The twelfth maintenance and security release of the Drupal 5 series. Only
fixes for security vulnerabilities and other bugs have been committed. New
features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the security announcement:
* SA-2008-067 - Drupal core - Multiple vulnerabilities
* SA-2008-060 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed in the 5.11 release:
* - Patch 265899 by mfb: uri_brief mail token did not support https URLs.
* - Patch 170310 by mfb, JohnAlbin: avoid SSL cookie getting over-written by non-SSL cookie.
* 296096 by Damien Tournoud. Fix 5.10 Postgres install & update.
* - Patch 246143 by bjaspan, Damien Tournoud: make sure updates are run in numeric order, not in definition order.
* 181831 by Rob Loach. Backport of #130630 by chx: provide an id on the form item wrapper div.
* 283026 by Damien Tournoud. Make user_authenticate from external source (for existing users) work with no server part.
* 298535 by mkalkbrenner. Correct HTTP status code for failed connection.
* 108717 by add1sun and neclimdul. Code style.
* - Patch 230932 by ryanlath: file_scan_directory() didn't scan the directory called '0'. Backport by cridenour.
* follow up to 280621 by lilou: the object tag was disallowed in a previous version in filter_xss_admin(), so disallow param as well, which is only meaningful inside an object tag
* 208270 reported by Dries, patch by jvandyk: it was not possible to clear the XML-RPC error cache, making it impossible to do multiple queries in one request. Add xmlrpc_clear_error() and slightly modify xmlrpc_error() to fix.
* - Patch 308549 by lyrincz, Dave Reid: fixed broken link in PHPdoc.
* 67895 patch by goba, tested by JirkaRybka and blackdog: move poll votes with poll options, when an option is removed, instead of dropping all old votes, solving an old data loss bug. Backport by dww.
* 312730 by Damien Tournoud. hook_requirements('install') should work for modules that don't reside in the main './modules' folder.
Drupal 5.10, 2008-08-13
-----------------------
- fixed a variety of small bugs.
- fixed security issues, (Cross site scripting, Arbitrary file uploads via
BlogAPI and Cross site request forgery), see SA-2008-047
* SA-2008-046 - Drupal core - Session fixation
In addition to this security vulnerability, the following bugs have been fixed in the 5.9 release:
* #281042 by schuyler1d. Render blocks before CSS and JS header generation.
* #232433 by Damien Tournoud. Use non-localized date for RSS.
* #281494 by beeradb. Code style.
* #252580 by Robert Douglass, Gerhard Killesreiter, flobruit: avoid division by zero, when all search weights are set to 0.
* #252921 by David_Rothstein and agentrickard: remove unused join, which caused column type compatibility problems with postgresql; improves postgresql compatibility.
* #128846 by takashi, chx, bdragon, wedge, salvis, Shiny: rewritten queries on PostreSQL need to have matching DISTINCT ON and ORDER BY expressions
* #280934. Make sure session is always regenerated.
* 208700 by pwolanin. Fix bad backport of #194579. Modified to use Form API.
* 118569 by bevan: document how should one set RewriteBase, if under a VirtualDocumentRoot. Backport by Bart Jansens.
* Patch 115606 by Junyor, thesaint_02: added support for PHP 5.2's 'recoverable fatal errors'.
* 209409 by Heine, webernet, dww: more accurate register globals value checking
This release fixes security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcement:
SA-2008-005 - Drupal core - Cross site request forgery
SA-2008-006 - Drupal core - Cross site scripting (UTF8)
SA-2008-007 - Drupal core - Cross site scripting (register_globals)
In addition to this security vulnerability, the following bugs have been fixed since the 5.5 release:
173858 by Gábor Hojtsy: skip UTF-8 BOM when importing locale files
179164 by Heine: sort modules by name on the module admin page
199640 by webernet: (usability) add option to select no taxonomy term in multiselect forms, not to rely on browser trickery
199084 by chx: better conformance with ISO date formats in our xmlrpc code
173459 by Dave Cohen. Backport of #78487 by FredCK, forngren and bjaspan: document support in url() and l() and proper active class support for .
