[META] double check all security releases of D7 and make sure fixes are in Backdrop

[jenlampton]

Since the issues for the security fixes are all private, we may not have caught them in our meta issue of patches that were added to D7 since we forked. This is an issue for double checking that all security fixes to D7 are absolutely positively included in Backdrop 1.0

• SA-CORE-2012-002 - Multiple vulnerabilities #184 SA-CORE-2012-002 - Multiple vulnerabilities | Drupal 7.13 release notes
• SA-CORE-2012-003 - Arbitrary PHP code execution #183 SA-CORE-2012-003 - Arbitrary PHP code execution | Drupal 7.16 release notes
• SA-CORE-2012-004 - Multiple vulnerabilities #182 SA-CORE-2012-004 - Multiple vulnerabilities | Drupal 7.18 release notes
• SA-CORE-2013-001 - Multiple vulnerabilities #181 SA-CORE-2013-001 - Multiple vulnerabilities | Drupal 7.19 release notes
• SA-CORE-2013-002 - Denial of service #34 SA-CORE-2013-002 - Denial of service | Drupal 7.20 release notes
• SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities #133 SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities | Drupal 7.24 release notes
• SA-CORE-2014-001 - Multiple vulnerabilities #161 SA-CORE-2014-001 - Multiple vulnerabilities | Drupal 7.26 release notes
• Issue #180: Drupal 7.27 release backports. backdrop#340 SA-CORE-2014-002 - Information Disclosure Drupal 7.27 release notes
• SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities #343 SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities Drupal 7.29 release notes
• SA-CORE-2014-004 - Drupal core - Denial of service #358 SA-CORE-2014-004 - Drupal core - Denial of service Drupal 7.31 release notes
• SA-CORE-2014-005 - Drupal core - SQL injection #359 SA-CORE-2014-005 - Drupal core - SQL injection Drupal 7.32 release notes
• SA-CORE-2014-006 #481 SA-CORE-2014-006 - Drupal Core - Moderately Critical - Multiple Vulnerabilities Drupal 7.34 release notes

The process for doing security updates is as follows:

• Look for the commit that contains only the Drupal release number.
• Review the diff (or create a patch from it)
• Apply these same changes to Backdrop.

For reference, here are all D7 releases

[quicksketch]

It looks like Drupal 7.31 fixed an issue in XML-RPC, but we've removed xmlrpc.php from Backdrop entirely, so that issue does not apply to us. There was also an issue with OpenID, but we've removed that as well. So I've marked the 7.31 task as fixed.

[quicksketch]

We're (currently) all up-to-date on security releases! Yay!

Let's actually do the "double-checking" part now that all the individual patches are in (or an equivalent).

[quicksketch]

All of these have now been reviewed a second time to ensure they're all included. We're done here!