t exist #21952
- PostgreSQL database improvements #24682 #24683 #24652