Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
No changes have been made to the .htaccess, robots.txt or settings.php files in this release, so upgrading custom versions of those files is not necessary.
No changes have been made to the .htaccess, robots.txt or settings.php files in this release, so upgrading custom versions of those files is not necessary.
The twentysixth maintenance release of the Drupal 6 series. Only bugfixes have been committed. No security fixes are included in this release. New features are only being added to the forthcoming Drupal 8.0 release.
Drupal 6.26 builds on top of Drupal 6.25 and includes all the previous bugfixes and security improvements. The complete list of changes committed since Drupal 6.25 are as follows:
#1145700 by jbrown, mr.baileys, joachim: harden link display on dblogoverview screen in case the link might be dependent on user input with any contrib module
#183435 by TR, gregmac: make drupal_http_request() more tolerant of faulty newlines in the response headers
#341588 by voxpelli, mikl, Albert Volkman, dawehner: use the right JSON MIME type in drupal_json()
#1352272 by Albert Volkman, sven.lauer, LSU_JBob: fix phpdoc for system_settings_overview()
#260934 by catch, ShawnClark, Jody Lynn, Island Usurper, joshmiller, anrikun, roychri, pdrake, Dave Cohen, sun, plach, bjaspan: When drupal_execute()ing multiple forms with same form_id in a page request, only the first one was validated.
#784864 by Niklas Fiekas, kbgordon7, rdrh555, lisarex: Link in update.php instructions was pointing to an outdated handbook page. Update it.
#655048 by Gábor Hojtsy, gumanist, intuited, Albert Volkman: Plural formula information was blanked when importing a poorly-formed .po file.
#751578 by xamanu, sanduhrs, Gábor Hojtsy: OpenID realm should not be language dependent.
#800968 by JacobSingh, ksenzee, Big Z: Tabledrag.js should not use for...in to iterate over an array.
#1446372 by Heine, bserem, champlin: Invalid Unicode code range in PREG_CLASS_UNICODE_WORD_BOUNDARY fails with PCRE 8.30.
#736556 by Albert Volkman, daniels220, jeckman: Improve theme_links() documentation.
#300279 by achton, pillarsdotnet, unknownguy: Improve db_query_temporary() documentation to apply even if persistent database connections are used.
#1441852 by chris.leversuch, cafuego: Better return value documentation for db_query().
#1436074 by Pat Redmond, tstoeckler, fureigh: Minor documentation fix in the batch_set() docs.
#1432708 by scorchio, mkalkbrenner: Expand drupal_goto() documentation for query argument.
#1416212 by pontus_nilsson, ibot: Documentation cleanup for _user_mail_notify().
#1421330 by Albert Volkman, heyrocker: Crosslink cache_set() and cache_get() documentation with @see.
The twentyfifth maintenance release of the Drupal 6 series. Only bugfixes have been committed. No security fixes are included in this release. New features are only being added to the forthcoming Drupal 8.0 release.
Drupal 6.25 builds on top of Drupal 6.24 and includes all the previous bugfixes and security improvements The complete list of changes committed since Drupal 6.24 are as follows:
The twentyfourth maintenance release of the Drupal 6 series. Only bugfixes have been committed. No security fixes are included in this release. New features are only being added to the forthcoming Drupal 8.0 release.
This release includes the security fixes from Drupal 6.23 which was released alongside Drupal 6.24. No additional security fixes are included.
The complete list of changes committed since Drupal 6.22 are as follows:
#879270 by Ben Coleman: query in taxonomy_node_get_terms() needs the v.weight field added to the SELECT because it was already present in the ORDER BY; improved PostgreSQL compatibility
#12274 by markoshust, DamienMcKenna, seanbfuller, cburschka, aufumy: do not accept email addresses with dots at the end as valid
#600836 by tim.cosgrove, dww, naxoc, Dave Reid: prevent batches from going indefinitely if their 'finished' value becomes bigger than 1
#289504 by mikeryan, catch, moshe weitzman: backport indexes from Drupal 7 on comments and node_comment_statistics to improve performance of mass-user operations such as deleting users en masse
The twentythird maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities have been committed. New features are only being added to the forthcoming Drupal 8.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
The twentysecond maintenance release of the Drupal 6 series. Only bugfixes have been committed. No security fixes are included in this release. New features are only being added to the forthcoming Drupal 8.0 release.
