Drupal 4.5.2 released
The Drupal project has released version 4.5.2 of its open-source content management platform. Drupal 4.5.2 is a maintenance release that provides corrections of problems reported using the bug tracking system. Drupal 4.5.2 fixes a cross-site scripting (XSS) vulnerability so it is recommended that you upgrade your existing Drupal sites. There are no new features in this installment. For more information about the Drupal 4.5.x release series, please consult the Drupal 4.5.0 release announcement and the Drupal 4.5.1 release announcement. For more information about the Drupal 4.5.2 release in particular, read on.
Download
Drupal 4.5.2 is available for free under the GNU General Public License and can be downloaded from http://drupal.org/files/projects/drupal-4.5.2.tar.gz.
Bugs fixed
The most important bug fixes since Drupal 4.5.1 include:
- Fix by Dries and Steven: improved the input checking to prevent cross-site scripting (XSS) attack.
- Fix #15500 by Morbus: ignore unpublished comments on the tracker module's recent posts page.
- Fix #15172 by Steven: fixed bug with punctuation stripping while building the search index.
- Fix #15399 by adschar: fixed PHP5 error when a new session is inserted into the session table.
- Fix #15328 by Goba: improved error handling of textareas by marking them red upon error.
- Fix #15254 by Anonymous: fixed a bug that prevented PostgreSQL users to run several Drupal sites from a single database.
- Fix #11366 by Junyor: fixed problem with comment counts after upgrading from Drupal 4.4. Requires you to run the upgrade script.
- Fix #14545 by nysus: don't grant access to files if the node is not accessible.
- Fix #11548 by Steven: ensured that only valid node fields are saved.
- Fix #13531 by Steven: reintroduced the Xtemplate's
{directory}
-tag. - Fix #14709 by matteo: made sure the RSS backend calls the node API's 'view'-hook.
- Fix #14710 by tangent: only show the 'Post comment'-button if preview is optional or if we are in preview mode.
- Fix #12366 by mathias: fixed missing 'edit'-tab for book pages.
- Fix #14609 by Dries: improved the user module's status messages and avoid empty roles being saved.
- Fix #14614 by Neil: made the archive module respect the node-level permissions.
- Fix #14288 by Goba: made it possible to translate the days in the header of the calendar block.
- Fix by Goba: don't save user roles in the serialized data field of the user table.
- Fix #14035 by Goba: fixed profile module problem with UTF-8 conversion when mixing
LOWER()
(SQL function) andstrtolower()
(PHP function). - Fix #14006 by Neil: fixed broken URL in the user module.
- Fix #13786 by drumm: fixed the RSS aggregator's handling of HTTP 301 response codes.
- The translation templates (.POT-files) have been updated.
A complete list of all bug fixes in the stable DRUPAL-4-5 branch can be found at http://drupal.org/cvs/drupal/?branch=DRUPAL-4-5.
Security
Security is a primary focus of Drupal however due to an input validation flaw, Drupal was vulnerable to a cross-site scripting (XSS) attack that allowed Javascript to be injected. Drupal 4.5.2 fixes this vulnerability. All previous releases of Drupal, including the Drupal 4.4 and Drupal 4.5 release series, are affected. It is recommended that you upgrade to Drupal 4.5.2.
If you are running Drupal 4.5.0 or Drupal 4.5.1 and you don't want to upgrade to Drupal 4.5.2, you can apply this security patch (HOWTO). Alternatively, if you upgraded to Drupal 4.5.1 (not Drupal 4.5.0), you can replace the file includes/common.inc
with the one from Drupal 4.5.2.
If you are running the development version of Drupal, upgrade to CVS HEAD or grab a new snapshot from the Drupal project page.
Upgrading
For the most trouble free transition from an existing installation, it is recommended that you first upgrade to Drupal 4.5.0 or Drupal 4.5.1. If you are upgrading from Drupal 4.4.x or below, please consult the Drupal 4.5.0 release announcement for more information. To upgrade from Drupal 4.5.0 or Drupal 4.5.1, upload all of the files and directories in the Drupal 4.5.2 package to your webserver, replacing older copies of the files. As with any upgrade, it is a good idea to backup of your site and database first.
- No database changes have been made since Drupal 4.5.0 so there is no need to run Drupal's upgrade script. If you upgraded from Drupal 4.4 or below you can optionally run the upgrade script to fix a problem with the comment counts.
- No API changes have been made since Drupal 4.5.0 so all contributed themes and modules that work for 4.5.0 and 4.5.1 will work with 4.5.2.
Bug reports
The Drupal 4.5 branch is still being maintained so given enough bug fixes (not just bug reports) more maintenance releases will be made available.