Sandbox

In reference to: http://forum.joomla.org/index.php/topic,194232.0.html

Please discuss the announcement here.

Thank you!

EDIT MOD: a new thread has been created to list extensions with compatibility problems.
Please devs and users, post there and follow-up.
http://forum.joomla.org/index.php/topic,194406.0.html

Great News! Thanks Rob!

Thanks for the detailed infos.

I presume we have tested the luck factor of the number 13? 

Thanks to the core developers - and special thanks to the third party developers for getting the new, improved security systems in sync,
Amy

Thanks for the announcement. I was looking for this post all Saturday morning.

Thanks for the details. Tanks for your work.

Thanks guys.

I had been a little bemused when I saw the release there earlier, but as usual took a prudent approach to upgrading (that is, I always wait a while before upgrading important sites to see how things pan out   )

My only problem now is that the great stability of the 1.0.12 had slowly drawn me in to the dreaded core hacks ....

Now which sites did I hack and where ....

Whilst I am here. A bit of advice to all those Joomla Admins out there:
You have been advise to upgrade, but that does not mean that you suddenly need to go and play Russian Roulette with your site. The more important the site, the more care you should take.

Perform the upgrade on a test site first
For some you may need to carry out the upgrade on a clone of your site first
At the very least wait a few days before doing the upgrade on an important site and check out these forums to see what issues may pop up.

I will repeat - if your site is important to you - do not take needless risks with it. Test first.

Lets not have lots of unnecessary whining this time
Nobody can guarantee that an upgrade will be flawless across the huge variety of installations.

Thannks again to the core team.

Awesome work as always 

Two quick observations:

• This maintenance release will break VirtueMart login functionality - as Joomla! 1.0.8, 1.0.10 and 1.0.11 have done before.  There is a hotfix available at http://virtuemart.net/index.php?option=com_content&task=view&id=257&Itemid=57.  Since this update affects password stores and core login functions, CB and SMF bridge maybe affected as well.  Good idea to look before you leap! 
  
• Now that we're at 1.0.13 could someone from the Core Team go and update the info at cmsmatrix.org, which is STILL showing version 1.0.7???  I often use the site with clients to compare and contrast against things like EktronCMS400.net, but having an old version in there helps no one...  The last time the Joomla! entry was updated was well over a year ago, and we've come a ways since then. 
  
  [/list]

Thanks!

@kaizen
Community Builder is affected by this as well. A user has released a temporary patch though there is a disclaimer on it on the CB website that says the CB Team didn't release it, it might not work for all sites, etc.

http://www.joomlapolis.com/content/view/3610/1/

Thanks to all who put time into this.

Please let's be clear!!!

Do NOT upgrade if your system

• Utilizes any Bridge > check with the developer first!
• Has an own login system such as CB/VM/ > check with developers first!
• should face a possible rollback to 1.0.12 or earlier > does not work!

BACKUP FIRST BACKUP FIRST BACKUP FIRST BACKUP FIRST BACKUP FIRST BACKUP FIRST BACKUP FIRST BACKUP FIRST

To mods: Can we make a quick post where we list (just as we did with earlier releases in Adam's post/websmurf) the affected Bridges and extensions so users do NOT make a mistake? Besides CB/VM and most likely a lot of eLearning-stuff is for instance SMF-Bridge or Joomlahacks or direct forum login on Fireboard etc etc affected??? Do users have to find that out first while it is too late?

BACKUP FIRST BACKUP FIRST BACKUP FIRST BACKUP FIRST BACKUP FIRST BACKUP FIRST BACKUP FIRST BACKUP FIRST

Leo

Edit: Bridge Joomlahacks also does not function here

leolam wrote:
To mods: Can we make a quick post where we list (just as we did with earlier releases in Adam's post/websmurf) the affected Bridges and extensions so users do NOT make a mistake? Besides CB/VM and most likely a lot of eLearning-stuff is for instance SMF-Bridge or Joomlahacks or direct forum login on Fireboard etc etc affected??? Do users have to find that out first while it is too late?

