2009-09-29 15:39:58 by Takahiro Kambe | Files touched by this commit (2) |
Log message:
Update www/drupal package to 5.20 to fix security problem.
pkgsrc change: add LICENSE.
Drupal 5.20, 2009-09-16
-----------------------
- Avoid security problems resulting from writing Drupal 6-style menu
declarations.
- Fixed security issues (session fixation), see SA-CORE-2009-008.
- Fixed a variety of small bugs.
|
2009-07-16 20:11:07 by Adrian Portelli | Files touched by this commit (2) |
Log message:
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-CORE-2009-007 Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 5.18 release:
* #212285 by wrwrwr: hr should be treated as a block level tag. Backport by alexanderpas.
* #145733 by kepten, brianV: The session.use_cookies PHP setting is required by Drupal, but it can be turned off, so try to ensure it is turned on at all times.
|
2009-06-15 00:00:42 by Joerg Sonnenberger | Files touched by this commit (316) |
Log message:
Convert @exec/@unexec to @pkgdir or drop it.
|
2009-05-14 21:37:02 by Adrian Portelli | Files touched by this commit (2) |
Log message:
5.18
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-CORE-2009-006 Drupal core - Cross site scripting
In addition to this security vulnerability, the following bugs have been fixed since the 5.15 release:
* #396224 partial rollback of SA-CORE-2009-003 security hardening.
* #396224 adding missing documentation comment update. By dvessel and pwolanin.
* #267305 by brianV. Remove ?>.
* #305544 by jsenich. Add missing clear-block to admin by modules.
* #330084 by c960657: Remove unnecessary duplication of the From header value in Reply-to; standards indicate setting the From header should be sufficient.
|
2009-05-01 21:49:42 by Adrian Portelli | Files touched by this commit (2) |
Log message:
Update to 5.17
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-CORE-2009-005 Drupal core - Cross site scripting
In addition to this security vulnerability, the following bugs have been fixed since the 5.15 release:
* #150851 by pwolanin and chx: different radio buttons in the same set should have different HTML id values (XHTML validity fix). Backport #367689 by gollyg.
* #335741 by electricmonk. Do not recurse over non-objects.
* #287725 by mantyla. Sort by mid to avoid inconsistencies when multiple menu items exist for a node.
* 174940 by gpk: avoid calling up the full Drupal bootstrap for nonexistent favicon.ico. Backport by matt@antinomia.
* #112887 by ged3000. Adding Newfoundland DST
* #401494 by andypost. Correctly clear menu cache.
* #396224 by pwolanin: Further harden template file name discovery
* #395086 by Freso: call trim() before truncate_utf8() in comment module for better quality truncation.
* #197864 by vito_swat, alpritt, Murz, catch: Use hook_term_path() in forum module instead of hook_link_alter(); simplifies code, improves performance and compatibility.
|
2009-02-28 17:10:23 by Adrian Portelli | Files touched by this commit (2) |
Log message:
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-CORE-2009-004 Drupal core - Local file inclusion on Windows
In addition to this security vulnerability, the following bugs have been fixed since the 5.15 release:
* #124492 by m3avrck, mfer: more accurate checking for valid URLs in valid_url()
* #360038 by sun. Documentation improvement.
* #179244 by tangent: line break filter operates on object element.
* #62926 by karschsp: increase the free tagging field maximum length to 1024; the database limits are per-tag.
|
2009-01-15 21:05:44 by Adrian Portelli | Files touched by this commit (2) |
Log message:
The following bug has been fixed since the 5.13 release:
* Rolling back #280934. PHP 4 incompatibility.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-CORE-2009-001 Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 5.14 release:
* #348269 by Darren Oh. Add missing * in the expand_password_confirm() comment.
* #202688. Backport from 6.x.
* #103528 by gpk, hass & salvis. Provide a useful message when the color picker is disabled due to the download method.
* #350708 by dww. Backport t() documentation improvements from D6.
* #157353 by Freso and tangent. Remove a needless dash from RSS feed title.
