Release Notes: When pages are cached for anonymous users (either by Drupal or by an external system), the form state may leak between anonymous users. As a consequence, there is a chance that interim form input recorded for one anonymous user (which may include sensitive or private information, depending on the nature of the form) will be disclosed to other users interacting with the same form at the same time. This especially affects multi-step Ajax forms because the window of opportunity (i.e., the time span between user input and final form submission) is indeterminable. This release fixes this.
Release Notes: This release fixes an XSRF vulnerability in the Aggregator module, verifies signed attributes in SREG and AX for OpenID, and fixes an access bypass in the File module.
Release Notes: This release fixes an XSRF vulnerability in the Aggregator module and verification of signed attributes in SREG and AX for OpenID.