The Drupal project has released version 4.6.1 of its open-source content management platform. Drupal 4.6.1 is a maintenance release that corrects problems reported through the bug tracking system. It also fixes a security vulnerability, so it is recommended that you upgrade your existing Drupal sites. As the bug is also present in the Drupal 4.4 and 4.5 series, Drupal 4.4.3 and Drupal 4.5.3 have been released respectively.

There are no new features in these installments. For more information about the Drupal 4.6.x release series, please consult the Drupal 4.6.0 release announcement.

Download

Security

Security is a primary focus of Drupal. An audit by the Drupal Security Team revealed a security bug in Drupal's user registration code.

To fix this problem, you can (1) disable public registrations, (2) upgrade Drupal or (3) patch your user module.

  1. To disable public registrations, set the option "Public registrations" to "Only site administrators can create new user accounts".
  2. To upgrade Drupal, follow the instructions in INSTALL.txt and consult the information below.
  3. To patch your user module, patch modules/user.module or replace modules/user.module with a new version:

An official security advisory can be found at http://drupal.org/sa-2005-001/advisory.txt.

Drupal 4.6.1

Bugs fixed

The most important bug fixes since Drupal 4.6.0 include:

  • Patch #23360: fixed taxonomy terms disappearing if there are no node links in the Chameleon theme.
  • Patch #16415: fixed character boundary problem in mime_header_encode().
  • Patch #23700: fixed broken t() function that made it impossible to translate some strings.
  • Patch #23213: fixed upload module checking and reporting upload size limits in megabytes, not bytes.
  • Patch #23014: fixed forum module showing forum blocks when there are no forum topics to list.
  • Patch #23285: allow theming of comment previews, like node previews.
  • Patch #22192: fixed invalid XHTML code in the block module's help text.
  • Patch #11791: trim passwords to avoid copy-paste mistakes.
  • Patch #22469: added missing DISTINCT()s to SQL queries in the taxonomy module.
  • Patch #23028: fixed problem with file_check_location().
  • Patch #22804: fixed typo in the comment module's help text.
  • Patch #22857: removed redundant DISTINCT() from SQL queries in the tracker module.
  • Patch #22264: made some SQL queries PostgreSQL compliant.
  • Patch #15841: fixed line-break filter tag matching being case-sensitive.
  • Patch #22118: made file_transfer() more robust.
  • Patch #22123: fixed off-by-one error in printer-friendly book pages.
  • Patch #22154: fixed the aggregator module generating invalid XHTML for its blocks.
  • Patch #21252: fixed the size of the locale module's location field.
  • Patch #21445: added missing t() function.
  • Patch #21687: fixed broken 'delete' link on the book administration page.
  • Patch #15515: added missing GROUP BY to make one of the aggregator module's SQL queries work with PostgreSQL.
  • Patch #15514: added missing parameter to call to variable_get() in blogapi.module.
  • Patch #21249: added missing GROUP BY to make one of the locale module's SQL queries work with PostgreSQL.
  • Patch #21246: made the prefix.sh script work with PostgreSQL.
  • Patch #21195: fixed problem with the book administration page not working under PHP5.
  • Patch #15390: fixed search index not being wiped upon changing the search settings.
  • Patch #20868: fixed blogapi module using the old workflow variables.
  • Patch #21021: fixed wrong URL in INSTALL.txt.
  • Patch #20391: fixed popular content block not respecting the node access permissions.
  • Patch #15298: made the auto-linebreak filter ignore the contents of <script> and <style>.
  • Patch #20690: fixed editing users not clearing the menu cache.
  • Patch #20661: fixed formatting of book navigation by adding a missing <div id=menu>.
  • Fixed security vulnerability in the user registration code.
  • Added missing check_plain(), check_url() and theme('placeholder', ...) calls.
  • Updated the translation templates (.POT-files).

A complete list of all bug fixes in the stable DRUPAL-4-6 branch can be found at http://drupal.org/cvs/drupal/?branch=DRUPAL-4-6.

Upgrading

For the most trouble-free transition from an existing installation, it is recommended that you first upgrade to Drupal 4.6.0. If you are upgrading from Drupal 4.5.x or below, please consult the Drupal 4.6.0 release announcement for more information. To upgrade from Drupal 4.6.0, upload all of the files and directories in the Drupal 4.6.1 package to your webserver, replacing older copies of the files. As with any upgrade, it is a good idea to back up your site and database first.

  • Some database changes have been made since Drupal 4.6.0, so it is recommended that you run Drupal's upgrade script by pointing your browser to http://www.example.com/update.php.
  • No API changes have been made since Drupal 4.6.0, so all contributed themes and modules that work with 4.6.0 will work with 4.6.1.

Bug reports

The Drupal 4.6 branch is still being maintained, so given enough bug fixes (not just bug reports), more maintenance releases will be made available.