89218 by Gábor Hojtsy. Properly initialize a counter variable and fix poll editing.
64388 by Gábor Hojtsy. Add missing db_rewrite_sql(); not a security issue since it is a count() query.
200338 by m3avrck and quicksketch: fix transparent GIF resizing
194652 by Heine: specify explicit accept-charset for forms to avoid browser guessing
182410 by greggles: HTTP Basic authentication username and password was parsed in drupal_http_request() but then not used in the request
- Patch 201894 by David Rothstein: fixed typo in user output.
180126 by mmoreno, drewish and scor: add realpath() call to file_save_data(), so Windows will create temporary files properly
115689 by chx: new content types should not overwrite old ones. Backport by Pancho.
203727 by Arancaytar. More effectively use hook API.
204855 by webernet. Add missing * in documentation.
168315 by schuyler1d: previous active database name was not consistently returned in db_set_active()
- Patch 199955 by saxofaan: file_upload_max_size() returns results in bytes, not in mega bytes.
194579 patch by pwolanin: clear filter cache when allowed HTML tags configuration changes in an input format
#166433 by Ralf Stamm. Use correct menu item type for revsion confirm pages.
58806 by fwalch and wicksteedc. Do not override MENU_VISIBLE_IF_HAS_CHILDREN on editing.
Partial backport of 112715 to fix 124641.
Changes from 5.4 -> 5.5
Fixed missing missing brackets in a query in the user module.
Fixed taxonomy feed bug introduced by SA-2007-031
* SA-2007-031 - Drupal core - SQL Injection possible when certain contributed modules are enabled
In addition to this security vulnerability, the following bugs have been fixed since the 5.2 release:
* 178478 by scor: typo in text displyed when the DB is installed but not accessible
* Patch 122759 by Robrecht: fixed broken query in upgrade path.
* 55277 by catch and JirkaRybka: when flat comment view is used, order comments by cid (ie. original submission order) instead of timestamp (ie. last editing time order) to avoid comments jumping around when being edited
* Patch 181063 by chx and bjaspan: fixed problem with drupal_bootstrap() not booting to the proper level.
* 184668 by hazexp, Remove unnecessary ';'
* Patch 182728 by Darren Oh: improved PHPdoc of db_rewrite_sql().
* 93425 by bjaspan: remove pre-Drupal 4.6 era destination handling cruft carried over in comment module
* 154388 (backport of 172262) by JirkaRybka. Better globals handling in install system, so the choosen profile and language are remembered.
* 171117 by JirkaRybka: set access time for admin created or edited accounts so they are exempt from the spam protection we have for accounts never logged in
* Patch 168829 by Neil Drumm: fixed link in documentation.
* 165924 by odious. Use accurate count query for user list.
* 187601 by Bart Jansens. Use correct HTTP status codes for redirects.
* 180109 by JirkaRybka: overcome browser quirk to detect when no taxonomy term was selected
* 134984 by mikesmullin. Fix x2 coordinate for rendering gradients.
Fix a number of security issues:
SA-2007-024 - Drupal Core - HTTP response splitting
SA-2007-025 - Drupal Core - Arbitrary code execution via installer.
SA-2007-026 - Drupal Core - Cross site scripting via uploads
SA-2007-029 - Drupal Core - User deletion cross site request forgery
SA-2007-030 - Drupal Core - API handling of unpublished comment
Bugs:
Redirect to home page after user registration requiring admin approval.
More correct wording since some modules will actually work despite warning.
variable search_cron_limit was not removed on search uninstall
Append to instead of overwrite #suffix.
hide administration pages links on module help pages if there are no admin links for the module
See http://drupal.org/node/184395 for all the details
the owner of all installed files is a non-root user. This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.
(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
unprivileged.mk. These two variables are lists of other bmake
variables that define package-specific users and groups. Packages
that have user-settable variables for users and groups, e.g. apache
and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
and ${UNPRIVILEGED_GROUP}.
