Today, October 25th, 2016, Joomla 3.6.4 has been released. It contains two high priority security updates. If you own or administrate a Joomla site, it’s highly recommended that you update your site to this version immediately. In collaboration with the Joomla Security Stike Team (JSST), our team has implemented and tested platform-wide protection from this vulnerability.
In the hours following the release, the CloudAccess.net Abuse Team has not seen any active widespread attacks, although we do expect to see automated bots actively scanning for out-of-date sites on unprotected hosts.
Is my Joomla site Affected?
This latest version of Joomla fixes a vunerability that was presented in Joomla 3.4.4. If your site is below that version it is still recommended to update to Joomla 3.6.4.
Are there any known update issues?
At this point, we have tested the update without any issues. Joomla.org keeps a running FAQ for update issues which can be found here.
How was this vunerabiltiy found?
This issue has been responsibly reported to the Joomla community and to our knowledge has not been seen in the wild.
We'd like to point out that this security release is a great example of competence and strength on the part of Joomla and it's community. We continue to stand 100% behind the security of Joomla and would like to thank the Joomla Securtiy Strike Team (JSST) for their efforts.