Released on: Friday, 19 July 2019 01:06
Missing language files in embedded restoration script made restoring sites impossible. While we were trying to make the 6.5.0 release and after we went through all our release pre-flight checklist the Internet went down at the office. The release lead had to switch to his laptop and go to a different location with working Internet to make the release, after running an abbreviated version of the release pre-flight checklist. The laptop was missing links to three language files which caused this issue. This is something we had not come across before. We are adding the full restoration process even to our abbreviated pre-flight checklist to prevent a future occurrence of this issue.
Security (Low Impact): An XSS issue in the Backup page was addressed. This issue affects Akeeba
5.3.0.b1 to 184.108.40.206 inclusive. An attacker could craft a malicious URL and trick a Super User, already logged into
be used to hack the site remotely and / or without the participation of an unwitting user with elevated privileges.
Moreover, it cannot be used to escalate the privileges of the logged in user or otherwise execute actions the
current user is not authorized to execute. Therefore we classify it as low impact.
We would like to thank Mario Korth for the report and the Joomla! Vulnerable Extensions List for forwarding the additional information Mario provided them, allowing us to successfully address this issue.
Mitigation: updating to the latest version, 6.5.0, is adequate to address this issue. If you are using an older version of Joomla! or PHP and cannot upgrade to the latest version of Akeeba Backup please be careful of links you click, especially if you are logged into your site, and use the latest version of Google Chrome which automatically protects you automatically against XSS attacks. Due to the low impact and the fact that a third party mitigation is already in place we do not plan to backport this security fix to earlier versions of our software.
Timing options in the integrated restoration to work around picky servers where the extraction always failed. This is the same seldo-used feature that's been in Kickstart for years.
Update to the Google Drive integration. Google has rolled out a new API for Google Drive which will become mandatory in June 2020. This version of Akeeba Backup switched to the new API, making sure that your Google Drive integration will continue working.
Upload to Amazon S3 now supports path-style bucket access for third party endpoints. Some third-party storage providers with S3-compatible APIs require path-style bucket access with V2 signatures instead of the really Amazon S3-compatible method of subdomain access with V2 signatures. This version of Akeeba Backup addresses this need and adds a new option in the S3 configuration to that effect. Using Amazon S3 proper is not affected; you are using V4 signatures with it anyway, making this change irrelevant to you.
Show row count for each table in Database Filters page. The Database Filters page is there to help you exclude pretty big tables with data you don't need to put inside your backup such as logs, file scanner caches, session information and so on. But how do you know a table is big if you don't see its row count or size? This version addresses this omission by displaying the row count of each tables next to it in the Database Filters page.
Bug fixes. We regularly fix smaller and bigger issues. Please consult the CHANGELOG below and the full change history available from the software's main page by clicking the CHANGELOG button.
We only officially support the latest stable branch of Joomla!. At the time of this writing it is Joomla! 3.9.
Our software should still run on Joomla! 3.8 or later, including 3.8 and 3.9. These versions are not actively supported by us or the Joomla! project anymore. We strongly advise you to run the latest available version of Joomla! for security reasons. Older versions of Joomla! have known major security issues which are being actively exploited to hack sites.
We only officially support using our software with PHP 5.6, 7.0, 7.1, 7.2 or 7.3. We strongly advise you to run the latest available version of PHP on a branch currently maintained by the PHP project for security and performance reasons. Older versions of PHP have known major security issues which are being actively exploited to hack sites and they have stopped receiving security updates, leaving you exposed to these issues. Moreover, they are slower, therefore consuming more server resources to perform the same tasks.
Kindly note that our policy is to officially support only the PHP versions which are not yet End Of Life per the official PHP project with a voluntarily extension of support for 6 to 9 months after they become End of Life. After that time we stop providing any support for these obsolete versions of PHP without any further notice.