Security update

Fix for #1679412 -- SA-CONTRIB-2012-106 - Listhandler - Access Bypass

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

No other fixes are included.

No changes have been made to the .htaccess, robots.txt or settings.php files in this release, so upgrading custom versions of those files is not necessary.

See SA-CONTRIB-2012-156 - Search API - Cross Site Request Forgery (CSRF)

This is a security release, containing an important security fix. Users of the project are strongly encouraged to update to this version as soon as possible.
In older versions, the “enable server” and “enable index” functionalities aren't properly guarded against CSRF attacks, leading to an attacker being able to enable any disabled server and all disabled indexes that are connected to a server. See the security advisory for details.

This is the third beta release. Major new features are postponed until Payment 7.x-2.x. Only bug fixes and minor improvements will continue to be added to 7.x-1.x.

Remember to run the update script (update.php) when upgrading to this version from 7.x-1.0-beta1.

Changes since version 7.x-1.0-beta2:

• SA-CONTRIB-2012-155 - ShareThis - Cross Site Scripting (XSS)
• Issue #1485556: Use https for administration
• Issue #1422330 by Rob Loach, ghindle: Page load performance
• Issue #1677262 by SpaceGoat1701 and Rob Loach: Allowing customization of Twitter handle

Correct some security problems and some potential security problems reported in SA-CONTRIB-2012-154 - Basic webmail - Multiple vulnerabilities: