Releases for Drupal core

Maintenance and security release of the Drupal 6 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

• SA-CORE-2014-004 - Drupal core - Denial of service

No other fixes are included.

The Drupal core repository is now open for the forthcoming 8.0.x series. This is a development snapshot release for the 8.0.x series. This is not stable, and production sites should not run this code. However, users wishing to help test and develop the next version of Drupal are encouraged to use this for test sites.

Maintenance release of the Drupal 7 series. Includes bug fixes only, including a fix for regressions introduced in Drupal 7.29.

No security fixes are included in this release.

Besides documentation fixes, no changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

Known issues:

None.

Maintenance and security release of the Drupal 6 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities

No other fixes are included.

Changes since 8.0-alpha11:

Changes since 8.0-alpha10:

Maintenance and security release of the Drupal 6 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2014-002 - Drupal core - Information Disclosure

No other fixes are included.

Changes since 8.0-alpha8:

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2014-001 - Drupal core - Multiple vulnerabilities

No other fixes are included.

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major new functionality); significant new features are only being added to the forthcoming Drupal 8.0 release.

No security fixes are included in this release.

This is a hot-fix to alpha5 in order to fix problems on Windows. It also includes the initial migrate in core patch.

Changes since 8.0-alpha5:

Maintenance and security release of the Drupal 6 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities

No other fixes are included.

Changes since 8.0-alpha3:

Maintenance release of the Drupal 7 series. Includes bug fixes and small API/feature improvements only (no major new functionality); significant new features are only being added to the forthcoming Drupal 8.0 release.

No security fixes are included in this release.

As with any release, sites should run update.php after updating the code, but for this release it is particularly important to do so due to database changes in the Image module. In addition, sites which perform updates using Drush (rather than via the user interface) may need to run an explicit cache clear after the updates have run to avoid Image module errors.

Besides documentation fixes, no changes have been made to the robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

There are two changes to the .htaccess file in this release:

1. A change to add support for HTTP authorization in CGI environments (see #670454).
2. A fix for a regression in Drupal 7.22 that caused internal server errors for sites running on very old Apache 1.x web servers (see #1962780).

There is also one change to the web.config file for IIS servers in this release:

Maintenance release of the Drupal 7 series. Includes bugfixes and small API/feature improvements only (no major new functionality); significant new features are only being added to the forthcoming Drupal 8.0 release.

No security fixes are included in this release.

Besides documentation fixes, no changes have been made to the robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary. There are two changes to the .htaccess file in this release:

1. An improvement to the default rewrite rules to help avoid man-in-the-middle attacks on sites which are accessed over HTTP and HTTPS (see #1733476).
2. A change to the list of file extensions which are blocked by .htaccess, to prevent temporary files created by text editors from being accessed (see #1907704). Note: This change may cause issues for sites running very old versions of the Apache web server (1.x); see the "Known issues" section below.

Upgrading custom versions of the .htaccess file is recommended.

Known issues:

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2013-002 - Drupal core - Denial of service

No other fixes are included.

No changes have been made to the .htaccess, robots.txt or settings.php files in this release, so upgrading custom versions of those files is not necessary.

Important update notes (and known issues):

If you encountered difficulties upgrading to Drupal 7.20 as described below, try upgrading to Drupal 7.21 and following the instructions there.

The security fixes in this release change all image derivative URLs generated by Drupal to append a token as a query string. ("Image derivatives" are copies of images which the Drupal Image module automatically creates based on configured image styles; for example, thumbnail, medium, large, etc.)

Maintenance and security release of the Drupal 6 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2013-001 - Drupal core - Multiple vulnerabilities

No other fixes are included.

No changes have been made to the .htaccess, robots.txt or settings.php files in this release, so upgrading custom versions of those files is not necessary.

Maintenance and security release of the Drupal 6 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2012-004 - Drupal core - Multiple vulnerabilities

No other fixes are included.

No changes have been made to the .htaccess, robots.txt or settings.php files in this release, so upgrading custom versions of those files is not necessary.

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2012-003 - Drupal core - Arbitrary PHP code execution and Information disclosure

No other fixes are included.

No changes have been made to the .htaccess, robots.txt or settings.php files in this release, so upgrading custom versions of those files is not necessary.

Maintenance release of the Drupal 7 series. Includes bugfixes only (no new functionality), plus the security fixes from Drupal 7.13 which was released alongside Drupal 7.14.

Major changes since 7.13:

- Fixed "integrity constraint" fatal errors when rebuilding registry.
- Fixed custom logo and favicon functionality referencing incorrect paths.
- Fixed DB Case Sensitivity: Allow BINARY attribute in MySQL.
- Split field_bundle_settings out per bundle.
- Improve UX for machine names for fields (UI change).
- Fixed User pictures are not removed properly.
- Fixed HTTPS sessions not working in all cases.
- Fixed Regression: Required radios throw illegal choice error when none selected.
- Fixed allow autocompletion requests to include slashes.
- Eliminate $user->cache and {session}.cache in favor of $_SESSION['cache_expiration'][$bin] (Performance).
- Fixed focus jumps to tab when pressing enter on a form element within tab.
- Fixed race condition in locale() - duplicates in {locales_source}.
- Fixed Missing "Default image" per field instance.
- Quit clobbering people's work when they click the filter tips link
- Form API #states: Fix conditionals to allow OR and XOR constructions.
- Fixed Focus jumps to tab when pressing enter on a form element within tab. (Accessibility)
- Improved performance of node_access queries.

