| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Drupal 5.10, 2008-08-13
-----------------------
- fixed a variety of small bugs.
- fixed security issues, (Cross site scripting, Arbitrary file uploads via
BlogAPI and Cross site request forgery), see SA-2008-047
|
|
immediately after reading the security announcement:
* SA-2008-046 - Drupal core - Session fixation
In addition to this security vulnerability, the following bugs have been fixed in the 5.9 release:
* #281042 by schuyler1d. Render blocks before CSS and JS header generation.
* #232433 by Damien Tournoud. Use non-localized date for RSS.
* #281494 by beeradb. Code style.
* #252580 by Robert Douglass, Gerhard Killesreiter, flobruit: avoid division by zero, when all search weights are set to 0.
* #252921 by David_Rothstein and agentrickard: remove unused join, which caused column type compatibility problems with postgresql; improves postgresql compatibility.
* #128846 by takashi, chx, bdragon, wedge, salvis, Shiny: rewritten queries on PostreSQL need to have matching DISTINCT ON and ORDER BY expressions
* #280934. Make sure session is always regenerated.
|
|
All the details of the changes can be found here: http://drupal.org/node/280586
The main reason for this update is to fix a known security issue:
http://drupal.org/node/280571
|
|
many packages used to use ${PAX}. Use the common way of directly calling
pax, it is created as tool after all.
|
|
|
|
* 208700 by pwolanin. Fix bad backport of #194579. Modified to use Form API.
* 118569 by bevan: document how should one set RewriteBase, if under a VirtualDocumentRoot. Backport by Bart Jansens.
* Patch 115606 by Junyor, thesaint_02: added support for PHP 5.2's 'recoverable fatal errors'.
* 209409 by Heine, webernet, dww: more accurate register globals value checking
|
|
This release fixes security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcement:
SA-2008-005 - Drupal core - Cross site request forgery
SA-2008-006 - Drupal core - Cross site scripting (UTF8)
SA-2008-007 - Drupal core - Cross site scripting (register_globals)
In addition to this security vulnerability, the following bugs have been fixed since the 5.5 release:
173858 by Gábor Hojtsy: skip UTF-8 BOM when importing locale files
179164 by Heine: sort modules by name on the module admin page
199640 by webernet: (usability) add option to select no taxonomy term in multiselect forms, not to rely on browser trickery
199084 by chx: better conformance with ISO date formats in our xmlrpc code
173459 by Dave Cohen. Backport of #78487 by FredCK, forngren and bjaspan: document support in url() and l() and proper active class support for .
89218 by Gábor Hojtsy. Properly initialize a counter variable and fix poll editing.
64388 by Gábor Hojtsy. Add missing db_rewrite_sql(); not a security issue since it is a count() query.
200338 by m3avrck and quicksketch: fix transparent GIF resizing
194652 by Heine: specify explicit accept-charset for forms to avoid browser guessing
182410 by greggles: HTTP Basic authentication username and password was parsed in drupal_http_request() but then not used in the request
- Patch 201894 by David Rothstein: fixed typo in user output.
180126 by mmoreno, drewish and scor: add realpath() call to file_save_data(), so Windows will create temporary files properly
115689 by chx: new content types should not overwrite old ones. Backport by Pancho.
203727 by Arancaytar. More effectively use hook API.
204855 by webernet. Add missing * in documentation.
168315 by schuyler1d: previous active database name was not consistently returned in db_set_active()
- Patch 199955 by saxofaan: file_upload_max_size() returns results in bytes, not in mega bytes.
194579 patch by pwolanin: clear filter cache when allowed HTML tags configuration changes in an input format
#166433 by Ralf Stamm. Use correct menu item type for revsion confirm pages.
58806 by fwalch and wicksteedc. Do not override MENU_VISIBLE_IF_HAS_CHILDREN on editing.
Partial backport of 112715 to fix 124641.
Changes from 5.4 -> 5.5
Fixed missing missing brackets in a query in the user module.