* #323386 by mariuss: The selection type in profile module expects items each on their own line and should not break items on commas
* #252921 by k4ml. Use correct placeholder.
* #61108 by Uwe Hermann: update LICENSE.txt with latest version of GPL2 text
* - Patch #335385 by Dave Reid: fixed maxlength of path alias fields to be consistent with the database.
* #346285 by grendzy, Damien Tournoud, thekevinday et al: fixed problem when HTTP_HOST is not transmitted
|
2008-12-11 00:55:39 by Adrian Portelli | Files touched by this commit (2) |
Log message:
Update to 5.13
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-2008-073 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 5.12 release:
* #318102 by Damien Tournoud and Dave Reid: hook_exit() not invoked for some cached requests.
* #278821 by teezee. More isset() checking.
* #293612 by egfrith, Bart Jansens: let user_authenticate() be called without cookies previously set; allows web service modules to start a session with the authentication.
* #123556 by maartenvg and dvdweide. Do not show empty user info categories.
* #294450 by blakehall. Match up DB and form max length.
* More code style removing trivial differences with 6.x.
* #195161 by mcarbone with some modifications: only show 'login to post comments' if logging in actually lets you post comments. Backport by salvis.
* - Patch #342988 by ultimateboy: fixed order of attributes in PHPdoc.
* #280934 follow up by pwolanin: harden the cookie handling in sess_regenerate() by setting our session cookie to be an HTTP only cookie, thus reducing the risk of session stealing via XSS
* #324875 by pwolanin: improve HTTP_HOST checking, ensuring that the host is lowercased and only valid characters are allowed.
* #28776 by Uwe Hermann, Morbus Iff, jvandyk: Protect *.test files and SVN metafiles from being exposed under Drupal
* #299582 by hass: Remove outdated items from robots.txt and fix ordering of items to make stuff easier to find.
http://drupal.org/node/345467
|
2008-10-23 23:33:21 by Adrian Portelli | Files touched by this commit (2) |
Log message:
Update to 5.12
The twelfth maintenance and security release of the Drupal 5 series. Only
fixes for security vulnerabilities and other bugs have been committed. New
features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the security announcement:
* SA-2008-067 - Drupal core - Multiple vulnerabilities
|
2008-10-12 02:32:31 by Adrian Portelli | Files touched by this commit (2) |
Log message:
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-2008-060 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed in the 5.11 release:
* - Patch 265899 by mfb: uri_brief mail token did not support https URLs.
* - Patch 170310 by mfb, JohnAlbin: avoid SSL cookie getting over-written by non-SSL cookie.
* 296096 by Damien Tournoud. Fix 5.10 Postgres install & update.
* - Patch 246143 by bjaspan, Damien Tournoud: make sure updates are run in numeric order, not in definition order.
* 181831 by Rob Loach. Backport of #130630 by chx: provide an id on the form item wrapper div.
* 283026 by Damien Tournoud. Make user_authenticate from external source (for existing users) work with no server part.
* 298535 by mkalkbrenner. Correct HTTP status code for failed connection.
* 108717 by add1sun and neclimdul. Code style.
* - Patch 230932 by ryanlath: file_scan_directory() didn't scan the directory called '0'. Backport by cridenour.
* follow up to 280621 by lilou: the object tag was disallowed in a previous version in filter_xss_admin(), so disallow param as well, which is only meaningful inside an object tag
* 208270 reported by Dries, patch by jvandyk: it was not possible to clear the XML-RPC error cache, making it impossible to do multiple queries in one request. Add xmlrpc_clear_error() and slightly modify xmlrpc_error() to fix.
* - Patch 308549 by lyrincz, Dave Reid: fixed broken link in PHPdoc.
* 67895 patch by goba, tested by JirkaRybka and blackdog: move poll votes with poll options, when an option is removed, instead of dropping all old votes, solving an old data loss bug. Backport by dww.
* 312730 by Damien Tournoud. hook_requirements('install') should work for modules that don't reside in the main './modules' folder.
|