Release info

Created by: David_Rothstein
Created on: November 20, 2013 - 20:55
Last updated: January 15, 2014 - 20:17
Core compatibility: 6.x
Release type: Security update

Release notes

Maintenance and security release of the Drupal 6 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

No other fixes are included.

No changes have been made to the top-level .htaccess, robots.txt or settings.php files in this release, so upgrading custom versions of those files is not necessary.

Important upgrade note:

Upgrading an existing Drupal site to this version requires manual changes to the .htaccess files in the site's files directories. See SA-CORE-2013-003 for instructions.

Known issues:

For a while after the release, sites running certain versions of Drupal core may have seen an erroneous message from the Update Status module recommending that they update to Drupal 6.27 rather than this release. This appears to be an issue related to the Drupal 7 upgrade which has since been fixed; see this issue for further details.

Major changes since 6.28:

  • This release contains a small change to the form API. It will have no effect on standard form API usage, but could affect code which does highly custom form processing; in particular, any code which calls functions like drupal_process_form() or drupal_validate_form() to process a form directly should be aware that when the form is validated, validation will now stop immediately in the case where the form's cross-site request forgery (CSRF) token fails validation. Previously all subsequent validation handlers would still be executed in this case.
  • There is a new drupal_random_key() API function. Its usage is recommended for any code that needs to obtain a permanent, randomly-generated string which is safe to insert in HTML pages and URLs.