It fixes a vulnerability problem.
Reproducible: Always
http://drupal.org/node/731710 -- SA-CORE-2010-001

* Installation cross site scripting (6.x only)
  A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.
* Open redirection (5.x and 6.x)
  The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.
* Locale module cross site scripting (5.x and 6.x) (CVE-2009-4371)
  Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly… -> bug 300199
* Blocked user session regeneration (5.x and 6.x)
  Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked.
Closing noglsa. +*drupal-6.16 (05 Mar 2010) +*drupal-5.22 (05 Mar 2010) + + 05 Mar 2010; Alex Legler <a3li@gentoo.org> -drupal-5.21.ebuild, + +drupal-5.22.ebuild, -drupal-6.15.ebuild, +drupal-6.16.ebuild, + files/postinstall-en.txt: + Non-maintainer commit: Version bumps for security bugs 307811, 300199, + 238571. +
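Review bot: files/postinstall-en.txt is listed among the touched files, but the message only says "Version bumps for security bugs 307811, 300199, 238571" and gives no reason for the post-install text change. Add a short clause stating what was changed in that file, so the entry accounts for every file it names.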
*** Bug 308225 has been marked as a duplicate of this bug. ***