Path to this page:
Subject: CVS commit: [pkgsrc-2009Q2] pkgsrc/www/drupal6
From: Matthias Scheler
Date: 2009-07-17 15:35:28
Message id: 20090717133528.6FD7E175D0@cvs.netbsd.org
Log Message:
Pullup ticket #2817 - requested by adrianp
drupal6: security update
Revisions pulled up:
- www/drupal6/Makefile 1.16
- www/drupal6/distinfo 1.12
---
Module Name: pkgsrc
Committed By: adrianp
Date: Thu Jul 16 18:11:53 UTC 2009
Modified Files:
pkgsrc/www/drupal6: Makefile distinfo
Log Message:
This release fixes security vulnerabilities. Sites are urged to upgrade \
immediately after reading the security announcement:
* SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed \
since the 6.12 release:
* - Patch #463450 by wulff: fixed documentation glitch.
* #193577 by Rob Loach, Damien Tournoud, andypost: JavaScript string split() \
function does not behave like PHP explode(); causes problems with multiple node \
body break tags
* #454992 by sun, bengtan: _drupal_flush_css_js() should not have 'q' as a \
possible CSS query character, since that is the Drupal path name character too
* #452704 by andypost, catch: Names of compressed CSS and JS files should \
have a prefix, so that names starting in ad* will not happen. Those are easily \
blocked by firewalls, Firefox's Adblock, etc.
* #468732 by andypost: cache_clear_all() mentioned cache_flush_delay \
incorrectly; it should say we use cache_lifetime
* #460420 by wulff, andypost: drupal_set_title() in forum_overview() is not \
needed; menu already sets the title and is localized
* #398902 by Nick Urban, alexanderpas, kscheirer: password equality checking \
was not using strict type checking; we should assume these are strings and \
compared character to character
* #479216 by jhedstrom: fix grammar in forum module messages
* #445748 by Dave Reid, dww: Fix module support for disabled module update \
status checking and do not track usage in that case.
* #465190 by Heine: The Anonymous name is a plain text setting, so it should \
be escaped properly for output.
* #246096 by Sutharsan, Pedro Lozano, mr.baileys, andypost: Actions set to \
run on cron were not actually triggered.
* #226479 by gpk, BrianV, catch: We should always show the node access \
rebuild button. The check on when to show it was fragile, so the button might \
not have been there when actually needed.
* #482646 by Dave Reid: For proper HTTP query simpletesting, we should pass \
on the instance identifier (database prefix).
* #197266 by ufku, lilou, Dave Reid, c960657, drewish: Save a query by only \
calling file_space_used() when a limit is provided.
* #408876 by Pasqualle, JamesAn: The 'serialize' Schema API property was \
used but not documented.
* #145733 by kepten, brianV: The session.use_cookies PHP setting is required \
by Drupal, but it can be turned off, so try to ensure it is turned on at all \
times.
* #373225 by jpulles, Josh Waihi: When changing columns, PostgreSQL needs \
explicit type casting to ensure that values are kept properly.
* #236657 by hctom, swentel: In system_clear_cache_submit(), the function \
arguments were swapped (but it did not affect how it actually worked).
* #243253 by Benjamin Melan=C3=A7on, dww: Update status should not attempt \
to request update data until a limit is reached. Fixed Drupal instances when \
drupal.org is down and gets less load on Drupal.org if data is not found.
* #339466 by patryk, c960657, alexanderpas: Remove url() wrapping from \
remote links and link in a more user friendly OpenID provider list.
* #461938 by grendzy, JamesAn: Use filter_xss_admin() on site name and site \
slogan, just like footer message and mission
* #455172 by budda, RoboPhred, andypost: Fix drupal_mail() documentation, so \
that it encourages to set the body of the email as an array (like core does).
* #329797 by berenddeboer, redndahead, danielb: The tablesort code did not \
account for possibly nested tables; only match immediate descendats, so elements \
of nested tables are not matched.
* #352121 by valthebald, Damien Tournoud, mr.baileys: The safe string check \
on translations should only be applied to the default textgroup. Strings in \
other textgroups such as blocks and menu items are displayed via escaping and \
filtering, and might contain arbitrary HTML.
Files: