Issue #1705618 by sun, nod_, mgifford, hanoii, clemens.tolboom, poker10, torotil, Wim Leers, Matt V., helmo, mcdruid, joseph.olstad, JvE, tim.plunkett, Bojhan, fawwad.nirvana, GuyPaddock, Dries, David_Rothstein: Double click prevention on form submission

Issue #2164025 by skipyT, mcdruid, pwolanin: Improve security of session ID against DB exposure or SQL injection

Issue #3293648 by mcdruid, poker10: [D7 backport] Update status does not verify the identity or authenticity of the release history URL

SA-CORE-2023-005 by benjifisher, Heine, cmlara, mlhess, larowlan, David_Rothstein, xjm, Wim Leers, DamienMcKenna, effulgentsia, pwolanin, mcdruid, poker10, jenlampton, longwave, kim.pepper, alexpott, drumm

Issue #3308929 by poker10, swentel, fago, catch, alexpott, Berdir: [D7] Cron lock time limit is too short and does not prevent multiple, concurrent cron runs

Issue #3293649 by mcdruid: drupal_http_request() fails to strip Cookie or Authorization headers on HTTP downgrade

SA-CORE-2022-012 by cmlara, GuyPaddock, larowlan, mondrake, effulgentsia, xjm, longwave, Dave Reid, lauriii, David Strauss, benjifisher, alexpott, mcdruid, Fabianx

Issue #1232572 by deviantintegral, mcdruid, joachim, cweagans, Lennard Westerveld, kenorb, hanoii, webflo, bleen, esod, johnennew, Elijah Lynn, ron_s, csmdgl, sriharsha.uppuluri, cman9090, Berdir, catch, q0rban, alexpott, anavarre: Backport skip_permissions_hardening

Issue #229825 by nod_, mcdruid, sun, ApacheEx, lightsurge, legovaer, pounard, RobLoach, Frederikvho, Robin Monks, cburschka, yched, keith.smith, Kiphaas7, treksler, jbrauer, catch, Dave Reid, aspilicious, Damien Tournoud, Wim Leers, giupenni, ressa, Fabianx, webchick: backport "$_COOKIE['has_js'] must die" patch to 7.x

Issue #3209976 by mcdruid, DamienMcKenna, Maeglin, antiorario, effulgentsia, gapple, rachel_norfolk, rootwork, phenaproxima, neclimdul, larowlan, longwave: Add Permissions-Policy header to block Google FLoC

Issue #3170525 by mcdruid, nullkernel, simonholt83, MustangGB, Znak, axle_foley00, Fabianx, akorkot, cilefen, thalemn, Ayesh, ressa, finne: Set samesite cookie attribute for PHP sessions

Issue #2470619 by mcdruid, pounard, hosef, heddn, DamienMcKenna, boyan.borisov, joelpittet, Fabianx, joseph.olstad, MustangGB, izmeez, oadaeh, joshmiller, marcingy, mikeytown2, discipolo, amateescu, Jordan Samouh, das-peter, ndobromirov, quietone, Ronino, mxr576, David_Rothstein, potop, dreamer777, btully: Do not attempt field storage write when field content did not change

Issue #3098058 by mcdruid, SAVEL, alexpott, alexandra.vecher, nikolas.tatianenko, kiamlaluno, sjerdo, RobLoach, catch, cburschka, carlos8f, penyaskito, gdud, theborg, pillarsdotnet, olamaekle, naxoc: [D7] Use site name in From: header for system e-mails

Issue #973436 by catch, joseph.olstad, beejeebus, karschsp, pillarsdotnet, mcdruid, DamienMcKenna, carlos8f, sun, dsobon, kentr, Damien Tournoud, pounard, Fabianx, xjm, fgm, Steven Jones, David_Rothstein, donquixote, amateescu, MustangGB, Lars Toomre, basicmagic.net, Jeremy, DanPir, nnewton, yonailo, Peter Bowey, RobLoach, gdaw, dsutter, joel_osc, nareshp, izmeez, joelpittet, torgosPizza, crea, tim.plunkett, YesCT, stefan.r, rwohleb: Overzealous locking in variable_initialize()

