Joomla has published today the following advisory:
A Joomla 3.4.7 release containing a security fix will be published today (Monday 21st December) at approximately 21:00 UTC
The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of this year (2015) with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (N.B. Fixed in all versions of PHP 7 and has been backported in some specific Linux LTS versions of PHP 5.3). The only Joomla sites affected by this bug are those which are hosted on vulnerable versions of PHP. We are aware that not all hosts keep their PHP installations up to date so we are releasing a Joomla Update later today which contains additional protection for those users. We do of course recommend that all users apply this update as soon as possible.
From Joomla 3.4.6, performing an update to the new version is as simple as logging in and clicking an update button. The update version warning notice will be clearly visible as soon as an administrator logs in. Joomla advises that there are Joomla extensions available that can apply updates automatically.
Although no longer supported officially, the Joomla Security Strike Team plans to issue patches for Joomla versions 1.5 and 2.5.
Until the release is out, please understand that we cannot provide any further information.