Discussion about: Upgrade to Joomla! 1.0.3 Security Release now!

[stingrey]

Discussion area for the announcement that:

Upgrade to Joomla! 1.0.3 Security Release now!
http://www.joomla.org/content/view/338/52/

[guilliam]

wow!.. it was FAST! whew! thanks team!

[bluesaze]

Hi I just upgraded It worked fine  . 

The main Full installer has a extension of "tgz" shouldnt it be tar.gz (I havent Downloaded it or tried unzipping it since I used the 1.0.2  1.0.3 patch)

I see that you have started giving ZIP version too thats good since the Newbies wouldnt know what to do with the tar ball file

[shadoe]

I wish I could say that it worked. But as I've stated in another post in the "upgrade" forum...

includes/joomla.php version 1.0.2 and above gives me only a white page on frontend index...
when I replace joomla.php with version 1.0.1 it works..

something that has been done in 1.0.2 and above gives me headache...

Current config:

Fedora Core 3
PHP 4.3.11
MySQL 3.23.58

Please help... or tell me whats changed in joomla.php that gives me the ability to change it manually to see what is causing it.

Regards,

Mattias

[stingrey]

The main Full installer has a extension of "tgz" shouldnt it be tar.gz (I havent Downloaded it or tried unzipping it since I used the 1.0.2  1.0.3 patch)

http://en.wikipedia.org/wiki/Tar.gz
Same format slightly different extension name

[ibrown]

I've just updated my Joomla 1.0.2-based Website using the 1.0.3 Patch ...

and found that I now have no frontpage items! Before the upgrade, I had a News item displayed on the frontpage, but now all I have is the message "There are no items to display".

Why? What does the 1.0.3 patch contain that would interfere with my frontpage? Has anyone any suggestions?

Best,

Iain.

[shadoe]

ok... so through viewcvs I'm changing 1.0.1 manually to latest version och joomla.php

everything worked fine until I added this to it..

  switch ( $group ) {
                          case 'content':
                                  $query = "SELECT folder, element, published, params"
                                  . "\n FROM #__mambots"
                                  . "\n WHERE access <= $gid"
                                  . "\n AND folder = '$group'"
                                  . "\n ORDER BY ordering"
                                  ;
                                  break;
 
                          default:

Then the frontpage turned blank..

I also added the part a bit further down to see if it was relying on it (which it should be)..                       

break;
                  }

Made no difference

Every other change according to the CVS "diff" works like a charm. When I add the above changes my frontpage goes blank...

[cozimek]

Hi Rey, everyone else,

Let's say we have a good number of clients.  Now, not all our clients, who are on Mambo 4.5.2.3 really want to upgrade to Joomla.  They're just getting settled in with the admin interface, knowing where things are, etc.  So, since I read that this security fix hits all 4.5.x versions of Mambo as well, I'm wondering if there's a way I can simply patch the security issues, rather than have to upgrade them to Joomla 1.0.3.

Now, don't get me wrong.  I'm a huge Joomla supporter.  It's just with our large number of clients, most don't want to upgrade the UI of their administrator, and additionally we don't want to have force them to have a new UI just to be secure.

Is there any way that we can know where the security hardening code is, that affects Mambo 4.5.2?  When Joomla 1.1 or 1.2 comes out, we'll recommend upgrades to production servers, but for now, we're kinda in a holding pattern.

Any guidance would be appreciated.

Best,
Ryan

[stingrey]

Every other change according to the CVS "diff" works like a charm. When I add the above changes my frontpage goes blank...

Try slowly unpublishing each of your mambots and seein gif that corrects anything - you may have to unsintall 3rd party mambots.

This code line loads mambots to parse your content.


Do you have any 3pd mambots installed?

[nathandiehl]

Hi Rey, everyone else,

Let's say we have a good number of clients.  Now, not all our clients, who are on Mambo 4.5.2.3 really want to upgrade to Joomla.  They're just getting settled in with the admin interface, knowing where things are, etc.  So, since I read that this security fix hits all 4.5.x versions of Mambo as well, I'm wondering if there's a way I can simply patch the security issues, rather than have to upgrade them to Joomla 1.0.3.

Now, don't get me wrong.  I'm a huge Joomla supporter.  It's just with our large number of clients, most don't want to upgrade the UI of their administrator, and additionally we don't want to have force them to have a new UI just to be secure.

Is there any way that we can know where the security hardening code is, that affects Mambo 4.5.2?  When Joomla 1.1 or 1.2 comes out, we'll recommend upgrades to production servers, but for now, we're kinda in a holding pattern.

Any guidance would be appreciated.

Best,
Ryan

I think the best solution is to tell them why this is a security fix, and let them make the choice. If they want to remain vulnerable, let them.

[shadoe]

Bingo...

Some 3d-party mambot made a boo-boo...
Thanks Stingrey..

[cozimek]

I think the best solution is to tell them why this is a security fix, and let them make the choice. If they want to remain vulnerable, let them.

Wow, that's tough love.