Issue #2978575 by mcdruid, Ayesh, Ronino, fietserwin, emilcarpenter, elijahoyekunle, berenddeboer, Mixologic, almaudoh, tfranz, izmeez, TR, Charlie ChX Negyesi, joseph.olstad, mmjvb, gisle, MustangGB, ronlee, pyQlo, TrevorBradley, alexpott, mfb, Fabianx, Andrés Chandía, buddym, rjt1224, saxmeister, Pol, shenzhuxi, sjerdo, aparna_kondala, seamus_lee, andrew_rs, bernig, andyrandom, xpiku, Kevin Morse, SivaprasadC, lakshmi_a, vensires, waqarit, joergM: Mysql 8 Support on Drupal 7

Issue #2989985 by mcdruid, colorfulCoder, tatarbj, Fabianx, paulocs: User module's flood controls should do better logging, plus add new hook_user_flood_control()

Issue #2482549 by Pol, marcelovani, ndf, drupal@guusvandewal.nl, jenlampton, ufku, kaidjohnson, MiSc, David_Rothstein, RobLoach, SebCorbin, geerlingguy, pablo.guerino, JohnAlbin, joelpittet, afoster: Ignore node_module folder in core to use Drupal with npm/grunt/nodejs

Issue #2091511 by Cameron Tod, mcdruid, mpdonadio, David_Rothstein, lokapujya, stefan.r, Berdir, alexpott, damiankloip, cosmicdreams, das-peter, heddn, xjm, catch, tstoeckler, anavarre, naveenvalecha, tim.plunkett, dawehner: Make cache_form expiration configurable, to mitigate runaway cache_form tables

Issue #2009584 by hgoto, jtwalters, rteijeiro, ry5n, emattias, Fabianx: Allow double underscores to pass through drupal_clean_css_identifier as per new CSS standards

Issue #2766537 by bhavikshah9, mforbes: Missing asterisk in one line of default.settings.php documentation block

Issue #2488180 by stefan.r, stovak, pwolanin, David_Rothstein, Noe_, typhonius, KhaledBlah, joelpittet, Fabianx, geerlingguy, nithinkolekar, mikeytown2, jduhls, scuba_fly, travelvc, hass: Support full UTF-8 (emojis, Asian symbols, mathematical symbols) on MySQL and other database drivers when they are configured to allow it

Issue #2115737 by darol100, owenpm3, rhuffstedtler, andythomnz, jemandy, ijf8090, zealfire, er.pushpinderrana, jhodgdon, corbacho, spitcher, abenamer, holingpoon, ay1n: Make the text in modules, themes, and profiles README.txt files more user-friendly

Issue #2500101 by David_Rothstein: sites/all/modules/README.txt should not imply that clearing caches always works after moving a module to a new subdirectory

Issue #667058 by greggles, DamienMcKenna, cweagans, travelertt, Dave Reid, tstoeckler, geerlingguy: Add a sites/all/libraries folder and encourage people to use it properly

Issue #1930960 by pounard, iamEAP, pjcdawkins, msonnabaum, David_Rothstein: Fixed Block caching disable hardcoded on sites with hook_node_grant() causes serious performance troubles when not necessary.

Issue #1221772 by pounard, colan, jcisio | sivaji: Fixed Transaction database settings is misleading in settings.php.

Issue #692366 by  mariacha1, hosef, Albert Volkman, xjm, underq, kid_icarus, willmoy, bradweikel: Replace US-centric php.net URLs with language-neutral URLs

Issue #1436814 by gary4gar, kid_icarus, netol, webchick, droplet, andypost: Fixed Fast 404 'Not found' pages are missing a doctype.

Issue #932110 by Albert Volkman, David_Rothstein, marji, jurgenhaas, dcam: On some servers, the Update Manager allows administrators to directly execute arbitrary code even without the PHP module. (Documentation fix)