@@ -1,3 +1,702 @@
+Drupal 7.73, 2020-09-16
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2020-007
+
+Drupal 7.72, 2020-06-17
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2020-004
+
+Drupal 7.71, 2020-06-03
+-----------------------
+- Fix for jQuery Form bug in Chromium-based browsers
+- Full support for PHP 7.4
+
+Drupal 7.70, 2020-05-19
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2020-002
+ - SA-CORE-2020-003
+
+Drupal 7.69, 2019-12-18
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2019-012
+
+Drupal 7.68, 2019-12-04
+-----------------------
+- Fixed: Hide toolbar when printing
+- Fixed: Settings returned via ajax are not run through hook_js_alter()
+- Fixed: Use drupal_http_build_query() in drupal_http_request()
+- Fixed: DrupalRequestSanitizer not found fatal error when bootstrap phase order is changed
+- Fixed: Block web.config in .htaccess (and vice-versa)
+- Fixed: Create "scripts" element to align rendering workflow to how "styles" are handled
+- PHP 7.3: Fixed 'Cannot change session id when session is active'
+- PHP 7.1: Fixed 'A non-numeric value encountered in theme_pager()'
+- PHP 7.x: Fixed file.inc generated .htaccess does not cover PHP 7
+- PHP 5.3: Fixed check_plain() 'Invalid multibyte sequence in argument' test failures
+- Fixed: Allow passing data as array to drupal_http_request()
+- Fixed: Skip module_invoke/module_hook in calling hook_watchdog (excessive function_exist)
+- Fixed: HTTP status 200 returned for 'Additional uncaught exception thrown while handling exception'
+- Fixed: theme_table() should take an optional footer variable and produce <tfoot>
+- Fixed: 'uasort() expects parameter 1 to be array, null given in node_view_multiple()'
+- [regression] Fix default.settings.php permission
+
+Drupal 7.67, 2019-05-08
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2019-007
+
+Drupal 7.66, 2019-04-17
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2019-006
+
+Drupal 7.65, 2019-03-20
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2019-004
+
+Drupal 7.64, 2019-02-06
+-----------------------
+- [regression] Unset the 'host' header in drupal_http_request() during redirect
+- Fixed: 7.x does not have Phar protection and Phar tests are failing on Drupal 7
+- Fixed: Notice: Undefined index: display_field in file_field_widget_value() (line 582 of /module/file/file.field.inc)
+- Performance improvement: Registry rebuild should not parse the same file twice in the same request
+- Fixed _registry_update() to clear caches after transaction is committed
+
+Drupal 7.63, 2019-01-16
+-----------------------
+- Fixed a fatal error for some Drush users introduced by SA-CORE-2019-002.
+
+Drupal 7.62, 2019-01-15
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2019-001
+ - SA-CORE-2019-002
+
+Drupal 7.61, 2018-11-07
+-----------------------
+- File upload validation functions and hook_file_validate() implementations are
+ now always passed the correct file URI.
+- The default form cache expiration of 6 hours is now configurable (API
+ addition: https://www.drupal.org/node/2857751).
+- Allowed callers of drupal_http_request() to optionally specify an explicit
+ Host header.
+- Allowed the + character to appear in usernames.
+- PHP 7.2: Fixed Archive_Tar incompatibility.
+- PHP 7.2: Removed deprecated function each().
+- PHP 7.2: Avoid count() calls on uncountable variables.
+- PHP 7.2: Removed deprecated create_function() call.
+- PHP 7.2: Make sure variables are arrays in theme_links().
+- Fixed theme-settings.php not being loaded on cached forms
+- Fixed problem with IE11 & Chrome(PointerEvents enabled) & some Firefox scroll to the top of the page after dragging the bottom item with jquery 1.5 <-> 1.11
+
+Drupal 7.60, 2018-10-18
+------------------------
+- Fixed security issues. See SA-CORE-2018-006.
+
+Drupal 7.59, 2018-04-25
+-----------------------
+- Fixed security issues (remote code execution). See SA-CORE-2018-004.
+
+Drupal 7.58, 2018-03-28
+-----------------------
+- Fixed security issues (remote code execution). See SA-CORE-2018-002.
+
+Drupal 7.57, 2018-02-21
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.
+
+Drupal 7.56, 2017-06-21
+-----------------------
+- Fixed security issues (access bypass). See SA-CORE-2017-003.
+
+Drupal 7.55, 2017-06-07
+-----------------------
+- Fixed incompatibility with PHP versions 7.0.19 and 7.1.5 due to duplicate
+ DATE_RFC7231 definition.
+- Made Drupal core pass all automated tests on PHP 7.1.
+- Allowed services such as Let's Encrypt to work with Drupal on Apache, by
+ making Drupal's .htaccess file allow access to the .well-known directory
+ defined by RFC 5785.
+- Made new Drupal sites work correctly on Apache 2.4 when the mod_access_compat
+ Apache module is disabled.
+- Fixed Drupal's URL-generating functions to always encode '[' and ']' so that
+ the URLs will pass HTML5 validation.
+- Various additional bug fixes.
+- Various API documentation improvements.
+- Additional automated test coverage.
+
+Drupal 7.54, 2017-02-01
+-----------------------
+- Modules are now able to define theme engines (API addition:
+ https://www.drupal.org/node/2826480).
+- Logging of searches can now be disabled (new option in the administrative
+ interface).
+- Added menu tree render structure to (pre-)process hooks for theme_menu_tree()
+ (API addition: https://www.drupal.org/node/2827134).
+- Added new function for determining whether an HTTPS request is being served
+ (API addition: https://www.drupal.org/node/2824590).
+- Fixed incorrect default value for short and medium date formats on the date
+ type configuration page.
+- File validation error message is now removed after subsequent upload of valid
+ file.
+- Numerous bug fixes.
+- Numerous API documentation improvements.
+- Additional performance improvements.
+- Additional automated test coverage.
+
+Drupal 7.53, 2016-12-07
+-----------------------
+- Fixed drag and drop support on newer Chrome/IE 11+ versions after 7.51 update
+ when jQuery is updated to 1.7-1.11.0.
+
+Drupal 7.52, 2016-11-16
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2016-005.
+
+Drupal 7.51, 2016-10-05
+-----------------------
+- The Update module now also checks for updates to a disabled theme that is
+ used as an admin theme.
+- Exceptions thrown in dblog_watchdog() are now caught and ignored.
+- Clarified the warning that appears when modules are missing or have moved.
+- Log messages are now XSS filtered on display.
+- Draggable tables now work on touch screen devices.
+- Added a setting for allowing double underscores in CSS identifiers
+ (https://www.drupal.org/node/2810369).
+- If a user navigates away from a page while an Ajax request is running they
+ will no longer get an error message saying "An Ajax HTTP request terminated
+ abnormally".
+- The system_region_list() API function now takes an optional third parameter
+ which allows region name translations to be skipped when they are not needed
+ (API addition: https://www.drupal.org/node/2810365).
+- Numerous performance improvements.
+- Numerous bug fixes.
+- Numerous API documentation improvements.
+- Additional automated test coverage.
+
+Drupal 7.50, 2016-07-07
+-----------------------
+- Added a new "administer fields" permission for trusted users, which is
+ required in addition to other permissions to use the field UI
+ (https://www.drupal.org/node/2483307).
+- Added clickjacking protection to Drupal core by setting the X-Frame-Options
+ header to SAMEORIGIN by default (https://www.drupal.org/node/2735873).
+- Added support for full UTF-8 (emojis, Asian symbols, mathematical symbols) on
+ MySQL and other database drivers when the site and database are configured to
+ allow it (https://www.drupal.org/node/2761183).
+- Improved performance by avoiding a re-scan of directories when a file is
+ missing; instead, trigger a PHP warning (minor API change:
+ https://www.drupal.org/node/2581445).
+- Made it possible to use any PHP callable in Ajax form callbacks, form API
+ form-building functions, and form API wrapper callbacks (API addition:
+ https://www.drupal.org/node/2761169).
+- Fixed that following a password reset link while logged in leaves users unable
+ to change their password (minor user interface change:
+ https://www.drupal.org/node/2759023).
+- Implemented various fixes for automated test failures on PHP 5.4+ and PHP 7.
+ Drupal core automated tests now pass in these environments.
+- Improved support for PHP 7 by fixing various problems.
+- Fixed various bugs with PHP 5.5+ imagerotate(), including when incorrect
+ color indices are passed in.
+- Fixed a regression introduced in Drupal 7.43 that allowed files uploaded by
+ anonymous users to be lost after form validation errors, and that also caused
+ regressions with certain contributed modules.
+- Fixed a regression introduced in Drupal 7.36 which caused the default value
+ of hidden textarea fields to be ignored.
+- Fixed robots.txt to allow search engines to access CSS, JavaScript and image
+ files.
+- Changed wording on the Update Manager settings page to clarify that the
+ option to check for disabled module updates also applies to uninstalled
+ modules (administrative-facing translatable string change).
+- Changed the help text when editing menu links and configuring URL redirect
+ actions so that it does not reference "Drupal" or the drupal.org website
+ (administrative-facing translatable string change).
+- Fixed the locale safety check that is used to ensure that translations are
+ safe to allow for tokens in the href/src attributes of translated strings.
+- Fixed that URL generation only works on port 80 when using domain based
+ language negotation.
+- Made method="get" forms work inside the administrative overlay. The fix adds
+ a new hidden field to these forms when they appear inside the overlay (minor
+ data structure change).
+- Increased maxlength of menu link title input fields in the node form and
+ menu link form from 128 to 255 characters.
+- Removed meaningless post-check=0 and pre-check=0 cache control headers from
+ Drupal HTTP responses.
+- Added a .editorconfig file to auto-configure editors that support it.
+- Added --directory option to run-tests.sh for easier test discovery of all
+ tests within a project.
+- Made run-tests.sh exit with a failure code when there are test fails or
+ problems running the script.
+- Fixed that cookies from previous tests are still present when a new test
+ starts in DrupalWebTestCase.
+- Improved performance of queries on the {authmap} database table.
+- Fixed handling of missing files and functions inside the registry.
+- Fixed Ajax handling for tableselect form elements that use checkboxes.
+- Fixed a bug which caused ip_address() to return nothing when the client IP
+ address and proxy IP address are the same.
+- Added a new option to format_xml_elements() to allow for already encoded
+ values.
+- Changed the {history} table's node ID field to be an unsigned integer, to
+ match the same field in the {node} table and to prevent errors with very
+ large node IDs.
+- Added an explicit page callback to the "admin/people/create" menu item in the
+ User module (minor data structure change). Previously this automatically
+ inherited the page callback from the parent "admin/people" menu item, which
+ broke contributed modules that override the "admin/people" page.
+- Numerous small bug fixes.
+- Numerous API documentation improvements.
+- Additional automated test coverage.
+
+Drupal 7.44, 2016-06-15
+-----------------------
+- Fixed security issues (privilege escalation). See SA-CORE-2016-002.
+
+Drupal 7.43, 2016-02-24
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2016-001.
+
+Drupal 7.42, 2016-02-03
+-----------------------
+- Stopped invoking hook_flush_caches() on every cron run, since some modules
+ use that hook for expensive operations that are only needed on cache clears.
+- Changed the default .htaccess and web.config to block Composer-related files.
+- Added static caching to module_load_include() to improve performance.
+- Fixed double-encoding bugs in select field widgets provided by the Options
+ module. The fix deprecates the 'strip_tags' property on option widgets and
+ replaces it with a new 'strip_tags_and_unescape' property (minor data
+ structure change).
+- Improved MySQL 5.7 support by changing the MySQL database driver to stop
+ using the ANSI SQL mode alias, which has different meanings for different
+ MySQL versions.
+- Fixed a regression introduced in Drupal 7.39 which prevented autocomplete
+ functionality from working on servers that are not configured to
+ automatically recognize index.php.
+- Updated the Archive_Tar PEAR package to the latest 1.4.0 release, to fix bugs
+ with tar file handling on various operating systems.
+- Fixed fatal errors on node preview when a field is displayed in the node
+ teaser but hidden in the full node view. The fix removes a
+ field_attach_prepare_view() call from the node_preview() function since it is
+ redundant with one in the node preview theme layer.
+- Improved the description of the "Trimmed" format option on text fields
+ (translatable string change, and minor UI and data structure change).
+- Numerous small bug fixes.
+- Numerous API documentation improvements.
+- Additional automated test coverage.
+
+Drupal 7.41, 2015-10-21
+-----------------------
+- Fixed security issues (open redirect). See SA-CORE-2015-004.
+
+Drupal 7.40, 2015-10-14
+-----------------------
+- Made Drupal's code for parsing .info files run much faster and use much less
+ memory.
+- Prevented drupal_http_request() from returning an error when it receives a
+ 201 through 206 HTTP status code.
+- Added support for autoloading traits via the registry on sites running PHP
+ 5.4 or higher.
+- Allowed the user-picture.tpl.php theme template to have HTML classes besides
+ the default "user-picture" class printed in it (markup change).
+- Fixed the URL text filter to convert e-mail addresses with plus signs into
+ mailto: links.
+- Added alternate text to file icons displayed by the File module, to improve
+ accessibility (string change, and minor API addition to theme_file_icon()).
+- Changed one-time login link failure messages to be displayed as errors or
+ warnings as appropriate, rather than as regular status messages (minor UI
+ change and data structure change).
+- Changed the default settings.php configuration to exclude private files from
+ the "404_fast_paths" behavior.
+- Changed the page that displays filter tips for a particular text format, for
+ example filter/tips/full_html, to return "page not found" or "access denied"
+ if the format does not exist or the user does not have access to it. This
+ change adds a new menu item to the Filter module's hook_menu() entry (minor
+ data structure change).
+- Added a new hook, hook_block_cid_parts_alter(), to allow modules to alter the
+ cache keys used for caching a particular block.
+- Made drupal_set_message() display and return messages when "0" is passed in
+ as the message to set.
+- Fixed non-functional "Files displayed by default" setting on file fields.
+- The "worker callback" provided in hook_cron_queue_info() and the "finished"
+ callback specified during batch processing can now be any PHP callable
+ instead of just functions.
+- Prevented drupal_set_time_limit() from decreasing the time limit in the case
+ where the PHP maximum execution time is already unlimited.
+- Changed the default thousand marker for numeric fields from a space ("1 000")
+ to nothing ("1000") (minor UI change: https://www.drupal.org/node/1388376).
+- Prevented malformed theme .info files (without a "name" key) from causing
+ exceptions during menu rebuilds. If an .info file without a "name" key is
+ found in a module or theme directory, Drupal will now use the module or
+ theme's machine name as the display name instead.
+- Made the format column in the {date_format_locale} database table
+ case-sensitive, to match the equivalent column in the {date_formats} table.
+- Fixed a bug in the Statistics module that caused JavaScript files attached to
+ a node while it is being viewed to be omitted from the page.
+- Added an optional 'project:' prefix that can be added to dependencies in a
+ module's .info file to indicate which project the dependency resides in (API
+ addition: https://www.drupal.org/node/2299747).
+- Fixed various bugs that occurred after hooks were invoked early in the Drupal
+ bootstrap and that caused module_implements() and drupal_alter() to cache an
+ incomplete set of hook implementations for later use.
+- Set the X-Content-Type-Options header to "nosniff" when possible, to prevent
+ certain web browsers from picking an unsafe MIME type.
+- Prevented the database API from executing multiple queries at once on MySQL,
+ if the site's PHP version is new enough to do so. This is a secondary defense
+ against SQL injection (API change: https://www.drupal.org/node/2463973).
+- Fixed a bug in the Drupal 6 to Drupal 7 upgrade path which caused the upgrade
+ to fail when there were multiple file records pointing to the same file.
+- Numerous small bug fixes.
+- Numerous API documentation improvements.
+- Additional automated test coverage.
+
+Drupal 7.39, 2015-08-19
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-003.
+
+Drupal 7.38, 2015-06-17
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-002.
+
+Drupal 7.37, 2015-05-07
+-----------------------
+- Fixed a regression in Drupal 7.36 which caused certain kinds of content types
+ to become disabled if they were defined by a no-longer-enabled module.
+- Removed a confusing description regarding automatic time zone detection from
+ the user account form (minor UI and data structure change).
+- Allowed custom HTML tags with a dash in the name to pass through filter_xss()
+ when specified in the list of allowed tags.
+- Allowed hook_field_schema() implementations to specify indexes for fields
+ based on a fixed-length column prefix (rather than the entire column), as was
+ already allowed in hook_schema() implementations.
+- Fixed PDO exceptions on PostgreSQL when accessing invalid entity URLs.
+- Added a sites/all/libraries folder to the codebase, with instructions for
+ using it.
+- Added a description to the "Administer text formats and filters" permission
+ on the Permissions page (string change).
+- Numerous small bug fixes.
+- Numerous API documentation improvements.
+- Additional automated test coverage.
+
+Drupal 7.36, 2015-04-01
+-----------------------
+- Added a 'file_public_schema' variable which allows modules that define
+ publicly-accessible streams in hook_stream_wrappers() to bypass file download
+ access checks when processing managed file upload fields.
+- Fixed a bug that caused database query tags not to be added to search-related
+ database queries under many circumstances, and which prevented the
+ corresponding hook_query_TAG_alter() implementations from being called.
+- Fixed the "for" attribute on managed file upload field labels to improve
+ accessibility (minor markup change).
+- Added a 'javascript_always_use_jquery' variable which can be set to FALSE by
+ sites that may not need jQuery loaded on all pages, and a 'requires_jquery'
+ option to drupal_add_js() which modules can set to FALSE when adding
+ JavaScript files that have no dependency on jQuery (API addition:
+ https://www.drupal.org/node/2462717).
+- Fixed incorrect foreign keys in the User module's role_permission and
+ users_roles database tables.
+- Changed permission descriptions throughout Drupal core to consistently link
+ to relevant administrative pages, regardless of whether the user viewing the
+ Permissions page can view the page being linked to (minor UI change).
+- Fixed the drupal_add_region_content() function so that it actually adds
+ content to the page.
+- Added an 'image_suppress_itok_output' variable to allow sites already using
+ the existing 'image_allow_insecure_derivatives' variable to also prevent
+ security tokens from appearing in image derivative URLs.
+- Fixed double-escaping of theme names in the Block module administrative
+ interface (minor string change).
+- Added basic support for Xdebug when running automated tests.
+- Fixed a bug which caused previewing a node to remove elements from the node
+ being edited. With this fix, calling node_preview() will no longer modify the
+ passed-in node object (minor API change).
+- Added a user_has_role() function to check whether a user has a particular
+ role (API addition: https://www.drupal.org/node/2462411).
+- Fixed installation failures when an opcode cache is enabled.
+- Fixed a bug in the Drupal 6 to Drupal 7 upgrade path which caused private
+ files to be inaccessible.
+- Fixed a bug in the Drupal 6 to Drupal 7 upgrade path which caused user
+ pictures to be lost.
+- Fixed missing language code in hook_field_attach_view_alter() when it is
+ invoked from field_view_field().
+- Stopped sending ETag and Last-Modified headers for uncached page requests,
+ since they break caching for certain Varnish and Nginx configurations.
+- Changed the Simpletest module to allow PSR-4 test classes to be used in
+ Drupal 7.
+- Fixed a fatal error that occurred when using the Comment module's "Unpublish
+ comment containing keyword(s)" action.
+- Changed the "lang" attribute on language links to "xml:lang" so it validates
+ as XHTML (minor markup change).
+- Prevented the form API from allowing arrays to be submitted for various form
+ elements, such as textfields, textareas, and password fields (API change:
+ https://www.drupal.org/node/2462723).
+- Fixed a bug in the Contact module which caused the global user object to have
+ the incorrect name and e-mail address during the remainder of the page
+ request after the contact form is submitted.
+- Numerous small bug fixes.
+- Numerous API documentation improvements.
+- Additional automated test coverage.
+
+Drupal 7.35, 2015-03-18
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2015-001.
+
+Drupal 7.34, 2014-11-19
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2014-006.
+
+Drupal 7.33, 2014-11-07
+-----------------------
+- Began storing the file modification time of each module and theme in the
+ {system} database table so that contributed modules can use it to identify
+ recently changed modules and themes (minor data structure change to the
+ return value of system_get_info() and other related functions).
+- Added a "Did you mean?" feature to the run-tests.sh script for running
+ automated tests from the command line, to help developers who are attempting
+ to run a particular test class or group.
+- Changed the date format used in various HTTP headers output by Drupal core
+ from RFC 1123 format to RFC 7231 format.
+- Added a "block_cache_bypass_node_grants" variable to allow sites which have
+ node access modules enabled to use the block cache if desired (API addition).
+- Made image derivative generation HTTP requests return a 404 error (rather
+ than a 500 error) when the source image does not exist.
+- Fixed a bug which caused user pictures to be removed from the user object
+ after saving, and resulted in data loss if the user account was subsequently
+ re-saved.
+- Fixed a bug in which field_has_data() did not return TRUE for fields that
+ only had data in older entity revisions, leading to loss of the field's data
+ when the field configuration was edited.
+- Fixed a bug which caused the Ajax progress throbber to appear misaligned in
+ many situatons (minor styling change).
+- Prevented the Bartik theme from lower-casing the "Permalink" link on
+ comments, for improved multilingual support (minor UI change).
+- Added a "preferred_menu_links" tag to the database query that is used by
+ menu_link_get_preferred() to find the preferred menu link for a given path,
+ to make it easier to alter.
+- Increased the maximum allowed length of block titles to 255 characters
+ (database schema change to the {block} table).
+- Removed the Field module's field_modules_uninstalled() function, since it did
+ not do anything when it was invoked.
+- Added a "theme_hook_original" variable to templates and theme functions and
+ an optional sitewide theme debug mode, to provide contextual information in
+ the page's HTML to theme developers. The theme debug mode is based on the one
+ used with Twig in Drupal 8 and can be accessed by setting the "theme_debug"
+ variable to TRUE (API addition).
+- Added an entity_view_mode_prepare() API function to allow entity-defining
+ modules to properly invoke hook_entity_view_mode_alter(), and used it
+ throughout Drupal core to fix bugs with the invocation of that hook (API
+ change: https://www.drupal.org/node/2369141).
+- Security improvement: Made the database API's orderBy() method sanitize the
+ sort direction ("ASC" or "DESC") for queries built with db_select(), so that
+ calling code does not have to.
+- Changed the RDF module to consistently output RDF metadata for nodes and
+ comments near where the node is rendered in the HTML (minor markup and data
+ structure change).
+- Added an HTML class to RDFa metatags throughout Drupal to prevent them from
+ accidentally affecting the site appearance (minor markup change).
+- Fixed a bug in the Unicode requirements check which prevented installing
+ Drupal on PHP 5.6.
+- Fixed a bug which caused drupal_get_bootstrap_phase() to abort the bootstrap
+ when called early in the page request.
+- Renamed the "Search result" view mode to "Search result highlighting input"
+ to better reflect how it is used (UI change).
+- Improved database queries generated by EntityFieldQuery in the case where
+ delta or language condition groups are used, to reduce the number of INNER
+ JOINs (this is a minor data structure change affecting code which implements
+ hook_query_alter() on these queries).
+- Removed special-case behavior for file uploads which allowed user #1 to
+ bypass maximum file size and user quota limits.
+- Numerous small bug fixes.
+- Numerous API documentation improvements.
+- Additional automated test coverage.
+
+Drupal 7.32, 2014-10-15
+-----------------------
+- Fixed security issues (SQL injection). See SA-CORE-2014-005.
+
+Drupal 7.31, 2014-08-06
+-----------------------
+- Fixed security issues (denial of service). See SA-CORE-2014-004.
+
+Drupal 7.30, 2014-07-24
+-----------------------
+- Fixed a regression introduced in Drupal 7.29 that caused files or images
+ attached to taxonomy terms to be deleted when the taxonomy term was edited
+ and resaved (and other related bugs with contributed and custom modules).
+- Added a warning on the permissions page to recommend restricting access to
+ the "View site reports" permission to trusted administrators. See
+ DRUPAL-PSA-2014-002.
+- Numerous API documentation improvements.
+- Additional automated test coverage.
+
+Drupal 7.29, 2014-07-16
+-----------------------
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2014-003.
+
+Drupal 7.28, 2014-05-08
+-----------------------
+- Fixed a regression introduced in Drupal 7.27 that caused JavaScript to break
+ on older browsers (such as Internet Explorer 8 and earlier) when Ajax was
+ used.
+- Increased the timeout used by the Update Manager module when it fetches data
+ from drupal.org (from 5 seconds to 30 seconds), to work around a problem
+ which causes incomplete information about security updates to be presented to
+ site administrators. This fix may lead to a performance slowdown on the
+ Update Manager administration pages, when installing Drupal distributions,
+ and (for sites that use the automated cron feature) on occasional page loads
+ by site visitors.
+- Fixed the behavior of the token system's "[node:summary]" token when the body
+ field does not have a manual summary.
+- Changed the behavior of db_query_temporary() so that it works on SELECT
+ queries even when they have leading comments/whitespace. A side effect of
+ this fix is that db_query_temporary() will now fail with an error if it is
+ ever used on non-SELECT queries.
+- Added a "node_admin_filter" tag to the database query used to build the list
+ of nodes on the content administration page, to make it easier to alter.
+- Made the cron queue system log any exceptions that are thrown while an item
|
|
|
+ in the queue is being processed, rather than stopping the entire PHP request.
|
|
|
+- Improved screen reader support by adding an aria-live HTML attribute to file
|
|
|
+ upload fields when there is an error uploading the file (minor markup
|
|
|
+ change).
|
|
|
+- Made the pager on the Tracker module listing pages show the same number of
|
|
|
+ items as other pagers throughout Drupal core (minor UI change).
|
|
|
+- Fixed a bug which caused caches not to be properly cleared when a file entity
|
|
|
+ was saved or deleted.
|
|
|
+- Added several missing countries to the default list returned by
|
|
|
+ country_get_list() (string change).
|
|
|
+- Replaced the term "weight" with "influence" in the content ranking settings
|
|
|
+ for search, and added help text for administrators (string change).
|
|
|
+- Fixed untranslatable text strings in the administrative interface for the
|
|
|
+ "Crop" effect provided by the Image module (minor string change).
|
|
|
+- Fixed a bug in the Taxonomy module update function introduced in Drupal 7.26
|
|
|
+ that caused memory and CPU problems on sites with very large numbers of
|
|
|
+ unpublished nodes.
|
|
|
+- Numerous small bug fixes.
|
|
|
+- Numerous API documentation improvements.
|
|
|
+- Additional automated test coverage.
|
|
|
+
|
|
|
+Drupal 7.27, 2014-04-16
|
|
|
+-----------------------
|
|
|
+- Fixed security issues (information disclosure). See SA-CORE-2014-002.
|
|
|
+
|
|
|
+Drupal 7.26, 2014-01-15
|
|
|
+-----------------------
|
|
|
+- Fixed security issues (multiple vulnerabilities). See SA-CORE-2014-001.
|
|
|
+
|
|
|
+Drupal 7.25, 2014-01-02
|
|
|
+-----------------------
|
|
|
+- Fixed a bug in node_save() which prevented the saved node from being updated
|
|
|
+ in hook_node_insert() and other similar hooks.
|
|
|
+- Added a meta tag to install.php to prevent it from being indexed by search
|
|
|
+ engines even when Drupal is installed in a subfolder (minor markup change).
|
|
|
+- Fixed a bug in the database API that caused frequent deadlock errors when
|
|
|
+ running merge queries on some servers.
|
|
|
+- Performance improvement: Prevented block rehashing from writing blocks to the
|
|
|
+ database on every cache clear and cron run when the blocks have not changed.
|
|
|
+ This fix results in an extra 'saved' key which is added and set to TRUE for
|
|
|
+ each block returned by _block_rehash() that actually is saved to the database
|
|
|
+ (data structure change).
|
|
|
+- Added an optional 'skip on cron' parameter to hook_cron_queue_info() to allow
|
|
|
+ queues to avoid being automatically processed on cron runs (API addition).
|
|
|
+- Fixed a bug which caused hook_block_view_MODULE_DELTA_alter() to never be
|
|
|
+ invoked if the block delta had a hyphen in it. To implement the hook when the
|
|
|
+ block delta has a hyphen, modules should now replace hyphens with underscores
|
|
|
+ when constructing the function name for the hook implementation.
|
|
|
+- Fixed a bug which caused cached pages to sometimes be sent to the browser
|
|
|
+ with incorrect compression. The fix adds a new 'page_compressed' key to the
|
|
|
+ $cache->data array returned by drupal_page_get_cache() (minor data structure
|
|
|
+ change).
|
|
|
+- Fixed broken tests on PHP 5.5.
|
|
|
+- Made the File and Image modules more robust when saving entities that have
|
|
|
+ deleted files attached. The code in file_field_presave() will now remove the
|
|
|
+ record of the deleted file from the entity before saving (minor data
|
|
|
+ structure change).
|
|
|
+- Standardized menu callback functions throughout Drupal core to return
|
|
|
+ MENU_NOT_FOUND and MENU_ACCESS_DENIED rather than printing their own "page
|
|
|
+ not found" or "access denied" pages (minor API change in the return value of
|
|
|
+ these functions under some circumstances).
|
|
|
+- Fixed a bug in which caches were not properly cleared when a node was deleted
|
|
|
+ via the administrative interface.
|
|
|
+- Changed the Bartik theme to render content contained in <pre>, <code> and
|
|
|
+ similar tags in a larger font size, so it is easier to read.
|
|
|
+- Fixed a bug in the Search module that caused exceptions to be thrown during
|
|
|
+ searches if the server was not configured to represent decimal points as a
|
|
|
+ period.
|
|
|
+- Fixed a regression in the Image module that made image_style_url() not work
|
|
|
+ when a relative path (rather than a complete file URI) was passed to it.
|
|
|
+- Added an optional feature to the Statistics module to allow node views to be
|
|
|
+ tracked by Ajax requests rather than during the server-side generation of the
|
|
|
+ page. This allows the node counter to work on sites that use external page
|
|
|
+ caches (string change and new administrative option:
|
|
|
+ https://drupal.org/node/2164069).
|
|
|
+- Added a link to the drupal.org documentation page for cron to the Cron
|
|
|
+ settings page (string change).
|
|
|
+- Added a 'drupal_anonymous_user_object' variable to allow the anonymous user
|
|
|
+ object returned by drupal_anonymous_user() to be overridden with a classed
|
|
|
+ object (API addition).
|
|
|
+- Changed the database API to allow inserts based on a SELECT * query to work
|
|
|
+ correctly.
|
|
|
+- Changed the database schema of the {file_managed} table to allow Drupal to
|
|
|
+ manage files larger than 4 GB.
|
|
|
+- Changed the File module's hook_field_load() implementation to prevent file
|
|
|
+ entity properties which have the same name as file or image field properties
|
|
|
+ from overwriting the field properties (minor API change).
|
|
|
+- Numerous small bug fixes.
|
|
|
+- Numerous API documentation improvements.
|
|
|
+- Additional automated test coverage.
|
|
|
+
|
|
|
+Drupal 7.24, 2013-11-20
|
|
|
+-----------------------
|
|
|
+- Fixed security issues (multiple vulnerabilities), see SA-CORE-2013-003.
|
|
|
+
|
|
|
+Drupal 7.23, 2013-08-07
|
|
|
+-----------------------
|
|
|
+- Fixed a fatal error on PostgreSQL databases when updating the Taxonomy module
|
|
|
+ from Drupal 6 to Drupal 7.
|
|
|
+- Fixed the default ordering of CSS files for sites using right-to-left
|
|
|
+ languages, to consistently place the right-to-left override file immediately
|
|
|
+ after the CSS it is overriding (API change: https://drupal.org/node/2058463).
|
|
|
+- Added a drupal_check_memory_limit() API function to allow the memory limit to
|
|
|
+ be checked consistently (API addition).
|
|
|
+- Changed the default web.config file for IIS servers to allow favicon.ico
|
|
|
+ files which are present in the filesystem to be accessed.
|
|
|
+- Fixed inconsistent support for the 'tel' protocol in Drupal's URL filtering
|
|
|
+ functions.
|
|
|
+- Performance improvement: Allowed all hooks to be included in the
|
|
|
+ module_implements() cache, even those that are only invoked on HTTP POST
|
|
|
+ requests.
|
|
|
+- Made the database system replace truncate queries with delete queries when
|
|
|
+ inside a transaction, to fix issues with PostgreSQL and other databases.
|
|
|
+- Fixed a bug which caused nested contextual links to display improperly.
|
|
|
+- Fixed a bug which prevented cached image derivatives from being flushed for
|
|
|
+ private files and other non-default file schemes.
|
|
|
+- Fixed drupal_render() to always return an empty string when there is no
|
|
|
+ output, rather than sometimes returning NULL (minor API change).
|
|
|
+- Added protection to cache_clear_all() to ensure that non-cache tables cannot
|
|
|
+ be truncated (API addition: a new isValidBin() method has been added to the
|
|
|
+ default database cache implementation).
|
|
|
+- Changed the default .htaccess file to support HTTP authorization in CGI
|
|
|
+ environments.
|
|
|
+- Changed the password reset form to pre-fill the username when requested via a
|
|
|
+ URL query parameter, and used this in the error message that appears after a
|
|
|
+ failed login attempt (minor data structure and behavior change).
|
|
|
+- Fixed broken support for foreign keys in the field API.
|
|
|
+- Fixed "No active batch" error when a user cancels their own account.
|
|
|
+- Added a description to the "access content overview" permission on the
|
|
|
+ permissions page (string change).
|
|
|
+- Added a drupal_array_diff_assoc_recursive() function to allow associative
|
|
|
+ arrays to be compared recursively (API addition).
|
|
|
+- Added human-readable labels to image styles, in addition to the existing
|
|
|
+ machine-readable name (API change: https://drupal.org/node/2058503).
|
|
|
+- Moved the drupal_get_hash_salt() function to bootstrap.inc and used it in
|
|
|
+ additional places in the code, for added security in the case where there is
|
|
|
+ no hash salt in settings.php.
|
|
|
+- Fixed a regression in Drupal 7.22 that caused internal server errors for
|
|
|
+ sites running on very old Apache 1.x web servers.
|
|
|
+- Numerous small bug fixes.
|
|
|
+- Numerous API documentation improvements.
|
|
|
+- Additional automated test coverage.
|
|
|
|
|
|
Drupal 7.22, 2013-04-03
|
|
|
-----------------------
|
|
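Review bot: In the Drupal 7.25 entries, the hook_block_view_MODULE_DELTA_alter() item requires module authors to rename their hook implementations (hyphens in the block delta replaced with underscores), but it carries no "(API change)" label. Neighbouring items such as 'skip on cron' and 'page_compressed' are labelled. The 7.28 db_query_temporary() item has the same gap: it now fails with an error on non-SELECT queries and is not flagged as a behavior change. Label both so that someone scanning the changelog for breaking changes before an upgrade finds them. As a smaller style point, the 7.24 line reads "(multiple vulnerabilities), see SA-CORE-2013-003." while the 7.26, 7.27 and 7.29 lines use "). See ..."; pick one form for the advisory references.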
@@ -53,7 +752,7 @@ Drupal 7.22, 2013-04-03
|
|
|
downloaded via the Update Manager (UI change).
|
|
|
- Added an optional "exclusive" flag to installation profile .info files which
|
|
|
allows Drupal distributions to force a profile to be selected during
|
|
|
- installation (API addition).
|
|
|
+ installation (API addition: http://drupal.org/node/1961012).
|
|
|
- Fixed a bug which caused the database API to not properly close database
|
|
|
connections.
|
|
|
- Added a link to the URL for running cron from outside the site to the Cron
|
|
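Review bot: The change-record link added to the "exclusive" flag item uses http://drupal.org/node/1961012, while the other change-record links introduced by this patch (https://drupal.org/node/2058463, https://drupal.org/node/2058503, https://drupal.org/node/2164069) use https. Switch this one to https so that all links in the file use the same scheme and none sends readers over plain HTTP.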
@@ -202,8 +901,8 @@ Drupal 7.15, 2012-08-01
|
|
|
- Numerous API documentation improvements.
|
|
|
- Additional automated test coverage.
|
|
|
|
|
|
-Drupal 7.14 2012-05-02
|
|
|
-----------------------
|
|
|
+Drupal 7.14, 2012-05-02
|
|
|
+-----------------------
|
|
|
- Fixed "integrity constraint" fatal errors when rebuilding registry.
|
|
|
- Fixed custom logo and favicon functionality referencing incorrect paths.
|
|
|
- Fixed DB Case Sensitivity: Allow BINARY attribute in MySQL.
|
|
@@ -251,12 +950,12 @@ Drupal 7.14 2012-05-02
|
|
|
- system_update_7061() converts filepaths too aggressively.
|
|
|
- Trigger upgrade path: Node triggers removed when upgrading to 7-x from 6.25.
|
|
|
|
|
|
-Drupal 7.13 2012-05-02
|
|
|
-----------------------
|
|
|
+Drupal 7.13, 2012-05-02
|
|
|
+-----------------------
|
|
|
- Fixed security issues (Multiple vulnerabilities), see SA-CORE-2012-002.
|
|
|
|
|
|
Drupal 7.12, 2012-02-01
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed bug preventing custom menus from receiving an active trail.
|
|
|
- Fixed hook_field_delete() no longer invoked during field_purge_data().
|
|
|
- Fixed bug causing entity info cache to not be cleared with the rest of caches.
|
|
@@ -290,11 +989,11 @@ Drupal 7.12, 2012-02-01
|
|
|
cache.
|
|
|
|
|
|
Drupal 7.11, 2012-02-01
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed security issues (Multiple vulnerabilities), see SA-CORE-2012-001.
|
|
|
|
|
|
Drupal 7.10, 2011-12-05
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed Content-Language HTTP header to not cause issues with Drush 5.x.
|
|
|
- Reduce memory usage of theme registry (performance).
|
|
|
- Fixed PECL upload progress bar for FileField
|
|
@@ -647,7 +1346,7 @@ Drupal 7.0, 2011-01-05
|
|
|
requests.
|
|
|
|
|
|
Drupal 6.23-dev, xxxx-xx-xx (development release)
|
|
|
------------------------
|
|
|
+---------------------------
|
|
|
|
|
|
Drupal 6.22, 2011-05-25
|
|
|
-----------------------
|
|
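Review bot: The replacement underline beneath "Drupal 6.23-dev, xxxx-xx-xx (development release)" is longer than the old one but still stops well short of the full heading, which continues with "(development release)". The other underline changes in this patch appear to size the rule to the heading text. If that is the intent here, extend the underline to cover the whole line; if the rule is meant to cover only the version and date, a short remark in the commit message would avoid a later "fix".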
@@ -657,25 +1356,25 @@ Drupal 6.22, 2011-05-25
|
|
|
- Fixed a variety of other bugs.
|
|
|
|
|
|
Drupal 6.21, 2011-05-25
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed security issues (Cross site scripting), see SA-CORE-2011-001.
|
|
|
|
|
|
Drupal 6.20, 2010-12-15
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed a variety of small bugs, improved code documentation.
|
|
|
|
|
|
Drupal 6.19, 2010-08-11
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed a variety of small bugs, improved code documentation.
|
|
|
|
|
|
Drupal 6.18, 2010-08-11
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed security issues (OpenID authentication bypass, File download access
|
|
|
bypass, Comment unpublishing bypass, Actions cross site scripting),
|
|
|
see SA-CORE-2010-002.
|
|
|
|
|
|
Drupal 6.17, 2010-06-02
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Improved PostgreSQL compatibility
|
|
|
- Better PHP 5.3 and PHP 4 compatibility
|
|
|
- Better browser compatibility of CSS and JS aggregation
|
|
@@ -684,7 +1383,7 @@ Drupal 6.17, 2010-06-02
|
|
|
- Fixed a variety of other bugs.
|
|
|
|
|
|
Drupal 6.16, 2010-03-03
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed security issues (Installation cross site scripting, Open redirection,
|
|
|
Locale module cross site scripting, Blocked user session regeneration),
|
|
|
see SA-CORE-2010-001.
|
|
@@ -696,12 +1395,12 @@ Drupal 6.16, 2010-03-03
|
|
|
- Fixed a variety of other bugs.
|
|
|
|
|
|
Drupal 6.15, 2009-12-16
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed security issues (Cross site scripting), see SA-CORE-2009-009.
|
|
|
- Fixed a variety of other bugs.
|
|
|
|
|
|
Drupal 6.14, 2009-09-16
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed security issues (OpenID association cross site request forgeries,
|
|
|
OpenID impersonation and File upload), see SA-CORE-2009-008.
|
|
|
- Changed the system modules page to not run all cache rebuilds; use the
|
|
@@ -710,18 +1409,18 @@ Drupal 6.14, 2009-09-16
|
|
|
- Fixed a variety of small bugs.
|
|
|
|
|
|
Drupal 6.13, 2009-07-01
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed security issues (Cross site scripting, Input format access bypass and
|
|
|
Password leakage in URL), see SA-CORE-2009-007.
|
|
|
- Fixed a variety of small bugs.
|
|
|
|
|
|
Drupal 6.12, 2009-05-13
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed security issues (Cross site scripting), see SA-CORE-2009-006.
|
|
|
- Fixed a variety of small bugs.
|
|
|
|
|
|
Drupal 6.11, 2009-04-29
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed security issues (Cross site scripting and limited information
|
|
|
disclosure), see SA-CORE-2009-005
|
|
|
- Fixed performance issues with the menu router cache, the update
|
|
@@ -729,7 +1428,7 @@ Drupal 6.11, 2009-04-29
|
|
|
- Fixed a variety of small bugs.
|
|
|
|
|
|
Drupal 6.10, 2009-02-25
|
|
|
-----------------------
|
|
|
+-----------------------
|
|
|
- Fixed a security issue, (Local file inclusion on Windows),
|
|
|
see SA-CORE-2009-003
|
|
|
- Fixed node_feed() so custom fields can show up in RSS feeds.
|
|
@@ -1125,7 +1824,7 @@ Drupal 4.7.9, 2007-12-05
|
|
|
- fixed a security issue (SQL injection), see SA-2007-031
|
|
|
|
|
|
Drupal 4.7.8, 2007-10-17
|
|
|
-----------------------
|
|
|
+------------------------
|
|
|
- fixed a security issue (HTTP response splitting), see SA-2007-024
|
|
|
- fixed a security issue (Cross site scripting via uploads), see SA-2007-026
|
|
|
- fixed a security issue (API handling of unpublished comment), see SA-2007-030
|
|
@@ -1238,7 +1937,7 @@ Drupal 4.6.11, 2007-01-05
|
|
|
- Fixed security issue (DoS), see SA-2007-002
|
|
|
|
|
|
Drupal 4.6.10, 2006-10-18
|
|
|
-------------------------
|
|
|
+-------------------------
|
|
|
- Fixed security issue (XSS), see SA-2006-024
|
|
|
- Fixed security issue (CSRF), see SA-2006-025
|
|
|
- Fixed security issue (Form action attribute injection), see SA-2006-026
|