2 other unauthorized access issues also fixed along the way

Oct 22, 2015 14:51 GMT

A few hours after the Drupal team announced a security fix, Joomla's team has followed suit, addressing three different issues, one of which is an SQL injection vulnerability rated critical.

The SQL injection vulnerability was reported on October 15, and although no specific details have been provided yet, the Joomla Security team felt the issue was serious enough to warrant a pre-announcement the next day, something it had not done until that point.

According to the data available at this moment, the issue stems from "inadequate filtering of request data" and affects Joomla's core in all versions from 3.2 through 3.4.4. Further details about the issue will be published under CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858.

Besides the SQL injection, two other vulnerabilities were also discovered and patched, in the com_contenthistory and com_content components, which allowed attackers to access data that should normally be restricted from unprivileged users.

These vulnerabilities affect Joomla versions 3.2 through 3.4.4 (com_contenthistory) and 3.0 through 3.4.4 (com_content).

All users are urged to upgrade as soon as possible to avoid leaving these attack vectors unpatched in their website's code. Besides the three security fixes, no other changes have been made to the CMS's code.

You can download the latest version of the Joomla CMS from the official website, GitHub, or from a Softpedia mirror on our Webscripts section.

UPDATE: Since our blog post, Trustwave researchers have released in-depth details on their blog about the SQL injection they found.