The twentysixth maintenance release of the Drupal 6 series. Only bugfixes have been committed. No security fixes are included in this release. New features are only being added to the forthcoming Drupal 8.0 release.

Drupal 6.26 builds on top of Drupal 6.25 and includes all the previous bugfixes and security improvements. The complete list of changes committed since Drupal 6.25 are as follows:

• #1145700 by jbrown, mr.baileys, joachim: harden link display on dblogoverview screen in case the link might be dependent on user input with any contrib module
• #183435 by TR, gregmac: make drupal_http_request() more tolerant of faulty newlines in the response headers
• #341588 by voxpelli, mikl, Albert Volkman, dawehner: use the right JSON MIME type in drupal_json()
• #1352272 by Albert Volkman, sven.lauer, LSU_JBob: fix phpdoc for system_settings_overview()
• #260934 by catch, ShawnClark, Jody Lynn, Island Usurper, joshmiller, anrikun, roychri, pdrake, Dave Cohen, sun, plach, bjaspan: When drupal_execute()ing multiple forms with same form_id in a page request, only the first one was validated.
• #784864 by Niklas Fiekas, kbgordon7, rdrh555, lisarex: Link in update.php instructions was pointing to an outdated handbook page. Update it.
• #655048 by Gábor Hojtsy, gumanist, intuited, Albert Volkman: Plural formula information was blanked when importing a poorly-formed .po file.
• #751578 by xamanu, sanduhrs, Gábor Hojtsy: OpenID realm should not be language dependent.
• #800968 by JacobSingh, ksenzee, Big Z: Tabledrag.js should not use for...in to iterate over an array.
• #1446372 by Heine, bserem, champlin: Invalid Unicode code range in PREG_CLASS_UNICODE_WORD_BOUNDARY fails with PCRE 8.30.
• #736556 by Albert Volkman, daniels220, jeckman: Improve theme_links() documentation.
• #300279 by achton, pillarsdotnet, unknownguy: Improve db_query_temporary() documentation to apply even if persistent database connections are used.
• #1441852 by chris.leversuch, cafuego: Better return value documentation for db_query().
• #1436074 by Pat Redmond, tstoeckler, fureigh: Minor documentation fix in the batch_set() docs.
• #1432708 by scorchio, mkalkbrenner: Expand drupal_goto() documentation for query argument.
• #1416212 by pontus_nilsson, ibot: Documentation cleanup for _user_mail_notify().
• #1421330 by Albert Volkman, heyrocker: Crosslink cache_set() and cache_get() documentation with @see.

Maintenance release of the Drupal 7 series. Includes bugfixes only (no new functionality), plus the security fixes from Drupal 7.11 which was released alongside Drupal 7.12.

All changes committed since Drupal 7.10 are as follows:

• #336483 by brianV, catch: Fixed Performance: SELECT MAX(comment_count()) FROM node_comment_statistics() does full table scan.
• #289504 by catch, mikeryan, moshe weitzman: Fixed user_delete() performance: index comment uid columns.
• #1326482 by ryanissamson: Clean up minor code style issues in archiver.inc.
• #996236 by fago, sun, pillarsdotnet, xjm: Fixed drupal_flush_all_caches() does not clear entity info cache.
• Rollback of Issue #1280792 by andypost: Key length too long error.
• #569076 by rocket_nova, wamilton, alonpeer: Test that taxonomy term page contains a link to parent terms in the breadcrumbs.
• #1367000 by chris.leversuch, oriol_e9g, David_Rothstein: Clean up API docs for php module.
• #1421330 by heyrocker: Fixed Add @see for cache_set() and cache_get() .

Important!! It was discovered post-release that this version of Drupal only includes bug fixes from Drupal 7.9, not Drupal 7.10! Users are encouraged to use Drupal 7.12 instead. Discussion is happening at #1430404: Drupal 7.11 is missing all the bug fixes from Drupal 7.10

Highlights

• Fixed Content-Language HTTP header to not cause issues with Drush 5.x.
• Reduce memory usage of theme registry (performance).
• Fixed PECL upload progress bar for FileField
• Fixed running update.php doesn't always clear the cache.
• Fixed PDO exceptions on long titles.
• Fixed Overlay redirect does not include query string.
• Fixed D6 modules satisfy D7 module dependencies.
• Fixed the ordering of module hooks when using module_implements_alter().
• Fixed "floating" submit buttons during AJAX requests.
• Fixed timezone selected on install not propogating to admin account.
• Added msgctx context to JS translation functions, for feature parity with t().
• Profiles' .install files now available during hook_install_tasks().
• Added test coverage of 7.0 -> 7.x upgrade path.
• Numerous notice fixes.
• Numerous documentation improvements.
• Additional automated test coverage.

Update notes

• None at this time.

Known issues

• None at this time.

Full list of changes since 7.9:

• #1318316 by xjm: AssertTaxonomyPage is missing documentation.