adm/index.php | 2 1 + 1 - 0 !
common.php | 2 2 + 0 - 0 !
includes/acp/acp_styles.php | 10 5 + 5 - 0 !
3 files changed, 8 insertions(+), 6 deletions(-)

 overrides the version display, such that it is clear a debian package is used.

includes/acp/acp_main.php | 6 5 + 1 - 0 !
includes/acp/acp_update.php | 16 8 + 8 - 0 !
2 files changed, 13 insertions(+), 9 deletions(-)

 disables upstream version check.

cron.php | 4 3 + 1 - 0 !
includes/acm/acm_file.php | 12 10 + 2 - 0 !
includes/acm/acm_memory.php | 4 2 + 2 - 0 !
includes/acp/acp_database.php | 14 9 + 5 - 0 !
includes/acp/acp_language.php | 28 17 + 11 - 0 !
includes/acp/acp_styles.php | 36 20 + 16 - 0 !
includes/functions.php | 4 2 + 2 - 0 !
includes/functions_compress.php | 8 4 + 4 - 0 !
includes/functions_messenger.php | 4 2 + 2 - 0 !
includes/functions_posting.php | 1 1 + 0 - 0 !
includes/functions_transfer.php | 4 2 + 2 - 0 !
includes/functions_user.php | 1 1 + 0 - 0 !
includes/template.php | 8 4 + 4 - 0 !
13 files changed, 77 insertions(+), 51 deletions(-)

 makes caches, file uploads, etc. work when multiple forums use the same codebase.
Bug-Debian: http://bugs.debian.org/437836

install/database_update.php | 2 1 + 1 - 0 !
install/index.php | 4 2 + 2 - 0 !
install/install_convert.php | 2 1 + 1 - 0 !
install/install_install.php | 22 18 + 4 - 0 !
install/install_main.php | 2 1 + 1 - 0 !
language/en/install.php | 2 1 + 1 - 0 !
6 files changed, 24 insertions(+), 10 deletions(-)

 modifies the newly shipped installer to
 - NOT show convert tab
 - be able to run even though config.php is there (which in Debian, it is always)
 - remove output that has no meaning/is confusing here or links to unexisting files

install/database_update.php | 2 2 + 0 - 0 !
install/index.php | 6 4 + 2 - 0 !
2 files changed, 6 insertions(+), 2 deletions(-)

 fix phpbb_root_path in install-xxx (used in multiboard).
Bug-Debian: http://bugs.debian.org/644276

includes/functions.php | 12 6 + 6 - 0 !
1 file changed, 6 insertions(+), 6 deletions(-)

 fix chown in cache
 Ensure files in cache belong to www-data. phpBB tries to set them to
 the same owner than common.php, that belongs to root under Debian, and
 then set them world writable because it cant change the owner (nor
 group) to root.

l10n-pl/language/pl/email/index.htm | 19 0 + 19 - 0 !
1 file changed, 19 deletions(-)

 do not fetch data from an external website
 Even if the page is not supposed to be displayed, linking to an
 external CSS is bad taste.

includes/startup.php | 48 48 + 0 - 0 !
1 file changed, 48 insertions(+)

 explicitly disallow trailing paths
 CSRF potentially allowing an attacker to modify the private message
 setting that determines how full folders are handled (i.e. whether to
 delete the oldest message or hold the new message until further space
 is available).
 [CVE-2015-1432]

includes/ucp/ucp_pm_options.php | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 correctly validate the ucp_pm_options form key
 This allows an attacker to load arbitrary CSS in Internet Explorer by
 crafting a URL with trailing paths after a PHP file (for example
 /path/index.php/more/path). This is only possible if the webserver
 configuration allows accessing PHP files in this manner.

includes/acp/acp_main.php | 4 2 + 2 - 0 !
install/install_install.php | 7 4 + 3 - 0 !
2 files changed, 6 insertions(+), 5 deletions(-)

 handle mbstring.http_{in,out}put for php5.6
 Having mbstring.http_input set to '' is as good as 'pass'.
 Fix mbstring warnings in ACP for PHP 5.6 compatibility. 

includes/auth/auth_ldap.php | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 add phpbb_ prefix to ldap_escape() 
 Since ldap_escape() has been added to PHP 5.6.0+, its internal
 declaration throws a fatal error:
   Cannot redeclare ldap_escape() at line 300 in /includes/auth/auth_ldap.php