Joomla 3.6.4 has just been released and it fixes two critical security vulnerabilities and a two-factor authentication bug.
This is a very important release and all Joomla 3.4.4 to 3.6.3 sites need to be quickly updated to this new release.
You can read the full Joomla 3.6.4 announcement for more details, but to make things super clear, here is a list of recommended actions depending on your installed version:
- All sites with Joomla 3.4.4 through Joomla 3.6.3 must update to Joomla 3.6.4 now. This is extremely important, as the vulnerabilities found let hackers create accounts on your website and then promote them to administrator (but not super-administrator).
- All sites with Joomla 3.x less than 3.4.4 should upgrade as soon as possible to Joomla 3.6.4. These sites are not affected by the two critical vulnerabilities, but there are many other known issues that have already been fixed.
- All Joomla 2.5.x sites should plan to upgrade to Joomla 3.6.4 (versions 1.0 to 2.5 are not affected by these two vulnerabilities, but they are affected by other known ones). If that is not possible soon, they should at least by now have updated to the unofficially security-maintained Joomla "2.5.999" version, which includes fixes only for high-level security issues (download zip button at top right), and follow that project on GitHub while planning an upgrade to the latest Joomla.
And, as always, make a full backup of your website before you attempt any upgrade.
Community Builder 2.0.15 and all our latest CB add-ons versions are running fine on Joomla 3.6.4 according to our tests.
Beat, member of both the CB Team and the Joomla Security Strike Team (JSST), insists on the urgency and the importance of this Joomla 3.6.4 upgrade: Stop doing what you are doing and Upgrade Now. If you can't, then take an off-site archive-backup of your site Now. Only the latest versions of Joomla and of all your extensions and add-ons, which are the only ones maintained, are considered safe at all times.
Keep your Joomlapolis membership active and your sites up to date at all times!
Some hosters who care about Joomla security have already implemented WAF ModSecurity rules to protect their customers. Joomlapolis Web Hosting Services have also done so, even before the 3.6.4 release!