Releases for Drupal core

The fifth maintenance and security release of the Drupal 7 series. Only fixes for security vulnerabilities have been committed. New features are only being added to the forthcoming Drupal 8.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

The third maintenance and security release of the Drupal 7 series. Only fixes for security vulnerabilities have been committed. New features are only being added to the forthcoming Drupal 8.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

The second maintenance release of the Drupal 7 series. Only bugfixes have been committed. No security fixes are included in this release. New features are only being added to the forthcoming Drupal 8.0 release.

This release includes the security fixes from Drupal 7.1 which was released alongside Drupal 7.2. No additional security fixes are included.

Known issues:

• #1169798: Field labels are not translated anymore after upgrading to D7.2: This change was made by design. Solution is to use the i18n_fields module, part of the i18n module.

The complete list of changes committed since Drupal 7.0 are as follows:

• Get CHANGELOG.txt caught up to speed with changes in Drupal 6 and Drupal 5 in the past three years.
• #1137074 by plach, Jose Reyero: notices and wrong links on translation tab for unpublished nodes.
• #1021270 by larowlan, wojtha: Fixed Blocks for custom menus are impossible to theme.
• #1096340 by plach, fietserwin, sun: Fixed Stale language types/negotation info after enabling/disabling modules.
• #1019352 by Jody Lynn: delete blog module's variable on hook_uninstall().
• #1019292 by TR, Jody Lynn: remove random nbsp characters.

The twentyfirst maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities have been committed. New features are only being added to the forthcoming Drupal 8.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

Changes since DRUPAL-7-0-RC-3:

The twentieth maintenance release of the Drupal 6 series. Only bugfixes have been committed. No security fixes are included in this release. New features are now only being added to the Drupal 8.0 development version.

The complete list of changes committed since Drupal 6.19 are as follows:

• #494462 by z.stolar: modify robots.txt to give search engine crawlers permission to index content in /sites/*, such as images uploaded to the site
• #481142 by JohnAlbin, sociotech: theme settings forms were not inherited by sub-themes
• #764548 by Dave Reid, sun: backport hiding of hidden modules on the modules page, so if projects include hidden modules for testing, those will not confuse users
• #687674 by jefnguo, rdrh555: fix minor code documentation typo in menu.inc
• #881540 by bjaspan: make syslog identity configurable on the user interface (instead of hardwired to 'drupal')
• #280930 by pillarsdotnet, oadaeh, David_Rothstein: fall back on an empty array if hook_schema is not defined for a module
• #956320: clean up documentation for menu_set_active_trail

Changes since DRUPAL-7-0-BETA3:

Changes since DRUPAL-7-0-BETA1:

TODO.

The nineteenth maintenance release of the Drupal 6 series. Only bugfixes have been committed. No security fixes are included in this release. New features are only being added to the forthcoming Drupal 7.0 release.

This release includes the security fixes from Drupal 6.18 which was released alongside Drupal 6.19. No additional security fixes are included.

The complete list of changes committed since Drupal 6.17 are as follows:

• #521370 by Damien Tournoud, marcingy, andypost: watchdog hook invocations should be ordered by weight, not name
• #828706 by oadaeh: use module_load_install() instead of module_load_include() in drupal_get_schema_unprocessed()
• #341136 by bwynants, jvandervort: taxonomy selection too dependent on node preview being present
• #826864 by mr.baileys: improve documentation for decode_entities()
• #360605 followup by Berdir, gpk: improve PHP 5.3 compatibility for misconfigured hosts even
• #824102 by cwgordon7: provide access callback for contrib token implementations too

Changes since DRUPAL-7-0-ALPHA5:

Numerous upgrade path fixes.
Numerous security path fixes.
Numerous API documentation additions -- all core hooks are documented now!
Lots and lots of critical bug fixes.

Changes since DRUPAL-7-0-ALPHA2:

The sixteenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2010-001 - Drupal Core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed since the 6.15 release:

• #673974 by sun: PHP notice when mass-unpublishing or deleting comments, and wrong form validation redirect
• #424372 by mr.baileys, bombatower, Arancaytar: :: in .info files caused fatal error, use list of constants for lookup instead
• #370958 by Rob Loach, drewish, c960657, neilnz: some Adobe Flash MIME types were missing from our MIME listing
• #284392 follow up by benoitg, brianV, mathieu, evoltech, tyr, Steven Jones, agentrickard, bl444137: better fix for issues around SQL rewrites adding DISTINCT

TODO

The twenty-first maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-009 - Drupal Core - Cross site scripting

The fourteenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-008 - Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed since the 6.13 release:

• #482646 follow up by Dave Reid: only check the db prefix for simpletest if it was a string (not running a multisite)
• #284392 by Passionate_Lass, Anselm Heaton, tassoman, agentrickard: DISTINCT handling in db_distinct_field()'s MySQL implementations was resulting in bogus queries
• #310139 by fonant, c960657, pwolanin: drupal_urlencode() and Drupal.encodeURIComponent was used to encode query strings and other components it should not have been used for
• #499254 by chx: Drupal lacked support for positive integer values in database queries, beyond PHP_INT_MAX; caused issues with twitter integration and big numbers in general

The thirteenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed since the 6.12 release:

• - Patch #463450 by wulff: fixed documentation glitch.
• #193577 by Rob Loach, Damien Tournoud, andypost: JavaScript string split() function does not behave like PHP explode(); causes problems with multiple node body break tags
• #454992 by sun, bengtan: _drupal_flush_css_js() should not have 'q' as a possible CSS query character, since that is the Drupal path name character too
• #452704 by andypost, catch: Names of compressed CSS and JS files should have a prefix, so that names starting in ad* will not happen. Those are easily blocked by firewalls, Firefox's Adblock, etc.

The twelfth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

The seventeenth maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-005 Drupal core - Cross site scripting

The tenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-003 - Local file inclusion on Windows

In addition to this security vulnerability, the following bugs have been fixed since the 6.9 release:

• - Patch #298722 by pwolanin: _menu_translate returns FALSE before to_arg is available. Drupal.org upgrade blocker.
• #310863 by bangpound, dboulet, catch, lee20: Locale variable results in locale module install, so skip adding empty variable when not needed.
• #275796 by Gribnif, Damien Tournoud, Dave Reid, vaish: module_list() should set its static variable to NULL instead of unset()-ing it, so it does not retain its value
• #328110 by marcingy, swentel, Damien Tournoud, pwolanin, David_Rothstein: the link argument is passed by reference to menu_link_save(), so avoid overwriting local variables in menu_enable().

The fifteenth maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-001 Drupal core - Multiple vulnerabilities

The fourteenth maintenance release of the Drupal 5 series. Only fixes for bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

The following bug has been fixed since the 5.13 release:

• Rolling back #280934. PHP 4 incompatibility.

The seventh maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-2008-073 - Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed since the 6.6 release:

• - Patch #324118 by winterheart: fixed invalid XHTML being generated for forum topic listings.
• - Patch #329019 by dww, sun: fixed PHP warning.
• #315739 by sun: The theme name is in arg(4) on the block admin page, so only redirect to theme specific page if that is set.
• - Patch #329646 by Damien Tournoud: properly reset user_access().
• - Patch #255293 by Gribnif, maartenvg: incorrect regex causes some aggregated CSS to fail.
• #329998 by pwolanin: escape markup looking non-HTML tags in schema descriptions