Imagine if Microsoft, every time it put out a security patch (which seems to be weekly these days), changed pieces of the UI for Windows XP.  The world's users would go crazy.

I think it would be nice just to let developers know where the security issues are, so that we can be empowered to have the choice as to whether it really requires a full upgrade to Joomla 1.0.3.  That seems reasonable, doesn't it?

Maybe I missed it in the patch file, if so, just let me know.

-Ryan

[Peter Koch]

Is there any way that we can know where the security hardening code is, that affects Mambo 4.5.2?  When Joomla 1.1 or 1.2 comes out, we'll recommend upgrades to production servers, but for now, we're kinda in a holding pattern.

I think the best solution is to tell them why this is a security fix, and let them make the choice. If they want to remain vulnerable, let them.

Given that many important 3rd party add-ons such as mambelfish are not jet available for joomla I cannot support the idea of letting mambo 4.5.2.3 users stay standing in the rain. Allthough I can undestand that there is little motivation for the core team to continue support for something called mambo, many people supporting joomla are let down this way. Migration takes time, especially if you have many sites to support.

[FerretLife]

Bingo...

Some 3d-party mambot made a boo-boo...
Thanks Stingrey..

Hi shadoe,

Could you tell us which mambot caused the problem?

I had a similar problem with one of my sites when I went to 1.0.2. I freaked when my front page content disappeared, then I went into the admin side and saw that it had become unpublished. Weird.

[spacemonkey]

Given that many important 3rd party add-ons such as mambelfish are not jet available for joomla I cannot support the idea of letting mambo 4.5.2.3 users stay standing in the rain. Allthough I can undestand that there is little motivation for the core team to continue support for something called mambo, many people supporting joomla are let down this way. Migration takes time, especially if you have many sites to support.

But we cannot release patches for Mambo, this is the problem. There are risks (won't go into that in public) and also support issues. We can control Joomla!, and that is all that we can promise to support.

Again, we're doing what we can to ensure compatibility for as long as possible, but somewhere down the line that compatibility will end.

[nickpledge]

It is good to see this out the door.

But its a shame the bug in admin panel where the images are all disorganized when viewed in firefox was not fixed for this release.

[Tonie]

I feel bad for all people who now have to both support Mambo and Joomla. IMHO Mambo security is in the end a problem of the new Mambo developer team. They can do a file diff or ask the Joomla dev team nicely for the security issues in question and implement them for Mambo 4.5.2.4.

[ibrown]

I wrote:

I've just updated my Joomla 1.0.2-based Website using the 1.0.3 Patch ... and found that I now have no frontpage items! Before the upgrade, I had a News item displayed on the frontpage, but now all I have is the message "There are no items to display".

I've been poking around the forums and noticed people had a similar problem for 1.0.2. Checked that my frontpage items' sections and categories were all published, and now everything is okay: I have a frontpage again!

best,

Iain.

[nathandiehl]

Imagine if Microsoft, every time it put out a security patch (which seems to be weekly these days), changed pieces of the UI for Windows XP.  The world's users would go crazy.

Do you expect Unix developers to release security patches for Microsoft?

or perhaps the OpenOffice team to release security patches for Microsoft Office?

That is the equivilant of asking Joomla! developers to release security patches for Mambo. They are NOT the same CMS, and shouldn't be treated as that. Mambo needs to release their own security patches if they want to compete with Joomla!, not the Joomla! team working to support Joomla! and also the outdated Mambo!

[rhuk]

It is good to see this out the door.

But its a shame the bug in admin panel where the images are all disorganized when viewed in firefox was not fixed for this release.

Nick if you have a solution on how to fix this please let me know.  I have not been able to replicate this on any enviroment, but others say they have seen it too.  I'm sure it's a css-rendering issue with the browser, but perhaps there's a fix/hack?  I can't fix it if I can't replicate it.

[nickpledge]

really? it looks fine in firefox? Ok so the first login it looks fine, its once you surf around in the admin panel it starts going crackers.... I didnt mean to sound stuck up in my post....  i thought the team were working on it through...sorry.

I personally would have no idea on how to fix it... i will ask around then.

[cozimek]

Do you expect Unix developers to release security patches for Microsoft?
or perhaps the OpenOffice team to release security patches for Microsoft Office?
That is the equivilant of asking Joomla! developers to release security patches for Mambo. They are NOT the same CMS, and shouldn't be treated as that. Mambo needs to release their own security patches if they want to compete with Joomla!, not the Joomla! team working to support Joomla! and also the outdated Mambo!

Hi Nathandiel,

I think you may have missed my point.  I definitely don't expect OpenOffice to release security patches for MS Office.  What I'm alluding to is something more systemic than relevant to Mambo/Joomla.  In the past, this same core dev team (love 'em all!) has bundled in UI changes in the administrator side with security patches.  So, a minor x.x.x rev change includes new UI and rearrangement of items in the administrator.  This happened before the whole Joomla change.  All I'm asking is that when future security patches come out, that the actual code that is in security violation be posted alone, so that people can determine if they want to do an upgrade that includes all the fun UI changes in the administrator, or just the security issue itself.