(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
Drupal 5.1, 2007-01-29
----------------------
- fixed security issue (code execution), see SA-2007-005
- fixed a variety of small bugs.
Drupal 5.0, 2007-01-15
------------------------
- completely retooled the administration page
* /admin now contains an administration page which may be themed
* reorganised administration menu items by task and by module
* added a status report page with detailed PHP/MySQL/Drupal information
- added web-based installer which can:
* check installation and run-time requirements
* automatically generate the database configuration file
* install pre-made 'install profiles' or distributions
* import the database structure with automatic table prefixing
* be localized
- added new default Garland theme
- added color module to change some themes' color schemes
- included the jQuery JavaScript library 1.0.4 and converted all core JavaScript
to use it
- introduced the ability to alter mail sent from system
- module system:
* added .info files for module meta-data
* added support for module dependencies
* improved module installation screen
* moved core modules to their own directories
* added support for module uninstalling
- added support for different cache backends
- added support for a generic "sites/all" directory.
- usability:
* added support for auto-complete forms (AJAX) to user profiles.
* made it possible to instantly assign roles to newly created user accounts.
* improved configurability of the contact forms.
* reorganized the settings pages.
* made it easy to investigate popular search terms.
* added a 'select all' checkbox and a range select feature to administration
tables.
* simplified the 'break' tag to split teasers from body.
* use proper capitalization for titles, menu items and operations.
- integrated urlfilter.module into filter.module
- block system:
* extended the block visibility settings with a role specific setting.
* made it possible to customize all block titles.
- poll module:
* optionally allow people to inspect all votes.
* optionally allow people to cancel their vote.
- distributed authentication:
* added default server option.
- added default robots.txt to control crawlers.
- database API:
* added db_table_exists().
- blogapi module:
* 'blogapi new' and 'blogapi edit' nodeapi operations.
- user module:
* added hook_profile_alter().
* e-mail verification is made optional.
* added mass editing and filtering on admin/user/user.
- PHP Template engine:
* add the ability to look for a series of suggested templates.
* look for page templates based upon the path.
* look for block templates based upon the region, module, and delta.
- content system:
* made it easier for node access modules to work well with each other.
* added configurable content types.
* changed node rendering to work with structured arrays.
- performance:
* improved session handling: reduces database overhead.
* improved access checking: reduces database overhead.
* made it possible to do memcached based session management.
* omit sidebars when serving a '404 - Page not found': saves CPU cycles and
bandwidth.
* added an 'aggressive' caching policy.
* added a CSS aggregator and compressor (up to 40% faster page loads).
- removed the archive module.
- upgrade system:
* created space for update branches.
- forms API:
* made it possible to programmatically submit forms.
* improved api for multistep forms.
- theme system:
* split up and removed drupal.css.
* added nested lists generation.
* added a self-clearing block class.
all PEAR packages to php?-pear-* and all Apache packages to ap13-* or
ap2-* respectively. Add new variables to simplify the Makefile
handling. Add CONFLICTS on the old names. Reset revisions of bumped
packages. ap-php will now depend on the default Apache and PHP version.
All programs using it have an implicit option of the Apache version
as well.
OK from jlam@ and adrianp@.
For a full list of changes see: http://drupal.org/drupal-4.7.0
In short:
- Updated Documentation for All Modules
- Auto-complete Fields(AJAX)
- Added Mass Comment Operations
- Easier to Make Menu Items
- RSS Feed Settings
- Better Search Index
- New Forms API
Drupal is software that allows an individual or a community of users to easily
publish, manage and organize a great variety of content on a website. Tens of
thousands of people and organizations have used Drupal to set up scores of
different kinds of web sites, including
* community web portals and discussion sites
* corporate web sites/intranet portals
* personal web sites
* aficionado sites
* e-commerce applications
* resource directories
Drupal includes features to enable:
* content management systems
* blogs
* collaborative authoring environments
* forums
* newsletters
* picture galleries
* file uploads and download
