"Security is an ongoing journey: The best way to stay safe is to always stay up-to-date" says Beat (CB Team and JSST - Joomla Security Strike Team member).
The previous Joomla 3.4.6 critical security release triggered an in-depth security investigation by the JSST Team to better understand the true nature and cause of this vulnerability.
This "follow the code" process traced the root cause of the issue to a specific PHP security bug, already fixed on 4th September 2015 in PHP 5.4.45, 5.5.29 and 5.6.13 (and present in all PHP 7 releases), and patched in all major Linux distributions back in September 2015.
In an effort to help secure Joomla against poorly maintained hosting environments, the Joomla project has released Joomla 3.4.7 along with Joomla 2.5 and 1.5 code fixes.
This means that:
- All Joomla 3.4 websites should be upgraded to Joomla 3.4.7
- All Joomla 2.5/1.5 websites that cannot upgrade to Joomla 3 should apply the EOL Security Hotfixes
These actions will protect your Joomla core installation against this specific PHP bug.
You should make sure that your hosting provider continuously security-maintains your PHP/Linux environment to keep it up to date (Joomlapolis Hosting does).
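A quick way to check whether the PHP build serving your site already carries the September 2015 fix, added here as an example (it is not part of the original announcement or of Joomla/Community Builder). It assumes `php` is on the PATH and compares only the upstream version number against the fixed releases named above; distribution packages often backport fixes without raising that number, so a negative result on a distro package means "check the package changelog", not "vulnerable".

```python
import re
import shutil
import subprocess

# Oldest upstream release of each PHP 5 branch that contains the fix, as listed
# in the announcement above. Every PHP 7 release already includes it.
FIXED_SINCE = {(5, 4): 45, (5, 5): 29, (5, 6): 13}


def parse_php_version(version: str):
    """Return (major, minor, patch) from '5.6.13' or from the output of
    `php -r 'echo PHP_VERSION;'`; distro suffixes such as '-1ubuntu4.13' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def php_has_session_fix(version: str) -> bool:
    """True when the upstream version number is at or past the fixed release.
    False means the number alone cannot prove the fix is present: on a
    distribution package, confirm via the package changelog instead."""
    major, minor, patch = parse_php_version(version)
    if major >= 7:
        return True
    branch = (major, minor)
    if branch not in FIXED_SINCE:
        # Branches the announcement does not list (5.3 and older) had no
        # upstream release carrying the fix, so the number cannot show it.
        return False
    return patch >= FIXED_SINCE[branch]


def check_local_php() -> str:
    """Read the version of the `php` binary on PATH and report on it."""
    php = shutil.which("php")
    if php is None:
        return "php binary not found on PATH"
    out = subprocess.run([php, "-r", "echo PHP_VERSION;"],
                         capture_output=True, text=True, check=True).stdout
    status = "contains the fix" if php_has_session_fix(out) else \
        "does not prove the fix by version number; check your distro changelog"
    return f"PHP {out.strip()} {status}"


if __name__ == "__main__":
    print(check_local_php())
```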
Please note that Community Builder 2.0.12 runs just fine with Joomla 3.4.7 (no backwards-compatibility issues) and Community Builder's session management is not affected by this PHP security bug.