Resolved Bugs
1238487 – drupal7-views_bulk_operations-3.3 is available<br
## 7.x-3.3
**See [SA-CONTRIB-2015-131](https://www.drupal.org/node/2516688)**
**Changes since 7.x-3.2:**
* Fix security vulnerability, by AdamPS.
* Remove an entity_label() workaround that core no longer needs.
* Issue #2427381 by axel.rutz: Rules component lacks entity type
* Issue #2418751 by anrikun: Archive action fails silently
* Issue #2318273 by bojanz, PascalAnimateur: Added Hide action links from confirmation pages.
* Issue #2364849 by rudiedirkx: Fixed Don’t export unselected actions.
* Issue #1817978 by ofry, samalone: Fixed Undefined index: triggers in flag_flag->get_valid_actions() .
* Issue #2341283 by JvE: Fixed views_bulk_operations_cron says 1 day but uses 10 days.
* Issue #2345667 by PascalAnimateur: Fixed Translate properties / available tokens titles.
* Issue #2312547 by bennybobw, lmeurs: Fixed Broken view titles, they often only display a Total being passed to action with Views 3.8.
* Clean up previous patch.
* Issue #1781704 by juampy: Added Make the ability to click on a row and activate the checkbox optional.
* Issue #2254871 by jorisdejong: Fixed No default action behavior set in getAccessMask().
* Issue #2280213: Make the OR string in theme_views_bulk_operations_select_all() translatable.
* Issue #1618474 followup by acbramley: Hide operations selector & checkboxes if no operation available.
* Issue #2192775 by Berdir: views_bulk_operations_load_action_includes() uses relative path in include_once

**Horde_Form 2.0.10**
* [jan] SECURITY: Fixed XSS in form renderer.
**Horde_Icalendar 2.1.1**
* [jan] Fix generated VALARM TRIGGER attributes with empty duration (Ralf Becker).
**Horde_Auth 2.1.10**
* [jan] SECURITY: Don’t allow to login to LDAP with an emtpy password.
**Horde_Core 2.20.6**
* [jan] SECURITY: Don’t allow to login with an emtpy password.
* [jan] Give administrators access to all groups, even with $conf[‘share’][‘any_group’] disabled.

Resolved Bugs
1238486 – drupal7-migrate-2.8 is available<br
## 7.x-2.8
**See [SA-CONTRIB-2015-130](https://www.drupal.org/node/2516678)**
**Features and enhancements**
* Issue #2379289: migrate-import –update does not seem to work as expected, if map is not joinable, due to highwater field?
* Issue #2403643: Migration::applyMappings() unable to handle multifield subfields
* Issue #2472045: Add language subfields only if field is translatable
* Issue #2474809: Obtuse error message when migration dependencies are missing
* Issue #2397791: MigrationBase::handleException should handle multiple errors via field_attach_validate()
* Issue #2309563: Add support for running migrations via wildcard name
* Issue #2095841: Add MigrationBase methods to enable/disable mail system.
* Issue #2419373: Performance improvement when using Source migrations in combination with MigrateSQLMap
* Issue #2141687: Make error messages include more information when migrating files
**Bug fixes**
* Field sanitization added to prevent possibility of XSS – see security advisory https://security.drupal.org/node/155268.
* Issue #2447115: Mapping editor does not properly save XML mappings
* Issue #2497015: Remapping taxonomy terms breaks term reference import on dependant migrations
* Issue #2488560: MigrateSourceList and MigrateSourceMultiItems getNextRow() stops after only one iteration
* Issue #2446105: Source fields getting reset as “do not migrate” after mapping and saving
* Issue #2415977: /tmp is hard-coded in migrate_ui
* Issue #2475473: Drush idlist option broken
* Issue #2465387: Unknown option: –stop during migrate-import via Drush
**Important: If you are upgrading from Migrate 2.5 or earlier**
Migration developers will need to add the “advanced migration information” permission to their roles to continue seeing all the info in the UI they’re used to.
Auto-registration (having classes be registered just based on their class name, with no call to registerMigration or definition in hook_migrate_api()) is no longer supported. Registration of classes defined in hook_migrate_api() is no longer automatic – do a drush migrate-register or use the Register button in the UI to register them.
Migration class constructors should now always accept an $arguments array as the first parameter and pass it to its parent. This version does support legacy migrations which pass a group object, or nothing, but these methods are deprecated.

