For the e-Commerce module there is a wrong security update warning, and even worse, there is no way to ignore it.

Last stable version, as far as I can tell, is 3.4; there is a security update for 4.0 alpha (but that is alpha).

First, this should not be reported as a security update.

Second, it should be possible to ignore it. But the only option is 3.4 in the ignore list (and that won't make any difference of course).

Comments

dww’s picture

Assigned: Unassigned » dww

Argh, yes. Confirmed. :( Debugging now.

dww’s picture

Title: wrong security update for e-Commerce module » Security releases from higher branches not ignored in all cases
Project: Update Status » Drupal core
Version: 5.x-2.1 » 6.0-rc3
Component: Code » update.module
Status: Active » Needs review
Attached files: new (1.57 KB), new (1.64 KB)

Drat. :( The problem is that there's code to ignore releases from higher branches, other than finding the "Also available" release. However, there are really two things going on inside this code block: 1) find "Also available" if we don't have it, 2) ignore the release. Unfortunately, #1 requires that the higher branch is considered a supported release, whereas we *always* want to do #2. :( So, the if clause just needs to be split up into 2 pieces, so that we always test the major version, then, inside that if block, we see if the higher version is supported and if we need to populate "Also available". But then, even if it's not supported, we ignore the release by hitting the "continue".

Tested on D5 and fixes the originally reported bug. This should go into core ASAP (I hope before the 6.0 final release). If the original reporter of this bug could test the D5 version of the patch attached here and confirm it solves the problem, that'd be great.

Thanks,
-Derek
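The split condition described in the comment above, as an added example that is not part of the thread and not the actual update.module code. It is a simplified PHP model; the function name, array keys and release data are constructed assumptions.

```php
<?php
// Simplified model of the release scan; not the actual update.module code.
// Function name, array keys and release data are constructed for illustration.
function scan_releases(array $releases, array $installed, array $supported_majors, bool $split_check): array
{
    $found = ['also_available' => null, 'security_updates' => []];
    foreach ($releases as $release) { // assumed ordered newest first
        $higher = $release['major'] > $installed['major'];
        $supported = in_array($release['major'], $supported_majors, true);
        if ($split_check) {
            // After the fix: always test the major version first.
            if ($higher) {
                if ($supported && $found['also_available'] === null) {
                    $found['also_available'] = $release['version'];
                }
                continue; // ignored even when the higher branch is unsupported
            }
        } elseif ($higher && $supported) {
            // Before the fix: the "continue" was only reached for supported branches.
            if ($found['also_available'] === null) {
                $found['also_available'] = $release['version'];
            }
            continue;
        }
        if ($release['version'] === $installed['version']) {
            break; // everything from here on is not newer than what is installed
        }
        if ($release['security']) {
            $found['security_updates'][] = $release['version'];
        }
    }
    return $found;
}

// Constructed data modelled on the report: 3.4 installed, 4.0 alpha flagged as security.
$releases = [
    ['version' => '4.0-alpha', 'major' => 4, 'security' => true],
    ['version' => '3.4', 'major' => 3, 'security' => false],
];
$installed = ['version' => '3.4', 'major' => 3];

foreach ([[3], [3, 4]] as $supported_majors) {
    foreach ([false, true] as $split_check) {
        $r = scan_releases($releases, $installed, $supported_majors, $split_check);
        printf("supported=[%s] split=%s also_available=%s security=[%s]\n",
            implode(',', $supported_majors), $split_check ? 'yes' : 'no',
            $r['also_available'] ?? 'none', implode(',', $r['security_updates']));
    }
}
```

Of the four combinations, only the unsupported higher branch with the unsplit condition reports 4.0-alpha as a security update for the 3.4 install.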

webernet’s picture

Status: Needs review » Reviewed & tested by the community

Tested the 5.x patch, and it successfully fixes the problem for ecommerce.

The 6.x code is the same, applies cleanly, and doesn't seem to break anything, so this should be ready to go.

coltrane’s picture

Tested D5 patch and it fixes the issue.

Drupal 5.7 with ecommerce installed. Installed update_status module and received security warning. Applied patch and warning went away. Installed old pathauto module (pathauto-5.x-1.2) and received security warning recommending upgrade to pathauto-5.x-2.0.

dww’s picture

Title: Security releases from higher branches not ignored in all cases » 6.0 blocker: Security releases from higher branches not ignored in all cases

Note: this patch also fixes the bug reported at http://drupal.org/node/216309

Given the further testing and reviews in here (and more testing myself), I committed the D5 version to update_status contrib DRUPAL-5--2: http://drupal.org/cvs?commit=98869

6.0 really shouldn't go out with this code, so I'm changing the title appropriately.

Sorry about this bug -- it was introduced fixing other bugs, and I never tested the case where newer releases went out that aren't supported. :(

gábor hojtsy’s picture

Status: Reviewed & tested by the community » Fixed

Hm, discussed this with dww on Skype as well. Looks good, committed. Thanks for testing!

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.