Download drupal-6.38.tar.gztar.gz 1.06 MB
MD5: 2ece34c3bb74e8bff5708593fa83eaac
SHA-1: a041690cf79cb7551535e789d5b08b335e3478ba
SHA-256: 46a6d7ec170e74f3c85b11fdf0fae74ce0691d4260b848bf5faff1f0f5f31d4b
Download drupal-6.38.zipzip 1.23 MB
MD5: af4525538fef391c86e98ef889bf5e44
SHA-1: 19368055646026f32596e97fe22701f7436830ba
SHA-256: a83f88b87eb4c7ce98e7dc12fd5e4db6271ce28e91db41cd4f061dede151a703

Release info

Created by: Gábor Hojtsy
Created on: 24 Feb 2016 at 19:26 UTC
Last updated: 24 Feb 2016 at 19:56 UTC
Core compatibility: 6.x
Release type: Security update

Release notes

Maintenance and security release of the Drupal 6 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

This is the last community-supported release of Drupal 6, which has now reached its end of life.

Because this is the last release, it also includes some small documentation improvements (that were previously on the development branch) in addition to the security fixes. No other fixes are included.

Besides documentation fixes, no changes have been made to the .htaccess, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

Known issues:


Major changes since 6.37:

  • The form API has changed such that form buttons which have the #access property set to FALSE in the form definition array can no longer be submitted. This should not affect most uses cases (since under normal operation a button with #access set to FALSE would not have been displayed to users anyway) but could affect some unusual forms. If you need to hide a button in the HTML output but still want to allow it to be submitted (e.g. by client-side code), you can either (a) hide the button using CSS or JavaScript, or (b) set #access to FALSE in an #after_build callback rather than in the form definition (see this change in the FileField module for example code).
  • The drupal_goto() function will no longer attempt to decode URLs passed to it via the "destination" query parameter in the URL. This could affect destination query parameters that were encoded using drupal_urlencode() before placing them on the page, but this should not be common since the drupal_urlencode() documentation already warned that using it in this manner could lead to unwanted double encoding.
  • The "system.multicall" method in Drupal's XML-RPC server has changed such that, by default, it only supports one call for each distinct RPC method (in other words, within a single XML-RPC request you may call four different methods but you can no longer call the same method four times). No changes have been made to Drupal's XML-RPC client code that is used for making XML-RPC requests from your site to other XML-RPC servers; this only affects calls from other servers to your Drupal site. This was not a commonly used feature, but if you have a use case that requires multiple calls to the same XML-RPC method in a single request, a new "xmlrpc_multicall_duplicate_method_limit" variable has been provided that allows you to do so. For example, in settings.php:
      // Allow the same method to be called up to 10 times in a single
      // "system.multicall" request.
      $conf['xmlrpc_multicall_duplicate_method_limit'] = 10;


      // Setting the variable to 0 or lower will remove the limit and restore the
      // prior behavior, although this also weakens protection against brute-force
      // attacks.
      $conf['xmlrpc_multicall_duplicate_method_limit'] = 0;


The selected release is the release that will be used for automated testing. Optional projects are only used for testing.


No required projects


No optional projects