Comment 5 for bug 1978555

Luís Infante da Câmara (luis220413) wrote : Re: [SRU] New upstream maintenance and security releases for Focal and Jammy

SPIP does not meet the bulleted criteria in https://wiki.ubuntu.com/StableReleaseUpdates#New_upstream_microreleases. However, these microreleases are acceptable because all changes can be SRUed.

Approximate translation of the changes in CHANGELOG.TXT (added in the Focal debdiff):

3.2.14 -> 3.2.15
8283532c9 (1) Remove the argument `formulaire_action_sign` from the ACTION URL
2ce34e62e (2) Increment spip_version_code to recompile the templates
ac67fc5be (1) Secure the return value of nettoyer_titre_email when it is used from a template
901f58302 (1) Also hide sensitive cookies from $_SERVER['HTTP_COOKIE'] and $_ENV['HTTP_COOKIE']
871777b0f (1) Escape sel_db before reinserting it in a hidden field (but it is rather theoretical, because if we get here it is because we have managed to connect with it, so the name cannot contain special characters)
754677579 (1) Secure HTTP_HOST and REQUEST_URI in url_de_base()
97845aa30 (1) Use \b instead of \s to be more robust in the regex of _PROTEGE_BLOCS
d99890f66 (1) Secure construction of the regex in parametre_url
e9a03a38d (1) Secure the error display when it comes from the URL
772a4baed (1) Secure the use of var_mode_xx in the debugger
b28e1f9a3 (1) spip_htmlspecialchars() on all variable displays in the HTML + filter $adresse_ldap
edb6a01c6 (1) Do not accept a test_dir with .. inside the test for writing directories
3b99287c9 (3) Fix the buggy function by not using the unreliable shortcut keys but the other (reliable) keys, depending on the requested source (link or not)
SVP/bf0ff95* (1) Escape the URL in the displayed html

3.2.13 -> 3.2.14
medias/e4a3137* (3) Remove typing from PHP views
medias/3014b84* (1,3) Deprecate and secure the insertion of a gallery in the add document forms. This mode is not used in SPIP since 3.0.
mots/844893f* (3) A question mark for id_groupe that allows the display of the groups you want in a public keyword association form
squelettes-dist/93cee41* (3) Port of 8505e7c0ed9118ee31, which was in the dist but had not been carried over from the neodist template

3.2.12 -> 3.2.13
9ed1818f1 (1) Verify that you have the right to modify the login before accepting a post on this variable
dec69cb7d (3) Tags of each plugin in plugins-dist.json
39fbb0a8e (3) feat(header_silencieux): apply filter |header_silencieux
00222255b (3) Do not store formulaire_action_sign in the plugin configurations
e48c92558 (4) Support .jpeg files when adding a remote document
b2f8e3a59 (1) Also apply rawurlencode() on arrays passed as an argument of parametre_url()
f1b7feae8 (3) Avoid undefined error if get_spip_script() is called after mes_options, before the _SPIP_SCRIPT constant is defined
b6236a92e (3) Restore treatment _TRAITEMENT_TYPO_SANS_NUMERO (multi, supprimer_numero, etc.) on the tag #NOM of the authors
712f5b5df (3) Redirect without loops in a var_mode problem (that sometimes happens on a somewhat wobbly installation)
d793f599e (1 or 3) On some sites, we absolutely want to keep certain caches, so we can inhibit the purge of these directories to avoid any problems.
c4a362f35 (2) Drop misplaced changelog
squelettes-dist/f872fdb* (2) Version 3.2.5
squelettes-dist/ae985dd* (4) feat(header_silencieux): apply filter |header_silencieux

3.2.11 -> 3.2.12
19c3592b9 (1 or 3) Improve valider_url_distante(): use filter_var rather than a regexp, and add a check on the TTL of the domain so that what we validate is the same thing as what is seen in the rest of the hit
685a2c0bd (4) The plugin mots and its editer_mot() form still contains old code that was not reformatted, so let's reactivate this feature in 3.2, it was a case story to change this on this branch
28c2cd60b (1) When uploading documents, handle the case of files with multiple extensions: we leave only those that are allowed to be uploaded if possible, otherwise we keep only the last one
aefb90d6a (2) spip_version_code must be incremented because all forms must be recalculated
299219036 (1) Oops, error in 1b8e4f404: empty must be used because an empty signature can potentially be posted (it was possible to lodge and probably post on any anonymous form)
361cc2608 (1) Nom, nom_site and bio, being fields freely modifiable by users, are protected as in forums, via safehtml
fea5b5b45 (1 or 3) #FORMULAIRE tag: clean dead code that is no longer used, improve security by adding a signature of the arguments of the form as soon as the author identifies himself.
96e283e4a (5) Simplify the regex, it is not worse (cfreal)
fca83dc95 (3) Fix/refactor query_echappe_textes(), which sometimes did not detect the strings completely and correctly
1a3fda815 (4) A constant _HTML_BG_CRON_INHIB allows inhibiting the insertion of HTML markup to launch the cron via a background image or an XMLHttpRequest when it is unwanted (case of sites that provide proprietary pseudo HTML content for example and that do not support this markup)
e2d9ac340 (3) Update the code of http_status to use the PHP function directly
f3ddc3f10 (3) Small vicious bug on the cache flush button when in _CACHE_CONTEXTES_AJAX mode
8eecb049c (5) Declare the corresponding branches in the list of plugins-dist in that distribution
a63f9e608 (4) Renaming source_champ to index_champ, declaring in the Loop class, and phpdoc.
ae4f817fc (3) Use the same source loop for calculating the filters of a tag as the one used for the tag value
50e30a4b5 (2) Typo in the typo code, it sucks
7969d18f6 (3) Allow to overload the typo treatment constants without a notice.
c7091877a (3) We adapt the fields declared 'TIMESTAMP' in recent versions of MySQL (for example 8) so that they behave as expected in SPIP, that is to say with an update of the date at each update.
ad29547ec (3) Place quotes around attributes
6c200052e (1 or 3) Now that we know how to handle the error on the JS side in case the AJAX context is lost, we can purge contexts older than 48 hours without risk.
When an AJAX context is invalid (corrupt or too long, or the cache on disk was cleared), return a 400 Bad Request error + the JS side handles the error case, marks the invalid AJAX block, and redirects without AJAX if it was the new URL of the page
ebe3911aa (3) Translate on the fly the current_timestamp() introduced by MariaDB but which SQLite does not know (b_b and marcimat)
3d9882412 (3) In the generic API for any object: also pass to calculer_rubrique_if the info of which object we have just modified... It is, after all, a function that tests a modification that has just been made, and we did not have the info of which one. So it allows testing the real statuses considered as published for THIS precise object, which is not a hard thing.
ec7a876a0 (3) Fix a bug in the autosave that sometimes brought back a value that had already been entered, in the case of an AJAX post and multiple session files: the JS sends a save on action=session just before the POST of the form, and if there are several sessions the update takes a little time and we end up in a race. In this case the final actualiser_session() returned the value in session even though it had been deleted.
4d2ea673d (3) Management of loop aliases in the treatment of fields
de928fda2 (3) Allow the verification of a specific stage to set its own global error message.
82cf0ba8d (3) Multi-stage CVT: allow fast advance to another stage, without triggering an error at the stage where we arrive
bcc3c3606 (3) Pipeline saisies_verifier_tapes: also pass as arguments the entered stage, the total number of stages and the requested stage.
240ca1577 (3) Multi-stage CVT: move the search for 'aller_a_etape' after the checks of each of the past stages, which could well decide, depending on the results of the verification, that it is necessary to move elsewhere in the queue of stages.
378975997 (3) It is necessary to indicate an etape_demandee greater than the number of stages to go directly to the final validation (i.e. 1000 for example)
979babd7f (1) In 'objet_modifier_champs()' there is a check that verifies that, after the modification of the line via 'sql_updateq()', what is read when returning from 'sql_fetsel()' is what is asked to be recorded. This check also has a bug for integers. It does not emit an error message if '''' is sent to 'sql_updateq()' and '0' is found at the output of 'sql_fetsel()'. ...

Legend:
* in SPIP-plugins-dist
(1) Security vulnerability fix
(2) Necessary change
(3) https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases, point 1
(4) https://wiki.ubuntu.com/StableReleaseUpdates#Other_safe_cases, point 3
(5) Code readability improvements
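
Two of the fixes listed above recur across SPIP releases: securing a regex that is built from caller-supplied text (d99890f66) and rawurlencode()-ing array arguments of parametre_url() (b2f8e3a59). The following PHP is an added illustration of those two techniques on a hypothetical helper; it is not SPIP's parametre_url() nor any code from this changelog, and the function names, the URL and the sample inputs are constructed for the example.

```php
<?php
// Added illustration (not SPIP code): a hypothetical helper that sets a
// query parameter in a URL, first the vulnerable way and then hardened with
// preg_quote() and rawurlencode(). Names and sample data are made up.

// BEFORE: $name and $value are spliced raw into both the pattern and the
// replacement. A $name of ".*" turns the pattern into "[?&].*=[^&]*" and
// wipes the whole query string; a $value containing "$1" or "\" is
// interpreted by preg_replace() as a backreference or an escape.
function url_set_param_unsafe(string $url, string $name, string $value): string
{
    $pattern = '/([?&])' . $name . '=[^&]*/';
    if (preg_match($pattern, $url)) {
        return preg_replace($pattern, '$1' . $name . '=' . $value, $url);
    }
    return $url . (strpos($url, '?') === false ? '?' : '&') . $name . '=' . $value;
}

// AFTER: encode first, quote second, and never put caller data in the
// replacement string. Arrays become name[]=v1&name[]=v2 with every element
// rawurlencode()d, so a value cannot smuggle "&", "#" or "=" into the URL.
function url_set_param_safe(string $url, string $name, $value): string
{
    $encName = rawurlencode($name);
    $isList  = is_array($value);
    $parts   = [];
    foreach ($isList ? $value : [$value] as $v) {
        $parts[] = $encName . ($isList ? '%5B%5D' : '') . '=' . rawurlencode((string) $v);
    }
    $assignment = implode('&', $parts);

    // Keep the fragment out of the rewrite entirely.
    $fragment = '';
    if (($hash = strpos($url, '#')) !== false) {
        $fragment = substr($url, $hash);
        $url      = substr($url, 0, $hash);
    }

    // Drop every existing occurrence (plain or array form). preg_quote() with
    // the delimiter argument escapes regex metacharacters *and* the "/"
    // delimiter, so even a pathological name cannot reshape the pattern.
    // The replacement is only the captured separator; caller data never
    // reaches the replacement string.
    $pattern = '/([?&])' . preg_quote($encName, '/') . '(?:\[\]|%5B%5D)?=[^&]*/';
    $url     = preg_replace($pattern, '$1', $url);

    // Normalise the separators left behind by the removal.
    $url = preg_replace('/\?&+/', '?', $url);
    $url = preg_replace('/&{2,}/', '&', $url);
    $url = rtrim($url, '?&');

    return $url . (strpos($url, '?') === false ? '?' : '&') . $assignment . $fragment;
}

// Constructed sample input.
$base = 'https://example.test/spip.php?page=article&id_article=12&tri=date#haut';

echo url_set_param_safe($base, 'tri', 'titre'), "\n";
// https://example.test/spip.php?page=article&id_article=12&tri=titre#haut

echo url_set_param_safe($base, 'tags', ['a&b', 'c=d']), "\n";
// https://example.test/spip.php?page=article&id_article=12&tri=date&tags%5B%5D=a%26b&tags%5B%5D=c%3Dd#haut

// A regex-metacharacter name is inert in the safe variant but, in the unsafe
// one, the greedy ".*" swallows every existing parameter:
echo url_set_param_safe($base, '.*', 'x'), "\n";
// https://example.test/spip.php?page=article&id_article=12&tri=date&.%2A=x#haut
echo url_set_param_unsafe($base, '.*', 'x'), "\n";
// https://example.test/spip.php?.*=x
```

The ordering matters: rawurlencode() runs before preg_quote(), so the text that reaches the pattern contains only unreserved characters and percent-escapes, and the only things preg_quote() still has to neutralise are "." and "-"; the replacement side is safe because it contains nothing but the captured separator, which is what removes the "$1"-in-the-value problem as well.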