Fixed taxonomy feed bug introduced by SA-2007-031
|
|
immediately. For more details, please see the security announcement:
* SA-2007-031 - Drupal core - SQL Injection possible when certain contributed modules are enabled
In addition to this security vulnerability, the following bugs have been fixed since the 5.2 release:
* 178478 by scor: typo in text displyed when the DB is installed but not accessible
* Patch 122759 by Robrecht: fixed broken query in upgrade path.
* 55277 by catch and JirkaRybka: when flat comment view is used, order comments by cid (ie. original submission order) instead of timestamp (ie. last editing time order) to avoid comments jumping around when being edited
* Patch 181063 by chx and bjaspan: fixed problem with drupal_bootstrap() not booting to the proper level.
* 184668 by hazexp, Remove unnecessary ';'
* Patch 182728 by Darren Oh: improved PHPdoc of db_rewrite_sql().
* 93425 by bjaspan: remove pre-Drupal 4.6 era destination handling cruft carried over in comment module
* 154388 (backport of 172262) by JirkaRybka. Better globals handling in install system, so the choosen profile and language are remembered.
* 171117 by JirkaRybka: set access time for admin created or edited accounts so they are exempt from the spam protection we have for accounts never logged in
* Patch 168829 by Neil Drumm: fixed link in documentation.
* 165924 by odious. Use accurate count query for user list.
* 187601 by Bart Jansens. Use correct HTTP status codes for redirects.
* 180109 by JirkaRybka: overcome browser quirk to detect when no taxonomy term was selected
* 134984 by mikesmullin. Fix x2 coordinate for rendering gradients.
|
|
Fix a number of security issues:
SA-2007-024 - Drupal Core - HTTP response splitting
SA-2007-025 - Drupal Core - Arbitrary code execution via installer.
SA-2007-026 - Drupal Core - Cross site scripting via uploads
SA-2007-029 - Drupal Core - User deletion cross site request forgery
SA-2007-030 - Drupal Core - API handling of unpublished comment
Bugs:
Redirect to home page after user registration requiring admin approval.
More correct wording since some modules will actually work despite warning.
variable search_cron_limit was not removed on search uninstall
Append to instead of overwrite #suffix.
hide administration pages links on module help pages if there are no admin links for the module
See http://drupal.org/node/184395 for all the details
|
|
Fix two security issues:
http://drupal.org/node/162360
http://drupal.org/node/162361
|
|
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
|
|
|
|
Drupal 5.1, 2007-01-29
----------------------
- fixed security issue (code execution), see SA-2007-005
- fixed a variety of small bugs.
Drupal 5.0, 2007-01-15
------------------------
- completely retooled the administration page
* /admin now contains an administration page which may be themed
* reorganised administration menu items by task and by module
* added a status report page with detailed PHP/MySQL/Drupal information
- added web-based installer which can:
* check installation and run-time requirements
* automatically generate the database configuration file
* install pre-made 'install profiles' or distributions
* import the database structure with automatic table prefixing
* be localized
- added new default Garland theme
- added color module to change some themes' color schemes
- included the jQuery JavaScript library 1.0.4 and converted all core JavaScript
to use it
- introduced the ability to alter mail sent from system
- module system:
* added .info files for module meta-data
* added support for module dependencies
* improved module installation screen
* moved core modules to their own directories
* added support for module uninstalling
- added support for different cache backends
- added support for a generic "sites/all" directory.
- usability:
* added support for auto-complete forms (AJAX) to user profiles.
* made it possible to instantly assign roles to newly created user accounts.
* improved configurability of the contact forms.
* reorganized the settings pages.
* made it easy to investigate popular search terms.
* added a 'select all' checkbox and a range select feature to administration
tables.
* simplified the 'break' tag to split teasers from body.
* use proper capitalization for titles, menu items and operations.
- integrated urlfilter.module into filter.module
- block system:
* extended the block visibility settings with a role specific setting.
* made it possible to customize all block titles.
- poll module:
* optionally allow people to inspect all votes.
* optionally allow people to cancel their vote.
- distributed authentication:
* added default server option.
- added default robots.txt to control crawlers.
- database API:
* added db_table_exists().
- blogapi module:
* 'blogapi new' and 'blogapi edit' nodeapi operations.
- user module:
* added hook_profile_alter().
