Today the Joomla! team announced the availability of Joomla! 1.5 RC1. In a small paragraph at the end of this article you can read that Joomla! 1.0.13 has, surprisingly, been released as well. Joomla! 1.0.13 is an "incremental bug fixing and security update for Joomla! 1.0 series software".

This maintenance release will again break VirtueMart login functionality, as Joomla! 1.0.8, 1.0.10 and 1.0.11 have done before. It's sad to see that the maintenance team has again introduced feature changes that break backward compatibility:

  • J! 1.0.13 uses a different method to encrypt passwords than the Joomla! versions before it
  • the core login function parameter declaration/types were changed


Once you have updated to Joomla! 1.0.13, you can't just revert back to Joomla! 1.0.12: the user passwords will have been converted (for those users who visited the site) and the new password format is not accepted by older Joomla! versions. That's why you should make a full database backup before you update your Joomla! version, so you can go back at any time.

For all VirtueMart users we have created a HotFix that patches VirtueMart for Joomla! 1.0.13. It can be downloaded from joomlacode.org.

HotFix for VirtueMart to use Joomla! 1.0.13

UPDATE: When testing the VirtueMart Hotfix I was running a "fixed" installation of an internal Joomla! 1.0.13 RC3 release. This way I couldn't see that VirtueMart users suffer from another bug in the admin session handling of Joomla! 1.0.13. This file allows you to fix your Joomla! 1.0.13: Joomla! 1.0.13 Admin Session Fix (2.41 Kb)

Please note that Community Builder and probably also the SMF Bridge are affected by the changes introduced with this version. My recommendation is not to update your Joomla! site to version 1.0.13 until you have fully tested the update in a testing environment.

P.S.: As I'm part of the Joomla! Quality and Testing Workgroup, I tried to prevent these changes, but the developers of the maintenance team saw higher priority in making password storage more secure. That's ok, but why the change of the login function? According to them it was "necessary". In my eyes it wasn't.