drupal 6.7

The seventh maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-2008-073 - Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed since the 6.6 release:

• - Patch #324118 by winterheart: fixed invalid XHTML being generated for forum topic listings.
• - Patch #329019 by dww, sun: fixed PHP warning.
• #315739 by sun: The theme name is in arg(4) on the block admin page, so only redirect to theme specific page if that is set.
• - Patch #329646 by Damien Tournoud: properly reset user_access().
• - Patch #255293 by Gribnif, maartenvg: incorrect regex causes some aggregated CSS to fail.
• #329998 by pwolanin: escape markup looking non-HTML tags in schema descriptions
• #258089 by JohnAlbin, Arancaytar, merlinofchaos: themes cannot have a preprocess function without a corresponding .tpl.php file
• #255150 by dropcube, tested by catch, asimmonds: content type names were double escaped on create content page
• #329660 by pwolanin: node_configure_validate() should be replaced with a #submit handler to conform to FormAPI rules
• #299742 by Darren Oh: missing #ahah support on checkboxes
• #193580 follow up by gpk: late but important changelog entry for Drupal 6.0
• #302638 by pwolanin: avoid running several no-op queries while the menu is being rebuilt; improves performance
• Rolling back #302638, it caused problems reported in #328110
• #319165 by Alex_Tutubalin: add explicit UTF-8 client encoding setting for PostgreSQL
• - Patch #277644 by lilou: documentation improvement.
• - Patch #335385 by Dave Reid: fixed maxlength of path alias fields to be consistent with the database.
• - Patch #337454 by earnie: fixed the phpdoc of drupal_render_form().
• - Patch #293370 by swentel et al: make block sorting work when there are more than 20 blocks.
• - Patch #325908 by kbahey: removed redundant cache flusing.
• - Patch #281131 by Damien Tournoud: document the missing quote in .htaccess.
• - Patch #336115 by Nedjo: better documentation for t().
• - Patch #342988 by ultimateboy: fixed order of attributes in PHPdoc.
• #324875 by pwolanin: improve HTTP_HOST checking, ensuring that the host is lowercased and only valid characters are allowed.
• #280934 follow up by pwolanin: harden the cookie handling in sess_regenerate() by setting our session cookie to be an HTTP only cookie, thus reducing the risk of session stealing via XSS
• #28776 by Uwe Hermann, Morbus Iff, jvandyk: Protect *.test files and SVN metafiles from being exposed under Drupal
• #299582 by hass: Remove outdated items from robots.txt and fix ordering of items to make stuff easier to find.
• #305653 by snowball43, cdale, Dave Reid, sun: All themes were disabled when update.php was run
• #344661 by Dave Reid: fix phpdoc documentation on translation_translation_link_alter()
• #333060 by neclimdul, merlinofchaos, dvessel: child themes did not inherit patterns correctly, so more specific template files are not detected
• #206138 by pwolanin et al: little documentation fix for node base module name handling
• #276111 by pwolanin, meba and myself: disallow possibly dangerous submissions in locale translations and imports
• #345167 by JacobSingh, pwolanin, Heine: drupal_http_request() includes an extra CRLF, not conformant to HTTP specs