On April 23, 2010, Joomla! 1.5.16 was released on the official site for download. However, two days later, a note was posted on the 1.5.16 official announcement to warn users about 2 serious bugs discovered in this latest release. An update is scheduled to be released on April 27 as Joomla! 1.5.17, which will patch up those 2 bugs.
If your servers are running PHP version older than 5.2 or have Session Handler set to None in Global Configuration, they will be affect by those bugs. Please refrain from upgrading until Joomla! 1.5.17 is released.
It has been 6 months since the release of Joomla! 1.5.15. On April 23, 2010, Joomla! 1.5.16 was announced to patch up 48 various issues in the previous version. It includes 2 moderate and 2 low priority security issues.
- Moderate Priority - Core - Negative Values for Limit and Offset: If a user entered a URL with a negative query limit or offset, a PHP notice would display revealing information about the system.
- Moderate Priority - Core - Sessation Fixation: Session id doesn't get modified when user logs in. A remote site may be able to forward a visitor to the Joomla! site and reuse the cookie to authenticate as that user.
- Low Priority - Core - Installer Migration Script: The migration script in the Joomla! installer does not check the file type being uploaded. If the installation application is present, an attacker could use it to upload malicious files to a server.
- Low Priority - Core - Password Reset Tokens: When a user requests a password reset, the reset tokens were stored in plain text in the database. It allows user accounts to be compromised if there is an extension on the site with an SQL injection vulnerability.
You can find the complete list of issues fixed at the official announcement page.