IMO, the 3pd developers and or users have to do that themselves here.
Mods would only be able to centralize infos, not find out themselves what works and what not.
Moderation, as its name implies, does not include testing all available extensions for a specific version of J!
Thanks for your understanding.

igeoffi wrote:
@kaizen
Community Builder is affected by this as well. A user has released a temporary patch though there is a disclaimer on it on the CB website that says the CB Team didn't release it, it might not work for all sites, etc.

http://www.joomlapolis.com/content/view/3610/1/

The user in question is Sam, one of our Core developers.

infograf768 wrote:IMO, the 3pd developers and or users have to do that themselves here.
Mods would only be able to centralize infos, not find out themselves what works and what not.

Jean-Marie, where did i write down that the mods should test? of course not! you misunderstand this completely..... I meant a list as we made here which was extremely useful:

http://forum.joomla.org/index.php/topic,86525.0.html

Cheers
Leo

Done:
http://forum.joomla.org/index.php/topic,194406.0.html

There is very annoying issue with auto logouts in the backend if a component has a task called 'save' or 'apply'.

See http://forum.joomla.org/index.php/topic,193707.0.html

I think the problem arises because Joomla fails to reset the session cookie because the headers have already been sent do doGzzip()

Joomfish 1.7 is NOT compatible with 1.0.13 because of this problem

Geraint

Hi,
I am wondering if in general it would be better to wait for 1.5 to be released if currently in need of a CMS, but not urgently.
Will it be an easy upgrade from 1.0.13 to 1.5 when it is released?  If so, I might try 1.0.13 and upgrade later.

Am also wondering if extensions will be scarse for 1.5 until all the necessary extension developers get around to updating their extensions, or will the 1.0.13 ones be compatible with 1.5. 

Thanks,
Highway.

Ok, the .13 update kills all bridges and other login systems because of the new loginsystem. So far, so bad.

But, when the release does "Several low-risk security fixes" isn't it possible, that you post these fixes? People could patch their .12 Sites and they would still work.

Geraint wrote:There is very annoying issue with auto logouts in the backend if a component has a task called 'save' or 'apply'.

See http://forum.joomla.org/index.php/topic,193707.0.html

I think the problem arises because Joomla fails to reset the session cookie because the headers have already been sent do doGzzip()

Joomfish 1.7 is NOT compatible with 1.0.13 because of this problem

Geraint

This is driving me mad on all my Virtuemart installations

Hope somebody has a solution soon.

GoodisonBlue wrote:This is driving me mad on all my Virtuemart installations
Hope somebody has a solution soon.

Hotfix is published on  Virtuemart.net (!)

edit: only for login not for session issues

Unfortunatly that doesn't solve another problem in joomla.php as discussed in this thread

http://virtuemart.net/index.php?option= ... ic=30249.0

GoodisonBlue wrote:Unfortunatly that doesn't solve another problem in joomla.php as discussed in this thread
http://virtuemart.net/index.php?option= ... ic=30249.0

Thanks for pointing that out...... changed the message her.. follow this thread (http://forum.joomla.org/index.php/topic ... #msg918583)  and you see the issue is being pinned down....it sucks but hopefully we have a quick (if dirty i dont mind) solution.....

Well, looks like I won't be updating - rather starting to look for a new CMS to replace Joomla! Unless of course the Joomla team do something about the license restriction to prevent non-GPL code working in unison with Joomla! I will be sticking with SMF, so with a heavy heart it's got to be bye bye Joomla!

leolam wrote:

GoodisonBlue wrote:Unfortunatly that doesn't solve another problem in joomla.php as discussed in this thread
http://virtuemart.net/index.php?option= ... ic=30249.0

Thanks for pointing that out...... changed the message her.. follow this thread (http://forum.joomla.org/index.php/topic ... #msg918583)  and you see the issue is being pinned down....it sucks but hopefully we have a quick (if dirty i dont mind) solution.....

