No Code Attached Yet
joomlaphp
25 Oct 2022

Steps to reproduce the issue

File Checksum Failed
1

Expected result

Actual result

System information (as much as possible)

Additional comments

joomlaphp - open - 25 Oct 2022
joomla-cms-bot - change - 25 Oct 2022
Labels Added: No Code Attached Yet
joomla-cms-bot - labeled - 25 Oct 2022
peteruoi - comment - 25 Oct 2022

I have the same problem.

jschmi102 - comment - 25 Oct 2022

Same problem on my site.

nikosdion - comment - 25 Oct 2022

I can confirm the issue and I can explain it to people who are not aware of what is going on. It's a security feature kicking in because of a mistake in the Joomla Update files.

@roland-d @fancyFranci MAYDAY! MAYDAY! MAYDAY!

Joomla downloads its update information from the file https://update.joomla.org/core/sts/extension_sts.xml. This file lists the download source as https://downloads.joomla.org/cms/joomla4/4-2-4/Joomla_4.2.4-Stable-Update_Package.zip and its SHA checksums as follows:

<sha256>
9523e2d5f199b579005a4e9008e848662c4504e298bf487e27ba9680843a4d68
</sha256>
<sha384>
ce37f3d55115a2effa9096fc82dd44259048b288babbddb8cc507fef43dc5922239d05f074f4e387a1fc1f165b5e38c4
</sha384>
<sha512>
c80d128b2191a2e850a873bd3102499c204f61f43e9259b83a7d8227767bde3e3437c29dd84ef5ff361a572d5d6c342812c0ad24f039c7fdc8e1252712bde62e
</sha512>

Joomla Update downloads the ZIP file, calculates its SHA checksum and compares it to what is claimed in the update XML file. If there is a mismatch it stops the update with "File Checksum Error". This is a security feature to prevent (most) man-in-the-middle attacks or file hosting issues from giving a malicious update to Joomla which could be used to hack sites en masse.

However, this feature only works if the SHA checksums in the XML update file are valid.

Downloading that ZIP file and calculating its SHA checksum on my computer yields very different checksums than the ones claimed in the update XML file:

% shasum -a 256 Joomla_4.2.4-Stable-Update_Package.zip
d14a21d06b05ddeb643a5c0b9e3e6c96fc9929d74a6424ada2e019fd81f2d09b  Joomla_4.2.4-Stable-Update_Package.zip
% shasum -a 384 Joomla_4.2.4-Stable-Update_Package.zip
ef3232f03a05892375c5f84f778abf26d231a95ab35a5f241aac7fe35ad23ef78fc8cb216d00b7c9e490de33deb50a7a  Joomla_4.2.4-Stable-Update_Package.zip
% shasum -a 512 Joomla_4.2.4-Stable-Update_Package.zip
ec80b1314d4b13a75db685909d890e39daf00453993084c2af66c585645060a0cdbbc324fdc6d5dd5a25ad5bba7fae32c764a756f1916557563367ae17592562  Joomla_4.2.4-Stable-Update_Package.zip

This is why the update does not proceed.

The Joomla project needs to fix the SHA sums in the update XML file. After this happens, we all need to re-check for updates by going to System, Update, Extensions and clicking on Check For Updates (which clears the update cache), then go to System, Update, Joomla and install the 4.2.4 update, which will now compare against the correct checksum.
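Added example, not part of the comment above and not Joomla's own code: a sketch of the check that comment describes, reading the `<sha256>`, `<sha384>` and `<sha512>` claims from an update manifest and comparing them to digests computed over the downloaded bytes. The `<update>` wrapper, the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

ALGORITHMS = ("sha256", "sha384", "sha512")  # the three tags quoted in the comment


def claimed_digests(update_xml: str) -> dict:
    """Collect the <sha256>/<sha384>/<sha512> values from an update manifest."""
    root = ET.fromstring(update_xml)
    claims = {}
    for algo in ALGORITHMS:
        node = root.find(f".//{algo}")
        if node is not None and node.text and node.text.strip():
            # Values may be wrapped in whitespace or newlines; normalise case too.
            claims[algo] = node.text.strip().lower()
    return claims


def verify_package(package: bytes, update_xml: str) -> dict:
    """Return {algo: True/False}; raise if the manifest claims no checksum at all."""
    claims = claimed_digests(update_xml)
    if not claims:
        # Fail closed: an unverifiable package must not be installed.
        raise ValueError("manifest has no checksum, refusing to install")
    return {
        algo: hmac.compare_digest(hashlib.new(algo, package).hexdigest(), expected)
        for algo, expected in claims.items()
    }


def manifest_for(package: bytes) -> str:
    """Build a constructed manifest (hypothetical <update> wrapper) for given bytes."""
    tags = "".join(
        f"<{a}>\n{hashlib.new(a, package).hexdigest()}\n</{a}>" for a in ALGORITHMS
    )
    return f"<update>{tags}</update>"


# Constructed sample data: stand-ins for the real ZIP and the real update XML.
PUBLISHED_ZIP = b"constructed bytes standing in for the update package"
GOOD_MANIFEST = manifest_for(PUBLISHED_ZIP)
# Manifest whose checksums describe different bytes (the situation reported here).
STALE_MANIFEST = manifest_for(b"constructed bytes of some other file")

if __name__ == "__main__":
    for name, manifest in (("good", GOOD_MANIFEST), ("stale", STALE_MANIFEST)):
        results = verify_package(PUBLISHED_ZIP, manifest)
        verdict = "install" if all(results.values()) else "File Checksum Error"
        print(name, results, verdict)
```

The check cannot tell a tampered download from a wrong manifest: both produce the same mismatch, which is why the update has to stop in either case.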

roland-d - comment - 25 Oct 2022

Thanks for the report, the checksums have been updated.

joomlaphp - change - 25 Oct 2022
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2022-10-25 15:20:09
Closed_By: joomlaphp
joomlaphp - close - 25 Oct 2022
joomlaphp - comment - 25 Oct 2022

Thank you, I can close the issue.

funartist - comment - 25 Oct 2022

My background image disappeared after the update; I use Helix Ultimate.

ankurj-itsoft - comment - 4 May 2023

In my case, we need to use the correct tmp_path and log_path, and also create the tmp & update directory in the Joomla root.
