Download drupal-6.37.tar.gztar.gz 1.06 MB
MD5: 93353eb918bccfcf4fb6f13ecb0f97d4
SHA-1: a5575b7327eacb0d713c7ad653498ff0cfaca789
SHA-256: e3db44fdeefa9c4b3edf31816a8cfcaffe300986dbebdc22769ec739d3296d5d
Download drupal-6.37.zipzip 1.23 MB
MD5: 34fbcfce999e41cc36286e9c488ed56c
SHA-1: 42fd7fceebe141c2ca683c6f2d9af6a5ebcdb172
SHA-256: 48c5c5be214ae8d55d69f4ba6b85ee24f29c3dc5661429c3b5e46749c51f3966

Release info

Created by: David_Rothstein
Created on: August 19, 2015 - 21:24
Last updated: March 4, 2016 - 17:28
Core compatibility: 6.x
Release type: Security update

Release notes

Maintenance and security release of the Drupal 6 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

No changes have been made to the .htaccess, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

Known issues:


Major changes since 6.36:

  • For security reasons, the autocomplete system now makes Ajax requests to non-clean URLs only, although protection is also in place for custom code that does so using clean URLs. There is a new form API #process function on autocomplete-enabled text fields that is required for the autocomplete functionality to work; custom and contributed modules should ensure that they are not overriding this #process function accidentally when altering text fields on forms. Part of the security fix also includes changes to theme_textfield(); it is recommended that sites which override this theme function make those changes as well (see the theme_textfield section of this diff for details).
  • When form API token validation fails (for example, when a cross-site request forgery attempt is detected, or a user tries to submit a form after having logged out and back in again in the meantime), the form API now skips calling form element value callbacks, except for a select list of callbacks provided by Drupal core that are known to be safe. In rare cases, this could lead to data loss when a user submits a form and receives a token validation error, but the overall effect is expected to be minor.