This release includes the security fixes from Drupal 6.21 which was released alongside Drupal 6.22. No additional security fixes are included.
The complete list of changes committed since Drupal 6.20 are as follows:
#113611 by crischan, jjrey, JuliaKM, salvis, Offlein: Forum post counts incorrect when using node access control modules
#321063 by eMPee584, Kars-T, pillarsdotnet: Path book/export/html/N with a non-book nid should abort and return 404 not found.
#235673 by yched, Damien Tournoud, swentel, pwolanin, redndahead, sun, carlos8f, c960657: Changes to block caching mode not caught
#384794 by trond, mvc, alduya, intuited, jaydublu, jhedstrom: trim() .po file comments on import, so that custom textgroup imports will find their right database equivalent
#163445 by webengr, mlsamuelson, greg.1.anderson, pescetti: fix issues with IE not being able to download private files served over SSL with additional headers
The twentyfirst maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities have been committed. New features are only being added to the forthcoming Drupal 8.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
The twentieth maintenance release of the Drupal 6 series. Only bugfixes have been committed. No security fixes are included in this release. New features are now only being added to the Drupal 8.0 development version.
The complete list of changes committed since Drupal 6.19 are as follows:
#494462 by z.stolar: modify robots.txt to give search engine crawlers permission to index content in /sites/*, such as images uploaded to the site
#481142 by JohnAlbin, sociotech: theme settings forms were not inherited by sub-themes
#764548 by Dave Reid, sun: backport hiding of hidden modules on the modules page, so if projects include hidden modules for testing, those will not confuse users
#687674 by jefnguo, rdrh555: fix minor code documentation typo in menu.inc
#881540 by bjaspan: make syslog identity configurable on the user interface (instead of hardwired to 'drupal')
#280930 by pillarsdotnet, oadaeh, David_Rothstein: fall back on an empty array if hook_schema is not defined for a module
#956320: clean up documentation for menu_set_active_trail
The nineteenth maintenance release of the Drupal 6 series. Only bugfixes have been committed. No security fixes are included in this release. New features are only being added to the forthcoming Drupal 7.0 release.
This release includes the security fixes from Drupal 6.18 which was released alongside Drupal 6.19. No additional security fixes are included.
The complete list of changes committed since Drupal 6.17 are as follows:
#521370 by Damien Tournoud, marcingy, andypost: watchdog hook invocations should be ordered by weight, not name
#828706 by oadaeh: use module_load_install() instead of module_load_include() in drupal_get_schema_unprocessed()
#341136 by bwynants, jvandervort: taxonomy selection too dependent on node preview being present
#826864 by mr.baileys: improve documentation for decode_entities()
#360605 followup by Berdir, gpk: improve PHP 5.3 compatibility for misconfigured hosts even
#824102 by cwgordon7: provide access callback for contrib token implementations too
The eighteenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
The seventeenth maintenance release of the Drupal 6 series. Only bugfixes and minor improvements have been committed. New features are only being added to the forthcoming Drupal 7.0 release. This release does not fix any security issues.