Cheers for link

It seems like this is going to be quite a big problem so hopefully a full fix will be along soon.

mpetrie wrote:Well, looks like I won't be updating - rather starting to look for a new CMS to replace Joomla! Unless of course the Joomla team do something about the license restriction to prevent non-GPL code working in unison with Joomla! I will be sticking with SMF, so with a heavy heart it's got to be bye bye Joomla!

This is utterly nonsense to bring this into the link with 1.1.13 release. Absolutely nonsense! That it is a bad thing I agree but you cannot point a finger without seeing the story from 2 sites... Decision was made by SMF and not by Joomla btw.......which is an observation without any value to any of the parties...

Please.  There are enough threads on this board dedicated to misinformation and misrepresentation (from *ALL* sides) on the 'GPL issue'...no need to dredge that up here.

But I will say that I wouldn't update to .13 even if a free car came with it.  I'm kind of disappointed that the maintenance team would release yet another version that breaks backwards compatibility...I hope we're not looking at a 'canary in a coalmine' here with all the staff changes and other goings on.  This used to be a tight community, where our biggest competition was with the "M*mbo" guys  .

Now we just seem to be more intersted in bickering with each other.  Let's leave that out of this thread, and let's work together on finding solutions - it's really what we're all best at.

kaizen wrote:But I will say that I wouldn't update to .13 even if a free car came with it.  I'm kind of disappointed that the maintenance team would release yet another version that breaks backwards compatibility...I hope we're not looking at a 'canary in a coalmine' here with all the staff changes and other goings on. 

Robert, I completely agree.......I have a truck loaded with new clients..........(CB broken/VM down the drain/no admin backend/new modules errors ) I love Joomla 

but i do agree....this is a big bad image loss, especially in current storming environment 

Cheers

Leo

toubkal wrote:Lets not have lots of unnecessary whining this time
Nobody can guarantee that an upgrade will be flawless across the huge variety of installations.

Toubkal - I don't know if you realize what a positive voice you are in our community. That made me laugh! I want to say thanks for your attitude and for believing in this community. You help me feel more hopeful and confident.

Also, I want to thank Beat for requesting salts be used with Joomla! password changes. I didn't realize something called rainbow tables can now be used to crack MD5 hashes. This cracking capability has emerged in the past six months. And, thanks to the efforts of the Joomla! developers knowing how to implement salts, our sites can, again, be safe.

For me, having access to people like Beat and the Joomla! developers who understand emerging technical issues and have the skill to protect us against problems is part of why open source works. Beat has been enormously helpful for a long time, most especially during our security problems last year.  I don't have these skills or this knowledge - but - look - I get full benefit. Sincere thanks.

So, now, making it work is up to us! We are going to see a number of applications that must be updated in order to use this security feature in Joomla! websites. Jean-Marie provided a thread for us to record these issues and work on solutions.

If we have to choose between "no problems, but vulnerable websites" and "challenges, but secured websites", it's a no-brainer, even for me! We can work through our challenges. And, there is nothing like success to help strengthen a community. Right now, we could use a bit of that, so let's make it happen.

Thanks to all,
Amy

JoomlAndi wrote:Ok, the .13 update kills all bridges and other login systems because of the new loginsystem. So far, so bad.

But, when the release does "Several low-risk security fixes" isn't it possible, that you post these fixes? People could patch their .12 Sites and they would still work.

I agree, could the low risk security fixes just be posted and we can update them manually? I looked at the changelog and there really wasnt much there. If not what is the easiest way to upgrade? Do you just upload/overwrite the old files with the patched zip?

davedirty wrote:

JoomlAndi wrote:Ok, the .13 update kills all bridges and other login systems because of the new loginsystem. So far, so bad.

But, when the release does "Several low-risk security fixes" isn't it possible, that you post these fixes? People could patch their .12 Sites and they would still work.

I agree, could the low risk security fixes just be posted and we can update them manually? I looked at the changelog and there really wasnt much there. If not what is the easiest way to upgrade? Do you just upload/overwrite the old files with the patched zip?

I'll second that emotion! 

I'd much rather have the bug fixes and low risk patches for now; this way we're not 'dangling in the breeze' with any Zero Day exploits whilst we wiat for the 3PDs to test compatibility fixes.