Hello, welcome to the Wednesday, October 26, 2016 edition of the Sands and Storms and StormCast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Jumla today released a critical update that fixes two vulnerabilities. The first one can be used to create accounts in Jumla, even if

account creation is disabled. The second one is similar in that it also allows you to

create accounts, but not just normal accounts, it allows you to create accounts with

elevated privileges. At this point, I haven't

seen a public exploit for this yet, but at least one post on Twitter where someone claimed

that they created an exploit shortly after the patch was released, of course, the information

about what they did wrong here is now

public and I would expect a public exploit within sort of the next 24 hours, maybe a little bit

faster. So if you do run June line, you haven't patched yet to version 364, then better stop listening to this podcast and get on with patching.

And the Let's Encrypt project has certainly changed the landscape when it comes to applying

for and installing S.S.L certificates, but with some of the convenience that you get with Let's

Encrypt, there are also some security issues that you probably should be aware of. Let's

Encrypt mitigates some of the problems around validating domains by only issuing certificates that are valid for 90 days.

So every 90 days or better before that, you have to ask for a new certificate.

Now in order to do that, your account has to be validated with Let's Encrypt to be the

actual authoritative owner of that particular

host name.

That is done via a number of different ways.

For example, you can drop a file on the site and then Let's Encrypt checks if that file is

present.

And that's all reasonably solid, at least as solid as most other

...