Drupal Release: 4.7.6

TL;DR

Drupal 4.7.6 is a security and bug fix release addressing critical issues like cookie domain mismatches causing login problems, contact form spam vulnerabilities, and autocomplete security concerns. This maintenance release improves stability and security without introducing new features, making it an essential upgrade for all Drupal 4.7.x sites.

Highlight of the Release

• Fixed login problems caused by cookie domain mismatches between www and non-www domains
• Security update addressing anonymous user autocomplete vulnerabilities
• Improved spam protection for contact forms
• Better error handling during site updates
• Fixed permission matching issues

Migration Guide

No specific migration steps are required when upgrading from Drupal 4.7.5 to 4.7.6. This is a maintenance release that fixes bugs and security issues without changing APIs or database structures.

Standard upgrade procedure:

1. Back up your database and site files
2. Put your site in maintenance mode
3. Replace your existing Drupal files with the new 4.7.6 release
4. Run the update script by visiting update.php in your browser
5. Take your site out of maintenance mode

Upgrade Recommendations

Urgency: High

All sites running Drupal 4.7.x should upgrade to 4.7.6 as soon as possible due to the security fixes included in this release. The security advisory SA-2007-005 addresses critical vulnerabilities that could potentially be exploited if left unpatched.

This is a maintenance release with minimal risk of introducing new issues. The fixes address specific bugs and security concerns without changing core functionality or APIs.

Bug Fixes

• Login Functionality: Fixed issues with cookie domain mismatches between www and non-www domains that were preventing successful logins (#108663)
• Text Formatting: Fixed issues with the autop function that handles paragraph formatting (#100679)
• Variable Initialization: Fixed potential issues by properly initializing variables (#44882)
• Update Process: Improved error handling during the update process (#73615)
• Permissions System: Fixed problems with matching permissions that could affect site functionality (#81891)
• Caching: Corrected usage of mod_expires when available for better browser caching (#104506)

New Features

No new features were introduced in this maintenance release. Drupal 4.7.6 focuses exclusively on security fixes and bug corrections to improve stability and security of existing functionality.

Security Updates

• SA-2007-005: Addressed security vulnerabilities detailed in Security Advisory 2007-005
• Autocomplete Protection: Fixed security issue that could expose anonymous user entries in autocomplete fields (#108130)
• Contact Form Spam Prevention: Implemented measures to prevent spam abuse of contact forms by anonymous users (#69202)
• Cookie Handling: Improved cookie handling to conform to RFC 2109 standards, enhancing security of user sessions

Performance Improvements

This release does not contain significant performance improvements. The focus was primarily on security enhancements and bug fixes rather than performance optimizations.

Impact Summary

Drupal 4.7.6 is primarily a security and bug fix release that addresses several critical issues affecting site security and functionality. The most notable impacts include:

1. Enhanced Security: Multiple security vulnerabilities have been patched, particularly around anonymous user access and contact forms.

2. Improved Login Reliability: Users will experience fewer login problems, especially on sites that use both www and non-www domains.

3. Better Spam Protection: Site administrators will see reduced spam submissions through contact forms due to improved protections.

4. More Stable Updates: The update process is now more robust with better error handling.

5. Text Formatting Improvements: Content will display more consistently with fixes to the autop function.

This release maintains backward compatibility with previous 4.7.x versions while addressing security concerns, making it an essential upgrade for all Drupal 4.7.x sites.