Hope that made more sense.

Best,
Ryan

[cozimek]

I feel bad for all people who now have to both support Mambo and Joomla. IMHO Mambo security is in the end a problem of the new Mambo developer team. They can do a file diff or ask the Joomla dev team nicely for the security issues in question and implement them for Mambo 4.5.2.4.

Tonie,

I completely agree with your point.  Do you think you, or someone here in the community, could do a diff for the average users to say where the security changes are between 4.5.2.3 and this new release?  i know the core dev team here isn't required to do that, but it would be nice for someone who knows how to do it effectively to post up this change so that people that haven't migrated to Joomla (some people get scared with 1.0 anything) can still know where to patch this security issue.

Best,
Ryan

[stingrey]

In the past, this same core dev team (love 'em all!) has bundled in UI changes in the administrator side with security patches.  So, a minor x.x.x rev change includes new UI and rearrangement of items in the administrator.  This happened before the whole Joomla change. 

Yes we were very guilty of this.

However, I can now assure you that this will no longer be happening.
Once the start of a Major version is released e.g. 1.1.0, all other Stability/Security Releases 1.1.1, 1.1.2, etc will contain only bug/security fixes and will contain NO new features or changes to UI.

We will release to the communiity in due course the exact objectives and goals of the specific Teams/Working Groups (and roles & responsibilities of Team members) that make up the Joomla! project.  So people can better understand the structure and organization of the project.

All I'm asking is that when future security patches come out, that the actual code that is in security violation be posted alone, so that people can determine if they want to do an upgrade that includes all the fun UI changes in the administrator, or just the security issue itself.

We are somewhat wary of posting the exact nature of security vunerabilities and what action was taken to correct them.

[stingrey]

Do you think you, or someone here in the community, could do a diff for the average users to say where the security changes are between 4.5.2.3 and this new release? 

This is much harder done one might think, as all files were modified (to some extent or other) when we created 1.0.x, thus a pure diff would not necessarily work.

[cozimek]

In the past, this same core dev team (love 'em all!) has bundled in UI changes in the administrator side with security patches.  So, a minor x.x.x rev change includes new UI and rearrangement of items in the administrator.  This happened before the whole Joomla change. 

Yes we were very guilty of this.

However, I can now assure you that this will no longer be happening.
Once the start of a Major version is released e.g. 1.1.0, all other Stability/Security Releases 1.1.1, 1.1.2, etc will contain only bug/security fixes and will contain NO new features or changes to UI.

Rey,

Great to hear man.  Thank you for leading this cause, and I feel much more at ease knowing that this is something you're all looking after.  You continue to instill confidence.

Best,
Ryan

[aravot]

really? it looks fine in firefox? Ok so the first login it looks fine, its once you surf around in the admin panel it starts going crackers.... I didnt mean to sound stuck up in my post....  i thought the team were working on it through...sorry.

I personally would have no idea on how to fix it... i will ask around then.

I too have this issue using Firefox 1.0.7 and IE

[shadoe]

Could you tell us which mambot caused the problem?

Not really, this is mainly due to the fact that I found a bunch of old 3d party mambots (which where no longer used) so I uninstalled ALL my 3d party mambots and reinstalled the ones I used..

But I uninstalled the following 3d party mambots:

* Glossary mambots
* AkoCommentbot (reinstalled)
* AsciiEncodeEmail
* MosBookmarks mambots
* HTMLArea3 XTD
* mosce (reinstalled)
* MosMailProtector

Regards,

Mattias

[stingrey]

Great to hear man.  Thank you for leading this cause, and I feel much more at ease knowing that this is something you're all looking after.  You continue to instill confidence.

This is one aspect of Community feedback that came through very loudly - the need to separate Patching/Stability work from Development work.
Also the need to release Bug fixes regularly, thereby increasing the stability of a code base as quickly as possible.

This was the primary reason for the creation of the Stability Team and now its supporting/subsidiary unit - Quality & Assuarance Testing Working Group.



What you have seen with the release of 1.0.0 [Major Release] and then the subsequent 1.0.1, 1.0.2 and now 1.0.3 Stability/Security [Point] Releases will become the norm for Joomla! - thereby giving clear separation between bug fixing and further development of the code base. 



It was very clear that if Joomla! was to become a more professional project and more professional application that we had to institute more professional operations.
Hence the creation of separate Development and Stability Teams and the need to institute an industry accepted versioning system, the creation of a more formal QA Testing Unit and other attendent support Teams and infrastructure.

This will be slowly become more evident as more of the new organizational practices are finalized and implemented, and then introduced to the community - one of the other aspects from community feedback is increased operational transparency and the greater transparency of the Project processes.

[chay]

Rey,

Great to hear man.  Thank you for leading this cause, and I feel much more at ease knowing that this is something you're all looking after.  You continue to instill confidence.

I agree. Look at Rey's contributions to the Changelog, too. Fantastic! We've got a bunch of phenoms leading Joomla, and Rey is a phenom among phenoms.    Needless to say, I'm regularly impressed, and grateful.