
Joomla Developer Blog

Joomla Developer Blog relayed by https://www.jlinker.com

Source: https://www.joomla.org

  1. JSST GPG Keys

    Members of the Joomla! Security Strike Team (JSST) have published GPG keys to receive signed and encrypted mail.

    Member Contacts and Keys

    JSST Main Email

    The security@joomla.org address is the primary email for the JSST.

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG/MacGPG2 v2.0.30
    
    mQINBFgYs8oBEAC03efhg04EWNCNwQn6KWpnJnofSu5N93b/ffLOYCkYoLDmPqOD
    p70YR0TFyhpeSF8Fn6JI5HRzZjj85UAwYY8V8UrZvYew4PAyhEcKT7bOSGaF6K1g
    iposAeE98ipSSemK/D+1q5rCd2UkpQGYmvLWE76oRQHD40tXEjQoFKC8vDIIHBC+
    SGtOR1QX6qRlPTbUh6VFYbrunMIrcEmrC6h8oLOtbfBb0p54egZxYKDRT9Afofjz
    +JE4l0vi46xB4utysSSn5RNY4X+1PGwrJhaKxiG2fwsnKrSu4c5xwr8P+5LJCSf8
    UlrSVBmDVka8lJLFpsDKpZUC/y7vuAflpDkbDTw6IrtnEm3Li7rB2nanZYyeQjQz
    syb4PLmJ3474E5oi1WhLhOzoUxnXmUK1Sx4V/ublwXL9xDd2IAgy0kvQsdYTISQ5
    uitmrHXwxFFAjKBiG3w0qwxLV5NsTdjFWHSAfauT0dgR9XusgXXSMoFgfE91LlWj
    qJuONOkjAEVLr64k/8LIRd0lzE61AALV4F56V3dyoF0aF1cPuQz7Wgvza0EzdhDm
    dForSoitCRJdQ+F6kfY7QyuArUZza3vJe/1lZdWibh52P2Ah4PWtUjocLd8Pyv89
    eZbhCr/luqcWPZjF0opbRnPBpA5bW/VrsMuaQlpKHea3ZhzB8sprddExkwARAQAB
    tDFKb29tbGEgU2VjdXJpdHkgU3RyaWtlIFRlYW0gPHNlY3VyaXR5QGpvb21sYS5v
    cmc+iQI0BBMBCgAeBQJYGLPKAhsDAwsJBwMVCggCHgECF4ADFgIBAhkBAAoJEGQk
    6dfyJXw6RZkQAKETYBeewgOzvK8i2AGboiKHNYstG2HF7y9sb1HOxUW8ulOLJaRo
    fSfOjc1fPXpSjx6yg+h6QTKzuPfXTB8sUzCqaiFJWu/OtPeoIMnBvGtn5r1ikvAk
    AWnLl3LZcvQ+JBIFuW8nAenAliBYJiEzqQSt0BoVVAq+PvJVZnO7hniyL6Gv2S8V
    mhOcTuMA4x8qIPLHnsle1JQ3ySnrXhEflgF6Hxq16JyzK4NTWBwkUB934FcgjSgD
    juitV88PIJglKRq8l0i+l5D1dOcIea9caXpyqk3TpHVhl41aTNgBShYKMI3E0sqJ
    /aMgch6/ZEljwdEcU7q8r3pIN2hXsCKzJ54ThrAviS0Q71Pi4JnXS7BZLapyxX1e
    T78/TTrs5wQ3Q6j0YSyqcZCEooTgVkFYa7x+QCZClK92I+hXofcA3nB+OX8SG/7j
    VD4a1woYPFbbltmohu7jA/2NS1IgOn8pvMK+2ONp0M1DiVLDfloDICccqD3l9jmJ
    fzl4t3vV0QwdVlrG5exjaata+mnidCQhpBjxU4QgTg3KoV4OGylXzJYY2gOIjOqC
    1/GnwZjVUEVkA1vbU6GtR+eMeJLLc3KFhPq+4jGmlb5iyWRh7eLFfS0slGamYKme
    0xIPlgGOu1YtODEwZJtF7e+74duLtkTdbdVr5a36vMFBfEw7GrMDHcXxiEYEExEC
    AAYFAlgYtAMACgkQqMeBFexeHdLqvACeLkei1HDFDDy44usqQ8F00jS3NNkAoICN
    RxMI0TVvoJ20kaUL3y1ED+ZEuQENBFgYs8oBCADfPnes0cExSsqTLrtK6Oc1kJ4K
    MMXIVpzL9DNGE9MroCQ4RCvNDtmRa0dVIljJmpg04CTU5GPRYDN36KoXl2Pe7GsM
    1gSJBg2vFHZ/PTxEpnHuaJGINIwoEGzpjByS+tACMccV1lz7kbG1Vt2jlP3DHvKy
    GmTjN6Ymyb4RIk0lpK73XN8hUGOX+64GmGCBp1SQOsr5KPOtoLESiBLygOWxr2q5
    VKRT61R4pfqKg4cACtq3MWmYZoKERmqcm776cFlI6t3wjPmWvPxld0e8RJOGyuDp
    KL9VYsVXs1s+xfqB35asa4htwTR7QfjVg1JQNB4Ydd5/piz3RSXfEBh7k/7vABEB
    AAGJA0QEGAEKAA8FAlgYs8oFCQ8JnAACGwwBKQkQZCTp1/IlfDrAXSAEGQEKAAYF
    AlgYs8oACgkQEIJrw9qQK1Y69QgAjjicNOxOD/2FsDFJeIb+lTX0rSTyPjPFRXlk
    TnIVZ7SKZIbHdQ5U5xWMz1rgXRadihuWvPCSTQpOySxSN0c0FiMbvs+1LPNij2Lt
    p9yHNpYwVmpQMFWL8mIwThYb0LqO+X2Nc5klLAeguSCO93/4h8hwazBqThan6yip
    cGrwNOlgrFZvNHXJXLyjanE1orfsJpAdg7RK9x5z6ORvSqkRhurMtjWI5X/jOnsx
    h7Sl3tftb6VxdbovTfl2VepBkZTAPVMGw2GYRQpcFQq+FArrU3SO0T+vju93AjOy
    qxoRBv7OUq63sk6NPVi1xX4gJOdYJ8hFxNIVDB7kPHIHhTc4Y8JDEACAEk4JA8hL
    gpKewJUV/mDdDPtXYNRoFqiEumfpFreZUZbIUUaT/oYriKhUwZ3c/w3A7/aifizz
    02R+w+z0G5nqbQpn2QdrGM8uOlxREl/Mmcp1gBKGZkdkfJEERmQ3xJlSLgK8l512
    mhzkMobXeHCNQpQNf6fVfQSAr1DxUDFuDEw4Dbv8Ne2NqA2iIUMY1g5Sj4wKly9D
    jS5GXD77KGul5kUzpGBApiDlNyPumpLZcPKRE4F58d2bcxPL75vj09BPywf4kC+n
    DGdhwsgpI526+yBWoItw7cUsotOKLd1eqsHgkGW9jc5LeX0NkJpA67G92xICpBrQ
    VKbW3AAsGYWljfbAhGVbSTTIqZEM1C8I4lxqYM8JKE89uZgV36yJtgylbv50txQ/
    n8FfZbLoBDkGImnzAi+HcD/8S44NandQBEEK26gHKWC93Kb1snSkO9citVix6Lr9
    IAtjLhOyXPN1Lo/WSSqf5+Za82X9teJpzK3nhZqAd/KIC5IpBZ0MUn5WPKEvHv4b
    +pXN+CxqSsGXOxINnF1yo56GmO69DOBIInxUM9es15hF/Jg2mmFKgNgGQfNURgyY
    sezRtoQx6RfnETAk5vjaRHrW2kOfSs8/V4u+ruqNkFBZS8aMcmu9YO1EpfFjLWtb
    hG5zKg1X5mIwP9ux1Pd2tm6VW9o2Lj0rKbkBDQRYGLPKAQgAwyKpsTnCIrTwd/D4
    VT5RISQN71hggTlpxSOW9YIZONCA7nbRVzVgRw1M0K+dxXRyTtPwNHw3tzgkac4q
    omac91QI4WdFvFAvPu13pa6rtrC3Xj4F3MNw0DGnfsM8FjdlPz400QPHG0DpJmht
    DdaM2LINKJTzPJ0rK+ENNbZOKLTdQP0+ZjQHWPEwIj8y3PvPBxNICWs5Rfqht6lc
    jBj2efs2NU2/62eCq0C+c4ChTO6rz4Qv2S33Y2Lw3+k/ny01l/79FWh1C1EThelP
    6b766z23g9w7CsP8Dx/rDZUoa9MPqqSvF0CUbiIHaTZaV0fbdi+TqT/HJc7HlpkH
    j3XlKwARAQABiQNEBBgBCgAPBQJYGLPKBQkPCZwAAhsiASkJEGQk6dfyJXw6wF0g
    BBkBCgAGBQJYGLPKAAoJEJFSYmi855n00E4H/2PM2rN9AYhjG6Aw+O7N/oI7C84S
    IpFf6b7Pj5t/rz0RNpkW7zH9AFgLLxyJDK5S6BP5vRje7gHtcxl9j0iGmsRex/kM
    RqV0wTLrIjeps2Fxx0uDlWqsMUR71V32LtMiEjXtmV5JV1LL3uVZ5c2tLtuWURH6
    CapjtdjCyOvsQJxxFnLv62JtPEG93UH7/Cjji12TOaLc6+ZFkH/WnimUK5hOOpIj
    vr57HsDbkfk2zCn8A37mweewsjWaQFTDyEK4aIuuLaQI+V/UMw1xg/u5tKPRZI/B
    ltuH5YVMULpcy1Xrk/RmCotb8S5lDm5uFwMD/SYcee0iquaes7UvKFkx+Hz+PA//
    Rm0pb4oXQAQxaEgvA91NGYPYJpdxgbexXFSkr5zfgMMLHcI+b0w4LFtQwxBzc7Qg
    Nh5xfflkDIsEgqGAloVInz0U/w/mxOi4HM+f+vJkFlISGdK56Q+KXNNgDquD9aCA
    yon6PXrTFeZukRHlPrd2PIQkKbFvlL5HL3uKRZASnHyPyk5Vus1wqK6vfRv9yLgQ
    AtboQ3wl5TyUAq7CRJPo6Yrw6PCr5EEwK4nhRv6LLCqJw7EVM2OswhIE4pxmdRq+
    RkHBaOBcG/wf43x4rVGHrnhkV1MEGliPPIAC0Dd+YTnFLT2cytpRpP+vw9YNKXAe
    bqDxtxpCLggkHAy8mMzafFuLw8d3cbD44Fyc1x6Xh75/SoA0rXTiauFTpZ3qF4vU
    4oqZ0bVqqQXEKasWPmlMhXQ6g8YseY8dbZTH8lPtj79EmFhshuSpwLjMQG0Dssyt
    q7uVFVOofEjf3RRymtcrY/BmKVtFvC6uVq2D5cvT3n+xxs8hIuCZfknUGMFPYqa9
    /czqUoMrf/2KYEkLihqoTiuCq0DhXWBeWpf7AMHEVz4TFUdCuSRoHe/+nSXnQ5HG
    Kc+swCZfCC8oOjjATDmFFpWacsb1NauTAbWbqu3ldQN8WbYJRiylMhw2sPkGdd2Q
    PGM4L/S4xIRGqBruL1ERKb2FPQVIxgukGZyJ0xBS7Ic=
    =8rKZ
    -----END PGP PUBLIC KEY BLOCK-----

    Michael Babker

    Michael is a member of the JSST and Joomla's Production Department Coordinator (which includes oversight of the JSST); he can be reached at michael.babker@joomla.org.

    -----BEGIN PGP PUBLIC KEY BLOCK-----
    mQENBFQi2ScBCACUg5T1pFiuy+SSzo8gIa9QlhLEigFN3FTAsBvqcIvVR/27DuYJ
    KUwK+ZGcz08jUvAHxhKl8iHT3OubN0qL7P23beRHajR5Rpm3CO/UYAa2xK+C+SjS
    Paa/Xq449i7e9QMT2KfgCPsTEBEeBWM2B8kJDiTu3ktTcX6CJD/DX06k6UC92hqK
    97qknC7XOazVN/7vl+W+4Ydqc/14pzzJE5T5WAgVWFRVT50qrA9LwP5EncOscHk2
    pZKY7+nkEHwqyhUpKgeHBGGpdK/bVnLoZQpvgxu7/5ADo518KED99dRmtQg1fuI8
    hfzYYW4kN/PEYUWjIJM39gL2x/QSNMrhQcMBABEBAAG0NE1pY2hhZWwgQmFia2Vy
    IChKb29tbGEhKSA8bWljaGFlbC5iYWJrZXJAam9vbWxhLm9yZz6JATwEEwEKACcF
    AlQi2ScCGwMFCQeGH4AFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQtQeJvLOo
    U3gg8Af3WXDSJegJEVYArnBEynVDniCvgpH3HtTGesX3Sgwv4VfFm1KIO6tDCqn/
    ZmDa1NPKJFJGIvoXlta7BSZUf8xz4cZhzPxNgAPCL0jaYV1n0z7IQfxD8B7avTaO
    M82w8fBSbvGqlwLk6qm6VQpPRUtm/e1hahHt04l2LI8D+j3DhZOl7hpzPhKg3Xqy
    4AFMvUFi+i1645qn1EvcsSqr4cD7OCfHeMO6jdC7yZwYFzFgNaHiuX0LZ99ZwEY2
    A7yrpIgeUhUj+ejGNzuU3P5jfvxwKvnXyXzqM/FNEkXceEKREa2tB0Q3IJ6iN2IR
    7/Hh+UyHL49txO3qcq8oyIuNe2U2uQENBFQi2ScBCADBeI/LnC0FqeMIX2xGH4ET
    g0oyxcNMAPycCEaAie6Msw1Ngf+aSOcbvg+1Si3PiLIRX+9nSw4w5Lwvs2z/vEGA
    9G6f2fMRsA0NoqBnou+1QHvdxP0TMfpoViBM3zFaUSioXTJ+KAcpNxqryt1uRIle
    UMFTvYSm3tAW0LEps16tF8yf4rJ5oU7CDvxp5oKiO5zg5rn16A8aAjWmSGMM+xoA
    w2CePb+paaLttlB2izHcdt89tAqvl+67c5eZ7qrv8mGDzw5FeZ9iIdCj3HeHeoKG
    S4P2uzH3RSskHPyvf8fylc/c0QTboHDlGq/a8rpvjObeufhNia0u+alIcDFSO8tT
    ABEBAAGJASUEGAEKAA8FAlQi2ScCGwwFCQeGH4AACgkQtQeJvLOoU3gJ6Af/Yqho
    in3bUs2LQj4Vg+pNEdcQ2aN6XWJXcSzNDE9txw6KZ3ZHitqG9uHhfO+OSAdNSywe
    XQ1ipn0FV0rhXKgCFF+hSbNqCI5jkUD6n51D5ZHVbCVLf/DQ1995lDyiQGKKc8gM
    eSNXR+w3EjipaGelb3WDuKzn8VOFEUHJOpAVXbN1iDJkug5eEWkhVKw+Gaz8ZKuT
    oEik1ca6VV6+7zg8R15F8PbPXIrp7LmNXsu7lIXNXjor3lpvjJEQ0K6trpeHrAz5
    uRNvB7h38CwOSp6a5q+RlBln0gUkMpfyonaFKtuqMn/47AxKGOKYXBb+nS+BJ9Sp
    GajUSZompRNGQswu5g==
    =CliS
    -----END PGP PUBLIC KEY BLOCK-----
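
    Before encrypting a report to one of these keys, a reporter should check that the block arrived intact and that its fingerprint agrees with a second source (a signed mail from the team, a keyserver lookup, or a fingerprint quoted elsewhere). The script below is an added example, not code from the Joomla project: it takes Michael Babker's key block exactly as published above, verifies the ASCII-armor CRC-24 (RFC 4880 section 6.1), parses the leading Public-Key packet, and computes the v4 fingerprint and key ID. The helpers are written for this example and only handle old-format packet headers, which is what this block uses; no fingerprint value is assumed, the code derives it from the published bytes.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

# Michael Babker's public key block, copied verbatim from the page above.
BABKER_KEY_BLOCK = """-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFQi2ScBCACUg5T1pFiuy+SSzo8gIa9QlhLEigFN3FTAsBvqcIvVR/27DuYJ
KUwK+ZGcz08jUvAHxhKl8iHT3OubN0qL7P23beRHajR5Rpm3CO/UYAa2xK+C+SjS
Paa/Xq449i7e9QMT2KfgCPsTEBEeBWM2B8kJDiTu3ktTcX6CJD/DX06k6UC92hqK
97qknC7XOazVN/7vl+W+4Ydqc/14pzzJE5T5WAgVWFRVT50qrA9LwP5EncOscHk2
pZKY7+nkEHwqyhUpKgeHBGGpdK/bVnLoZQpvgxu7/5ADo518KED99dRmtQg1fuI8
hfzYYW4kN/PEYUWjIJM39gL2x/QSNMrhQcMBABEBAAG0NE1pY2hhZWwgQmFia2Vy
IChKb29tbGEhKSA8bWljaGFlbC5iYWJrZXJAam9vbWxhLm9yZz6JATwEEwEKACcF
AlQi2ScCGwMFCQeGH4AFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQtQeJvLOo
U3gg8Af3WXDSJegJEVYArnBEynVDniCvgpH3HtTGesX3Sgwv4VfFm1KIO6tDCqn/
ZmDa1NPKJFJGIvoXlta7BSZUf8xz4cZhzPxNgAPCL0jaYV1n0z7IQfxD8B7avTaO
M82w8fBSbvGqlwLk6qm6VQpPRUtm/e1hahHt04l2LI8D+j3DhZOl7hpzPhKg3Xqy
4AFMvUFi+i1645qn1EvcsSqr4cD7OCfHeMO6jdC7yZwYFzFgNaHiuX0LZ99ZwEY2
A7yrpIgeUhUj+ejGNzuU3P5jfvxwKvnXyXzqM/FNEkXceEKREa2tB0Q3IJ6iN2IR
7/Hh+UyHL49txO3qcq8oyIuNe2U2uQENBFQi2ScBCADBeI/LnC0FqeMIX2xGH4ET
g0oyxcNMAPycCEaAie6Msw1Ngf+aSOcbvg+1Si3PiLIRX+9nSw4w5Lwvs2z/vEGA
9G6f2fMRsA0NoqBnou+1QHvdxP0TMfpoViBM3zFaUSioXTJ+KAcpNxqryt1uRIle
UMFTvYSm3tAW0LEps16tF8yf4rJ5oU7CDvxp5oKiO5zg5rn16A8aAjWmSGMM+xoA
w2CePb+paaLttlB2izHcdt89tAqvl+67c5eZ7qrv8mGDzw5FeZ9iIdCj3HeHeoKG
S4P2uzH3RSskHPyvf8fylc/c0QTboHDlGq/a8rpvjObeufhNia0u+alIcDFSO8tT
ABEBAAGJASUEGAEKAA8FAlQi2ScCGwwFCQeGH4AACgkQtQeJvLOoU3gJ6Af/Yqho
in3bUs2LQj4Vg+pNEdcQ2aN6XWJXcSzNDE9txw6KZ3ZHitqG9uHhfO+OSAdNSywe
XQ1ipn0FV0rhXKgCFF+hSbNqCI5jkUD6n51D5ZHVbCVLf/DQ1995lDyiQGKKc8gM
eSNXR+w3EjipaGelb3WDuKzn8VOFEUHJOpAVXbN1iDJkug5eEWkhVKw+Gaz8ZKuT
oEik1ca6VV6+7zg8R15F8PbPXIrp7LmNXsu7lIXNXjor3lpvjJEQ0K6trpeHrAz5
uRNvB7h38CwOSp6a5q+RlBln0gUkMpfyonaFKtuqMn/47AxKGOKYXBb+nS+BJ9Sp
GajUSZompRNGQswu5g==
=CliS
-----END PGP PUBLIC KEY BLOCK-----"""

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
PK_ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def crc24(data):
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(block):
    """Return (binary packet data, crc_ok) for an armored key block."""
    lines = [ln.strip() for ln in block.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored PGP block")
    body = lines[1:-1]
    while body and (": " in body[0] or body[0] == ""):  # 'Version: ...' headers, blank line
        body.pop(0)
    payload = base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))
    crc_line = next((ln for ln in body if ln.startswith("=")), None)  # '=XXXX' trailer
    crc_ok = False
    if crc_line:
        crc_ok = int.from_bytes(base64.b64decode(crc_line[1:]), "big") == crc24(payload)
    return payload, crc_ok


def parse_primary_key(payload):
    """Parse the leading Public-Key packet (tag 6, old-format header) and derive
    the v4 fingerprint: SHA-1 over 0x99, the two-byte body length and the body."""
    ctb = payload[0]
    if not ctb & 0x80 or ctb & 0x40:
        raise ValueError("expected an old-format packet header")
    tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, not a public key")
    if length_type == 3:
        raise ValueError("indeterminate length is not allowed for key packets")
    hdr = (2, 3, 5)[length_type]  # header size for 1-, 2- and 4-byte lengths
    body_len = int.from_bytes(payload[1:hdr], "big")
    body = payload[hdr:hdr + body_len]
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    created = struct.unpack(">I", body[1:5])[0]
    algo = body[5]
    bits = struct.unpack(">H", body[6:8])[0]  # bit length of the first MPI (n for RSA)
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", body_len) + body).hexdigest().upper()
    return {
        "version": 4,
        "created": datetime.fromtimestamp(created, tz=timezone.utc).strftime("%Y-%m-%d"),
        "created_ts": created,
        "algorithm": PK_ALGOS.get(algo, f"unknown({algo})"),
        "bits": bits,
        "fingerprint": fpr,
        "key_id": fpr[-16:],  # low 64 bits of the fingerprint
    }


def inspect_key_block(block):
    """Armor integrity check plus a primary-key summary for a published block."""
    payload, crc_ok = dearmor(block)
    info = parse_primary_key(payload)
    info.update(armor_crc_ok=crc_ok, packet_bytes=len(payload))
    return info


if __name__ == "__main__":
    for name, value in inspect_key_block(BABKER_KEY_BLOCK).items():
        print(f"{name:>14}: {value}")
```

    Running the script prints the same fingerprint that `gpg --show-keys --with-fingerprint` reports for the block. The CRC only detects transport corruption (a mangled paste or a truncated mail); it says nothing about who controls the key, so the fingerprint comparison against a second source is the check that establishes trust before a report is encrypted.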
  2. Joomla! Security Strike Team

    The Joomla! Project takes security vulnerabilities very seriously. As such, the Joomla! Security Strike Team (JSST) oversees the project's security issues and follows some specific procedures when dealing with these issues.

    About the JSST


    In wildland firefighting, the term "Strike Team" describes a collection of similar resources used for a specific purpose (https://en.wikipedia.org/wiki/Strike_Team). The JSST is called a strike team because it is a collection of developers and security experts tasked with improving and managing security for Joomla. The JSST roster can be found on the Joomla! Volunteers Portal.

    If you want to join the team, send an email to security@joomla.org and ask for more details. Due to the sensitive nature of security work, the team's membership is restricted, but we welcome anyone who is qualified to contact us about membership.

    Reporting Procedures

    If you find a possible vulnerability, please report it to the JSST first. You can contact the team via email at security@joomla.org or using the contact form on this site.

    Team Scope

    The JSST operates with a limited scope: it responds directly only to issues with the core Joomla! CMS and Framework, and it processes reports regarding the *.joomla.org network of websites. We do not directly handle potential vulnerabilities in Joomla! extensions or in websites built by our users; however, there are resources available for both. The Vulnerable Extensions List contains reports of security vulnerabilities in extensions, and users may seek assistance with security issues on their own websites from the Joomla! Forum.

    Requested Information

    To be able to fully respond to a potential security issue, the JSST asks that issue reports include as much of the following data as possible:

    • The Joomla! software (CMS or Framework) or website (*.joomla.org) affected by the vulnerability (for the software, please include the version(s) tested)
    • Steps to reproduce the problem
      • For the CMS or Framework, this should be what is required from a new install of the affected package
      • For the *.joomla.org websites, this should be the steps taken to trigger the vulnerability
    • If sharing a vulnerability reported elsewhere, please include the source of this report
    • A patch may be proposed which will be reviewed by the JSST

    Response Handling

    The JSST aims to ensure that all issues are handled in a timely manner and that communication between the team and issue reporters is clear. As such, we have established the following guidelines for responding to issue reports:

    1. Within 24 hours every report gets acknowledged
    2. Within 7 days every report gets a further response stating either
      1. the issue is closed (and why)
      2. the issue is still under investigation; if needed, additional information will be requested
    3. Within 21 days every report must be resolved unless there are exceptional circumstances requiring additional time

    Signed & Encrypted Mail

    We maintain a list of GPG keys and addresses for the security@joomla.org address and members of the JSST to allow signed and encrypted communications.

    Goals

    1. Investigate and respond to reported vulnerabilities in the Joomla! CMS, Framework, and joomla.org websites.
    2. Execute code reviews prior to release to identify new vulnerabilities.
    3. Provide public presence regarding security issues.
    4. Help the community understand Joomla! security.

    Security Announcement Policy

    • Verified vulnerabilities will only be publicly announced AFTER a release is issued which fixes the vulnerability.
    • All announcements will contain as much information as possible, but will NOT contain step-by-step instructions for the vulnerability.

    Public Responses Policy

    Articles are written about Joomla! all the time. In many circumstances, these articles (even from reputable sources) contain a significant amount of misinformation.

    • The JSST in conjunction with the Marketing Team will assess and address articles written about security issues
      • If the article contains valid information about a vulnerability not yet fixed, we will ask the publisher to suspend the article until we can fix the issue
      • If the article contains invalid information, we will note what is invalid, and ask the publisher to either fix or remove the article
    • The JSST will be available to answer questions/validate any Joomla! security related articles on the publisher's request

    Security Release Policy

    • Critical and high-level vulnerabilities trigger an immediate release cycle
      • The Joomla! project may release an advisory indicating the scheduled release window to allow site owners to prepare for the release
    • Moderate vulnerabilities may trigger a release cycle depending on the specific issue
    • Low and very low vulnerabilities (and moderates which do not trigger a release cycle) will be included with the next scheduled maintenance release
    • All security releases will be accompanied by one (or more) appropriate security announcements

    Issue Credit

    The Joomla! project will properly credit individuals and/or organizations who responsibly disclose security issues to the JSST. You can indicate how you would like to be referred to in the advisory about the vulnerability. Our preference is to use full names. If you do not specify, we will use the contact name associated with the email address the report was received from. You can also request a pseudonym or ask that your name be withheld.

    Vulnerability Threat Levels

    In accordance with the security policy from the Joomla! project's development strategy, there are two main details that contribute to a vulnerability's priority or "threat level":

    Impact

    Critical: "0-day" attacks, and attacks where site control is compromised (allows the attacker to take control of the site).
    High: SQL injection attacks, remote file include attacks, and other attack vectors where site data is compromised.
    Moderate: XSS attacks, write ACL violations (editing or creating content where not allowed).
    Low: Read ACL violations (reading content where not allowed).

    Severity

    Critical: VERY easy to perform. Relies on no outside information (TRUE 0-day attack). Release fix: as soon as possible.
    High: Moderately easy to perform. May rely on readily available outside information. Release fix: per oCERT guidelines.
    Moderate: Not easy to perform. May rely on sensitive information. Release fix: per oCERT guidelines.
    Low: Difficult to perform. Relies on sensitive information or requires special circumstances to perform. Release fix: per oCERT guidelines.

    NOTE: The descriptions are just generic guidelines. Each vulnerability will be assessed for damage potential and will be ranked accordingly.

    Supported Versions

    All currently developed and supported versions of the Joomla! CMS and Framework will be actively monitored by the JSST.

    Currently active versions include:

    • Joomla! CMS - 3.x
    • Joomla! Framework - 1.x
  3. Nightly Builds

    Help test the latest Joomla! code.

    Warning! These builds are intended for testing purposes only and should never be used on production websites.

    The nightly builds are snapshots of the development activity for upcoming Joomla! releases and include new features and bug fixes scheduled for these releases. These releases are made available to make it easier for users to test their websites and extensions for potential issues with an upcoming release or to test new features and provide feedback on ways to improve them before being released to the Joomla! community.

    As these builds are snapshots of the latest code, you are more likely to encounter an issue than with the stable releases. If you have encountered an issue, please check our issue tracker to see if it has already been reported; if it has not, please report it so our community members can review the issue and make any needed fixes.