* e-mail verification is made optional.
* added mass editing and filtering on admin/user/user.
- PHP Template engine:
* add the ability to look for a series of suggested templates.
* look for page templates based upon the path.
* look for block templates based upon the region, module, and delta.
- content system:
* made it easier for node access modules to work well with each other.
* added configurable content types.
* changed node rendering to work with structured arrays.
- performance:
* improved session handling: reduces database overhead.
* improved access checking: reduces database overhead.
* made it possible to do memcached based session management.
* omit sidebars when serving a '404 - Page not found': saves CPU cycles and
bandwidth.
* added an 'aggressive' caching policy.
* added a CSS aggregator and compressor (up to 40% faster page loads).
- removed the archive module.
- upgrade system:
* created space for update branches.
- forms API:
* made it possible to programmatically submit forms.
* improved api for multistep forms.
- theme system:
* split up and removed drupal.css.
* added nested lists generation.
* added a self-clearing block class.
|
|
Patch provided by Sergey Svishchev in private mail.
|
|
------------------------
- fixed security issue (code execution), see SA-2007-005
|
|
|
|
Only updates to address two new security issues:
http://drupal.org/files/sa-2007-001/advisory.txt
http://drupal.org/files/sa-2007-002/advisory.txt
|
|
Make pkglint happy
* Fix problems reported using the bug tracking system
* Fixes for three security issues:
http://drupal.org/files/sa-2006-024/advisory.txt
http://drupal.org/files/sa-2006-025/advisory.txt
http://drupal.org/files/sa-2006-026/advisory.txt
|
|
Only change appears to be a fix for an XSS bug
|
|
is controlled properly
Fix by Takahiro Kambe in private mail.
Bump to nb1.
|
|
- fixed critical upload issue, see SA-2006-007
- fixed taxonomy XSS issue, see SA-2006-008
- fixed a variety of small bugs.
|
|
all PEAR packages to php?-pear-* and all Apache packages to ap13-* or
ap2-* respectively. Add new variables to simplify the Makefile
handling. Add CONFLICTS on the old names. Reset revisions of bumped
packages. ap-php will now depend on the default Apache and PHP version.
All programs using it have an implicit option of the Apache version
as well.
OK from jlam@ and adrianp@.
|
|
For a full list of changes see: http://drupal.org/drupal-4.7.0
In short:
- Updated Documentation for All Modules
- Auto-complete Fields(AJAX)
- Added Mass Comment Operations
- Easier to Make Menu Items
- RSS Feed Settings
- Better Search Index
- New Forms API
|
|
Bump PKGREVISION
|
|
Fix pkglint warnings
|
|
------------------------
- fixed critical SQL issue, see SA-2006-005
|
|
pkginstall framework. In the case of libtool-base, avoid using
FILES_SUBST_SED where it isn't needed.
|
|
fixed bugs, including 4 security vulnerabilities.
1. http://drupal.org/sa-2006-001/advisory.txt
2. http://drupal.org/sa-2006-002/advisory.txt
3. http://drupal.org/sa-2006-003/advisory.txt
4. http://drupal.org/sa-2006-004/advisory.txt
For further details see: http://drupal.org/project/cvs/3060/?branch=DRUPAL-4-6
|
|
|
|
|
|
XXX Use DIST_SUBDIR in a more intelligent way?
|
|
of the shlib major bump.
PKGREVISION++ for the dependencies.
|
|
|
|
pkg has been changed to 5.x). Reminded by wiz... thanks.
|
|
the checksums to change.
Update to the latest checksum and bump to nb1.
|
|
No PKGREVISION bump as the package is only 12 hours old.
|
|
Drupal is software that allows an individual or a community of users to easily
publish, manage and organize a great variety of content on a website. Tens of
thousands of people and organizations have used Drupal to set up scores of
different kinds of web sites, including
* community web portals and discussion sites
* corporate web sites/intranet portals
* personal web sites
* aficionado sites
* e-commerce applications
* resource directories
Drupal includes features to enable:
* content management systems
* blogs
* collaborative authoring environments
* forums
* newsletters
* picture galleries
* file uploads and download
|