Resolved Bugs
1241143 – CVE-2015-3281 haproxy: information leak in buffer_slow_realign() [fedora-all]
1239181 – haproxy-1.5.14 is available
1239072 – CVE-2015-3281 haproxy: information leak in buffer_slow_realign()<br
Security fix for CVE-2015-3281

Resolved Bugs
1238487 – drupal7-views_bulk_operations-3.3 is available<br
## 7.x-3.3
**See [SA-CONTRIB-2015-131](https://www.drupal.org/node/2516688)**
**Changes since 7.x-3.2:**
* Fix security vulnerability, by AdamPS.
* Remove an entity_label() workaround that core no longer needs.
* Issue #2427381 by axel.rutz: Rules component lacks entity type
* Issue #2418751 by anrikun: Archive action fails silently
* Issue #2318273 by bojanz, PascalAnimateur: Added Hide action links from confirmation pages.
* Issue #2364849 by rudiedirkx: Fixed Don’t export unselected actions.
* Issue #1817978 by ofry, samalone: Fixed Undefined index: triggers in flag_flag->get_valid_actions() .
* Issue #2341283 by JvE: Fixed views_bulk_operations_cron says 1 day but uses 10 days.
* Issue #2345667 by PascalAnimateur: Fixed Translate properties / available tokens titles.
* Issue #2312547 by bennybobw, lmeurs: Fixed Broken view titles, they often only display a Total being passed to action with Views 3.8.
* Clean up previous patch.
* Issue #1781704 by juampy: Added Make the ability to click on a row and activate the checkbox optional.
* Issue #2254871 by jorisdejong: Fixed No default action behavior set in getAccessMask().
* Issue #2280213: Make the OR string in theme_views_bulk_operations_select_all() translatable.
* Issue #1618474 followup by acbramley: Hide operations selector & checkboxes if no operation available.
* Issue #2192775 by Berdir: views_bulk_operations_load_action_includes() uses relative path in include_once

xl command line config handling stack overflow [XSA-137, CVE-2015-3259]

Resolved Bugs
1239072 – CVE-2015-3281 haproxy: information leak in buffer_slow_realign()
1239181 – haproxy-1.5.14 is available
1241143 – CVE-2015-3281 haproxy: information leak in buffer_slow_realign() [fedora-all]<br
Security fix for CVE-2015-3281

**Horde_Form 2.0.10**
* [jan] SECURITY: Fixed XSS in form renderer.
**Horde_Icalendar 2.1.1**
* [jan] Fix generated VALARM TRIGGER attributes with empty duration (Ralf Becker).
**Horde_Auth 2.1.10**
* [jan] SECURITY: Don’t allow to login to LDAP with an emtpy password.
**Horde_Core 2.20.6**
* [jan] SECURITY: Don’t allow to login with an emtpy password.
* [jan] Give administrators access to all groups, even with $conf[‘share’][‘any_group’] disabled.

Update to nx-libs 3.5.0.32:
– Proper integration of all patches in the source tarballs. Bugs in the tarball generation script and patch file names prohibited inclusion of many patches previously, including security fixes.
– Better support for debug (DEBUG, TEST, TRACE and other directives) builds, in part thanks to Nito Martinez.
– Build fixes due to underlinking of libdl thanks to Bernard Cafarelli.
– Retroactively document correct GPLv2 licensing of previously potentially offending DXPC code.
– Help text fixups.
– Restart reading if interrupted, gets rid of “Negotiation in stage 10” errors thanks to Vadim Troshchinskiy.
– A dozen X.Org Server fixes backported by Ulrich Sibiller.
The X2Go Project thanks Bernard Cafarelli, Nito Martinez (Qindel Group), Vadim Troshchinskiy (Qindel Group) and Ulrich Sibiller for their contributions.