Releases for Drupal

The fifteenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-009 - Drupal Core - Cross site scripting

In addition to this security vulnerability, the following bugs have been fixed since the 6.14 release:

• #193383 follow up by TheRec: (regression) - some set_time_limit() numbers were inadvertently removed in the previous patch.
• #499828 by Darren Oh, Dave Reid, dww: Wrong release dates were recorded on multi-module projects if deployed from CVS
• #563526 by jhodgdon: fix @see and @code phpdoc in user-profile.tpl.php
• #485350 by jhodgdon: better documentation and add code example for module_load_include()
• #574862 by jhodgdon: better documentation for menu_set_active_trail()
• #263517 by mfb: fix notice when parsing an RSS feed with file attachments

The twentieth maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-008 Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed since the 5.19 release:

• Backport of #227228 by andypost, et al. Per-table cache_flush variables to avoid not flushing all but the first table when multiple tables are cleared.
• #141965 by jeffschuler: taxonomy_term_path() and its phpdoc block was separated by one blank line, thus disconnecting it for the API docs parser.
• #472160 by chx and Heine. Deny D6-style access elements.
• #109513 backport by Freso. Create temporary mysql tables in memory.
• #292565 second follow up by John Morahan: fix login destination again on 403/404 pages and make the search form work there if displayed

Placeholder release. The 8.x-dev series won't actually have any code until the DRUPAL-7 branch for core is created and HEAD is opened for business. This release just exists so that there's a "8.x-dev" option in the issue queue.

The thirteenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed since the 6.12 release:

• - Patch #463450 by wulff: fixed documentation glitch.
• #193577 by Rob Loach, Damien Tournoud, andypost: JavaScript string split() function does not behave like PHP explode(); causes problems with multiple node body break tags
• #454992 by sun, bengtan: _drupal_flush_css_js() should not have 'q' as a possible CSS query character, since that is the Drupal path name character too
• #452704 by andypost, catch: Names of compressed CSS and JS files should have a prefix, so that names starting in ad* will not happen. Those are easily blocked by firewalls, Firefox's Adblock, etc.

The twelfth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-006 - Drupal core - Cross site scripting

In addition to this security vulnerability, the following bugs have been fixed since the 6.11 release:

• #353328 by catch, BrianV: When a new commment is added, the redirection path should point to page, where the new comment is.
• #239945 by Xano, JeremyFrench, Damien Tournoud, andypost: Should not iterate over the children in taxonomy_get_tree() anymore if we reached max_depth.
• #292565 by grendzy, John Morahan, Jody Linn: remove path munging on 403/404 pages, which caused problems for login redirects
• #448268 by dww: Make sure that submitting the themes admin form clears out the update status cache, just like the modules admin form does.

The eleventh maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-005 - Drupal core - Cross site scripting

In addition to this security vulnerability, the following bugs have been fixed since the 6.10 release:

• #376408 follow up by pwolanin: search_nodeapi() lacked break in switch; resulted in issue in logic not code flow
• #197864 by vito_swat, alpritt, Murz, catch: Use hook_term_path() in forum module instead of hook_link_alter(); simplfies code, improves performance and compatibility.
• #314314 by bastos, Dave Reid, mr.baileys, Pasqualle: fix invalid XHTML markup in update.php output
• #372914 by chx, pwolanin, webchick: Menu link title localization was broken when a non-t callback was used
• #395086 by Freso: call trim() before truncate_utf8() in comment module for better quality truncation.

The tenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-003 - Local file inclusion on Windows

In addition to this security vulnerability, the following bugs have been fixed since the 6.9 release:

• - Patch #298722 by pwolanin: _menu_translate returns FALSE before to_arg is available. Drupal.org upgrade blocker.
• #310863 by bangpound, dboulet, catch, lee20: Locale variable results in locale module install, so skip adding empty variable when not needed.
• #275796 by Gribnif, Damien Tournoud, Dave Reid, vaish: module_list() should set its static variable to NULL instead of unset()-ing it, so it does not retain its value
• #328110 by marcingy, swentel, Damien Tournoud, pwolanin, David_Rothstein: the link argument is passed by reference to menu_link_save(), so avoid overwriting local variables in menu_enable().

The fifteenth maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-001 Drupal core - Multiple vulnerabilities

The fourteenth maintenance release of the Drupal 5 series. Only fixes for bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

The following bug has been fixed since the 5.13 release:

• Rolling back #280934. PHP 4 incompatibility.