The other two vulnerabilities were minor (non-persistent XSS) and are described here:
So what happened in the meantime?
Well, our dear fellow Joomla developers kept us even more busy than usual. :-) We were forced by different circumstances to release minor interim versions. First, we had to react fast to different problems in Joomla. For example, in February we were informed by "Appcheck NG" that we were distributing the dangerous file 'uploader.swf' in our Joomla 2.5.x/VM 3.0.x full installer. After some investigation it became clear that the file was still distributed by Joomla and was only removed when users updated Joomla. The file has been known to be dangerous since J2.5.10, but it is still present in the J2.5.28 installer. So we removed the file from our package and added a remove function to the install and update routines of VirtueMart 2.6.16+ and 3.0.6+ to ensure that the file is deleted.
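An added example of the kind of cleanup described above, written as a Joomla extension install script; it is not VirtueMart's own code, and the class name and the file path constant are assumptions, not taken from the post. Hooking the removal into postflight() means it runs for fresh installs and for updates alike, so an existing site that still carries the file loses it as well.

```php
<?php
// Added example (not VirtueMart's code): remove a known-dangerous legacy file on
// both install and update. The path and class name are ASSUMPTIONS for illustration.
defined('_JEXEC') or die;

jimport('joomla.filesystem.file');

class com_vmExampleInstallerScript
{
    /** Legacy files that must not remain on the site, relative to JPATH_ROOT (assumed path). */
    protected $legacyFiles = array(
        'media/system/swf/uploader.swf',
    );

    /**
     * Joomla calls postflight() after install, update and discover_install,
     * so the cleanup is not limited to fresh installations.
     */
    public function postflight($type, $parent)
    {
        foreach ($this->legacyFiles as $relative) {
            $this->removeLegacyFile(JPATH_ROOT . '/' . $relative);
        }
        return true;
    }

    /**
     * Deletes $path if present. Returns true when the file is absent afterwards and
     * false when it still exists (e.g. a permission problem), and raises a visible
     * warning instead of silently assuming the cleanup succeeded.
     */
    protected function removeLegacyFile($path)
    {
        if (!JFile::exists($path)) {
            return true; // nothing to do
        }
        if (!JFile::delete($path)) {
            JFactory::getApplication()->enqueueMessage(
                'Could not remove legacy file ' . $path . '; please delete it manually.',
                'warning'
            );
            return false;
        }
        JLog::add('Removed legacy file ' . $path, JLog::INFO, 'installer');
        // Re-check rather than trusting the return value alone.
        return !JFile::exists($path);
    }
}
```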
I wrote the above 1 week ago, and meanwhile we are suffering from new problems with routing of the language in Joomla 3.4.1, a new problem with canonical URLs, and more. So let's hope that all the currently open router/SEF fixes, viewable at issues.joomla.org/tracker/joomla-cms/?category=router-sef, will be tested and merged into Joomla as soon as possible. A half-baked new router system creates many problems for us.
Since there are still security audits for Joomla 2.5.28, even after the announced End of Life, we currently recommend that multilingual shops stay with Joomla 2.5.28 until we have a stable Joomla 3.4.x or 3.5 version. Our Supporter Membership implies a security maintenance contract and ensures a stable and secure system.
As many live shops show, staying with Joomla 2.5.28 doesn't mean the system is not responsive or not mobile friendly. There are great templates on the market that offer all the mobile-friendly features necessary for an up-to-date e-commerce system on a stable Joomla 2.5 backbone.
We really worked hard on the new version and besides fixing bugs, we also added some features.
- The vmbeez template is now mobile friendly (Kudos to Stefan Schumacher)
- New option for Multivariants, which automatically creates the selected customfield "string" in the children for you. This is very important for search plugins
- Multivariant gives the correct number of rows (for the browse page)
- New sample data with new images
- Added more NOT NULL declarations for SQL (see http://dev.mysql.com/doc/refman/5.7/en/is-null-optimization.html)
- Fallbacks for IE9, various JS, missing config values and similar
- Category name understands vmText language keys
- Added extra option to "is_list" for the customfields S and M
- Address handling in the cart is enhanced
- Example of making the code more robust: creating children was limited by the slug finder (it did not make more than 20 tries). The new function uses the slug of the most recently generated child to find a new slug.
- Another example: added the function ensureUniqueId to keep all HTML id tags unique (not implemented for every HTML function yet)
- Vmprices addtocart now also works with the entity button, not just the input
- Added vRequest::vmSpecialChars without double encoding; the reason is that lang can be a command in PHP (thx to Kainhofer for the hint and patch)
- And a lot more; you may investigate the repository yourself: dev.virtuemart.net/.../trunk/virtuemart
Furthermore, we released the new vm2.6.18 with just minor bugfixes.