Subject: CVS commit: [pkgsrc-2009Q2] pkgsrc/www/drupal6
From: Matthias Scheler
Date: 2009-07-17 15:35:28
Message id: 20090717133528.6FD7E175D0@cvs.netbsd.org

Log Message:
Pullup ticket #2817 - requested by adrianp
drupal6: security update

Revisions pulled up:
- www/drupal6/Makefile			1.16
- www/drupal6/distinfo			1.12
---
Module Name:	pkgsrc
Committed By:	adrianp
Date:		Thu Jul 16 18:11:53 UTC 2009

Modified Files:
	pkgsrc/www/drupal6: Makefile distinfo

Log Message:
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

    * SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed since the 6.12 release:

    * - Patch #463450 by wulff: fixed documentation glitch.
    * #193577 by Rob Loach, Damien Tournoud, andypost: JavaScript string split() function does not behave like PHP explode(); causes problems with multiple node body break tags
    * #454992 by sun, bengtan: _drupal_flush_css_js() should not have 'q' as a possible CSS query character, since that is the Drupal path name character too
    * #452704 by andypost, catch: Names of compressed CSS and JS files should have a prefix, so that names starting in ad* will not happen. Those are easily blocked by firewalls, Firefox's Adblock, etc.
    * #468732 by andypost: cache_clear_all() mentioned cache_flush_delay incorrectly; it should say we use cache_lifetime
    * #460420 by wulff, andypost: drupal_set_title() in forum_overview() is not needed; menu already sets the title and is localized
    * #398902 by Nick Urban, alexanderpas, kscheirer: password equality checking was not using strict type checking; we should assume these are strings and compared character to character
    * #479216 by jhedstrom: fix grammar in forum module messages
    * #445748 by Dave Reid, dww: Fix module support for disabled module update status checking and do not track usage in that case.
    * #465190 by Heine: The Anonymous name is a plain text setting, so it should be escaped properly for output.
    * #246096 by Sutharsan, Pedro Lozano, mr.baileys, andypost: Actions set to run on cron were not actually triggered.
    * #226479 by gpk, BrianV, catch: We should always show the node access rebuild button. The check on when to show it was fragile, so the button might not have been there when actually needed.
    * #482646 by Dave Reid: For proper HTTP query simpletesting, we should pass on the instance identifier (database prefix).
    * #197266 by ufku, lilou, Dave Reid, c960657, drewish: Save a query by only calling file_space_used() when a limit is provided.
    * #408876 by Pasqualle, JamesAn: The 'serialize' Schema API property was used but not documented.
    * #145733 by kepten, brianV: The session.use_cookies PHP setting is required by Drupal, but it can be turned off, so try to ensure it is turned on at all times.
    * #373225 by jpulles, Josh Waihi: When changing columns, PostgreSQL needs explicit type casting to ensure that values are kept properly.
    * #236657 by hctom, swentel: In system_clear_cache_submit(), the function arguments were swapped (but it did not affect how it actually worked).
    * #243253 by Benjamin Melançon, dww: Update status should not attempt to request update data until a limit is reached. Fixed Drupal instances when drupal.org is down and gets less load on Drupal.org if data is not found.
    * #339466 by patryk, c960657, alexanderpas: Remove url() wrapping from remote links and link in a more user friendly OpenID provider list.
    * #461938 by grendzy, JamesAn: Use filter_xss_admin() on site name and site slogan, just like footer message and mission
    * #455172 by budda, RoboPhred, andypost: Fix drupal_mail() documentation, so that it encourages to set the body of the email as an array (like core does).
    * #329797 by berenddeboer, redndahead, danielb: The tablesort code did not account for possibly nested tables; only match immediate descendants, so elements of nested tables are not matched.
    * #352121 by valthebald, Damien Tournoud, mr.baileys: The safe string check on translations should only be applied to the default textgroup. Strings in other textgroups such as blocks and menu items are displayed via escaping and filtering, and might contain arbitrary HTML.

Files:
Revision	Action	File
1.15.2.1	modify	pkgsrc/www/drupal6/Makefile
1.11.2.1	modify	pkgsrc/www/drupal6/distinfo