* SA-2007-031 - Drupal core - SQL Injection possible when certain contributed modules are enabled
In addition to this security vulnerability, the following bugs have been fixed since the 5.2 release:
* 178478 by scor: typo in text displayed when the DB is installed but not accessible
* Patch 122759 by Robrecht: fixed broken query in upgrade path.
* 55277 by catch and JirkaRybka: when flat comment view is used, order comments by cid (ie. original submission order) instead of timestamp (ie. last editing time order) to avoid comments jumping around when being edited
* Patch 181063 by chx and bjaspan: fixed problem with drupal_bootstrap() not booting to the proper level.
* 184668 by hazexp: remove unnecessary ';'
* Patch 182728 by Darren Oh: improved PHPdoc of db_rewrite_sql().
* 93425 by bjaspan: remove pre-Drupal 4.6 era destination handling cruft carried over in comment module
* 154388 (backport of 172262) by JirkaRybka: better globals handling in install system, so the chosen profile and language are remembered.
* 171117 by JirkaRybka: set access time for admin created or edited accounts so they are exempt from the spam protection we have for accounts never logged in
* Patch 168829 by Neil Drumm: fixed link in documentation.
* 165924 by odious. Use accurate count query for user list.
* 187601 by Bart Jansens. Use correct HTTP status codes for redirects.
* 180109 by JirkaRybka: overcome browser quirk to detect when no taxonomy term was selected
* 134984 by mikesmullin. Fix x2 coordinate for rendering gradients.
Changes in 2.2.4 :
- Fix crash in fileview
- Added patch from Rafel Milecki to add file selection in the coldmilk webgui
- Added patch from Rafel Milecki to add a confirmation dialog when the user shuts down KT in the default webgui
- Fixed bug which caused the set max rate menu in the system tray icon menu to fail in recent KDE versions
- Optimized SHA1HashGen a bit
- Use Qt int types to be sure size is correct
- Do not stop ONLY_SEED chunks, but let them finish
Changes in 2.2.3 :
- Fix datacheck of 4GB+ files on 32 bit systems
- Prioritise at least 1 % of multimedia files instead of 1 chunk
- Fix crashes caused by SIGXFSZ (BUG: 149747)
- Make sure body tag is OK in 404 and 500 error defines in webgui (BUG: 150023)
- Fix bug which allows clients to trick KT in enabling PEX on private torrents
- If "do not use KDE proxy" is enabled and no alternative proxy is set, make sure we use no proxy at all for HTTP tracker connections. (BUG: 150284)
- Removed slashes which prevent opening torrents to work in ktshell
- Fix broken preexisting file check, which can result in files being deleted when the user deselects them and they already exist. (BUG: 150563)
- When stop all and start all is pressed, make sure that start and stop buttons are updated properly (BUG: 149549)
- Make URL of tracker selectable in tracker tab
- Fix issue with speed calculating, causing the displayed speed to grow enormously
- Updated Peer ID list with more clients
- Fix crash when trying to download an empty link with the RSS plugin (BUG: 150879)
- Fix crash at exit when the RSS plugin was loaded
- Make TrayHoverPopup disappear faster (BUG: 148243)
- Sort IP addresses by their actual value and not by their string representation (BUG: 150328)
- Added patch from Jaak Ristioja, which updates the FileView in a separate thread.
- Make sure only the files of a torrent are moved when the data directory is changed.
- Make sure window is not hidden when hidden_on_exit is true and the system tray icon is not enabled
- Added patch from Stefan Monov to hide the menubar (BUG: 151450)
- Fix crash at exit (BUG: 149827)
- Added patch from The_Kernel, which allows you to change file priorities in the webgui
- Backported fix for refresh bug from KDE4 version
- Added option to limit the number of outgoing connection setups, so that people can limit the number of TCP connections in SYN_SENT state, should their router not be able to handle too many
- Replaced TOS setting by DSCP setting
- Added several patches from Rafael Mileki which fix and improve some things in the webgui
- Change buttons in recreate popup to Recreate and Do Not Recreate (BUG: 151805)
- Added patch from Lukasz Fibinger which adds a filter bar to search for torrents
- Make sure that day and month names are not translated in HTTP headers.
Changes in 2.2.2 :
- Several minor bugfixes
version 20071205.
Fix the bug where multiple targets appeared as one. With huge thanks to
Greg Oster for his work in squashing this one.
Module Name: src
Committed By: oster
Date: Tue Dec 4 16:25:37 UTC 2007
Modified Files:
src/dist/iscsi/src: disk.c
Log Message:
Set "lun = sess->d" early on (but not too early), and allow multiple
targets to now work correctly. XXX: This will need to be re-visited
at some point, and fixed properly.
Commit requested by: agc
To generate a diff of this commit:
cvs rdiff -r1.34 -r1.35 src/dist/iscsi/src/disk.c
Also, the initiator has been modified to attach to multiple targets,
again thanks to Greg Oster.
Module Name: src
Committed By: oster
Date: Tue Dec 4 16:22:39 UTC 2007
Modified Files:
src/share/examples/refuse/iscsi-initiator: iscsifs.c
Log Message:
Add a '-D' option to allow "Discovery" of the targets provided by a host.
Initial support for multiple targets from the same host.
Base 'MaxTargets' on a #define, rather than hard-coding.
Reviewed by: agc
NOTE: includes a critical bug fix in the attachment handling
- Enabled user selection of address format when adding from address
book during message composition.
- Fixed issue with adding attachments in PHP 4.x environments (#1805471).
- Backport size setting on "newmail" popup window.
- Added a "short_open_tag" configuration test.
- Undefined notice in error message box when no default folder prefix is set.
- Undefined index error when downloading. Possibly caused by using tabs and
opening multiple mailboxes.
- PAGE_NAME might not be defined in all plugins, which might cause a
"not defined" error on session timeouts.
- Fixed outgoing messages to allow addresses such as "0@..." or "000@...",
etc. (#1818398).
- Fixed issue with in-reply-to and reference headers not being retained on
reply (#1810659).
- Revived logout_error hook (#1800015).
- Allow custom session handlers to work correctly (and be defined at the
application level with SquirrelMail).
- Fix off-by-one in bodystructure parsing triggered by servers sending
a body location part (e.g. Sun Java System Messaging Server). Thanks
John Callahan (#1808382).
- Invalid initialization of To: header (#1772893).
- Includes cleanup in include/validate.php.
- Cleanup in multiple files to remove unneeded includes.
- Added sort by size (#812233 and #159997, plus multiple list requests).
Patch provided by Christopher E. Brown.
- Fix bug in sitewide SMTP settings still using authenticated user, rather
than configured settings (#1835942).
- Fixed mailto: functionality.
- Added mailto: link handling when viewing messages.
- Handle PHP's insistence on setting the value to 'deleted' for destroyed
sessions.
Major changes since Sudo 1.6.9p8:
o The ALL command in sudoers now implies SETENV permissions.
o The command search is now performed using the target user's
auxiliary group vector, not just the target's primary group.
o When determining if the PAM prompt is the default "Password: ",
compare the localized version if possible.
o New passprompt_override option in sudoers to cause sudo's prompt
to be used in all cases. Also set when the -p flag is used.
Remove patch -- make changes using SUBST_SED framework.
Add imagemagick as an option (not on by default).
Add perl:run for USE_TOOLS.
Add another script to REPLACE_PERL.
Get rid of most of post-install target and let the ikiwiki Makefile
do the installation.
Too many changes from CHANGELOG to list. Here are the most recent:
ikiwiki (2.15) unstable; urgency=low
* Add a new ikiwiki-makerepo program, that automates setting up a repo
and importing existing content for svn, git, and mercurial. This makes
the setup process much simpler.
* Reorganised git documentation.
* Actually install the ikiwiki-update-wikilist program.
* Improve workaround for perl bug #376329. Rather than double-encoding,
which has been reported to cause encoding problems (though I haven't
reproduced them), just catch a failure of markdown, and retry.
(The crazy perl bug magically disappears on the retry.)
Closes: #449379
* Add umask configuration option. Closes: #443329
-- Joey Hess <joeyh@debian.org> Sat, 01 Dec 2007 11:44:01 -0500
ikiwiki (2.14) unstable; urgency=high
* Let CC be used to control what compiler is used to build wrappers.
* Use 'cc' instead of gcc as the default compiler.
* Security fix: Ensure that there are no symlinks anywhere in the path
to the top of the srcdir. In certain unusual configurations, an attacker
who could commit to one of the parent directories of the srcdir could
use a symlink attack to cause ikiwiki to publish files elsewhere in the
filesystem. More details at <http://ikiwiki.info/security/#index29h2>
-- Joey Hess <joeyh@debian.org> Mon, 26 Nov 2007 15:26:06 -0500
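The check the 2.14 entry describes, walking every component of the srcdir path and refusing to proceed if any of them is a symlink, as an added Python illustration (not ikiwiki's own Perl code); the `symlink_free_path` and `demo` names and the temporary directory layout are assumptions made for this example:

```python
import os
import shutil
import tempfile


def symlink_free_path(path: str) -> bool:
    """Return True only if no component of the absolute path is a symlink.

    Checking each prefix (/a, /a/b, /a/b/c, ...) rather than just the leaf
    catches a symlink planted in any parent directory of the srcdir.
    """
    abspath = os.path.abspath(path)
    current = os.sep
    for part in abspath.split(os.sep):
        if not part:
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            return False
    return True


def demo() -> dict:
    """Constructed layout: a real srcdir and a symlink pointing at it.

    Uses realpath() on the temp base so that platform-level symlinks
    (e.g. /tmp -> /private/tmp on macOS) do not affect the result.
    """
    base = os.path.realpath(tempfile.mkdtemp())
    try:
        real_dir = os.path.join(base, "srcdir")
        os.mkdir(real_dir)
        link = os.path.join(base, "srcdir-link")
        os.symlink(real_dir, link)
        return {
            "real": symlink_free_path(os.path.join(real_dir, "index.mdwn")),
            "via_link": symlink_free_path(os.path.join(link, "index.mdwn")),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```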
Add apache SVN revision 574884 to fix garbage characters in Server header
http://issues.apache.org/bugzilla/show_bug.cgi?id=43334
When it hits, this issue can completely screw up returned pages if the
Server header gets embedded newlines.