The following patches have been committed since the 6.16 release:
The sixteenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
In addition to this security vulnerability, the following bugs have been fixed since the 6.15 release:
#673974 by sun: PHP notice when mass-unpublishing or deleting comments, and wrong form validation redirect
#424372 by mr.baileys, bombatower, Arancaytar: :: in .info files caused fatal error, use list of constants for lookup instead
#370958 by Rob Loach, drewish, c960657, neilnz: some Adobe Flash MIME types were missing from our MIME listing
#284392 follow up by benoitg, brianV, mathieu, evoltech, tyr, Steven Jones, agentrickard, bl444137: better fix for issues around SQL rewrites adding DISTINCT
The fifteenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
The fourteenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
In addition to this security vulnerability, the following bugs have been fixed since the 6.13 release:
#482646 follow up by Dave Reid: only check the db prefix for simpletest if it was a string (not running a multisite)
#284392 by Passionate_Lass, Anselm Heaton, tassoman, agentrickard: DISTINCT handling in db_distinct_field()'s MySQL implementations was resulting in bogus queries
#310139 by fonant, c960657, pwolanin: drupal_urlencode() and Drupal.encodeURIComponent was used to encode query strings and other components it should not have been used for
#499254 by chx: Drupal lacked support for positive integer values in database queries, beyond PHP_INT_MAX; caused issues with twitter integration and big numbers in general
The thirteenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
In addition to this security vulnerability, the following bugs have been fixed since the 6.12 release:
- Patch #463450 by wulff: fixed documentation glitch.
#193577 by Rob Loach, Damien Tournoud, andypost: JavaScript string split() function does not behave like PHP explode(); causes problems with multiple node body break tags
#454992 by sun, bengtan: _drupal_flush_css_js() should not have 'q' as a possible CSS query character, since that is the Drupal path name character too
#452704 by andypost, catch: Names of compressed CSS and JS files should have a prefix, so that names starting in ad* will not happen. Those are easily blocked by firewalls, Firefox's Adblock, etc.
The twelfth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
The eleventh maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the security announcement:
In addition to this security vulnerability, the following bugs have been fixed since the 6.10 release:
#376408 follow up by pwolanin: search_nodeapi() lacked break in switch; resulted in issue in logic not code flow
#197864 by vito_swat, alpritt, Murz, catch: Use hook_term_path() in forum module instead of hook_link_alter(); simplfies code, improves performance and compatibility.
#314314 by bastos, Dave Reid, mr.baileys, Pasqualle: fix invalid XHTML markup in update.php output
#372914 by chx, pwolanin, webchick: Menu link title localization was broken when a non-t callback was used
#395086 by Freso: call trim() before truncate_utf8() in comment module for better quality truncation.
The tenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the security announcement:
In addition to this security vulnerability, the following bugs have been fixed since the 6.9 release:
- Patch #298722 by pwolanin: _menu_translate returns FALSE before to_arg is available. Drupal.org upgrade blocker.
#310863 by bangpound, dboulet, catch, lee20: Locale variable results in locale module install, so skip adding empty variable when not needed.
#275796 by Gribnif, Damien Tournoud, Dave Reid, vaish: module_list() should set its static variable to NULL instead of unset()-ing it, so it does not retain its value
#328110 by marcingy, swentel, Damien Tournoud, pwolanin, David_Rothstein: the link argument is passed by reference to menu_link_save(), so avoid overwriting local variables in menu_enable().
The ninth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
In addition to this security vulnerability, the following bugs have been fixed since the 6.8 release:
- Patch #331708 by chx: poll_choice_js uses FAPI2.
- Patch #350708 by dww: t() documentation clean-up.
#245990 by Dave Reid, chx, dww: Look for the www.example.com page when a HTTP request seems to fail. Looking for the local page caused problems for people with interactive authentication, redirects, hosting added JavaScript code, and so on.
- Patch #262920 by ainigma32: language selection for domain should look at HTTP_HOST not SERVER_NAME.
- Patch #353886 by killes: too many arguments to SQL query in locale import.
The eight maintenance release of the Drupal 6 series. Only fixes for bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
The following bug has been fixed since the 6.7 release:
The seventh maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
The sixth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
The fifth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
The fourth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
The third maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
The second maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities and also changes APIs. Sites are urged to upgrade immediately after reading the security announcement:
In addition to this security vulnerability, the following bugs have been fixed since the 6.1 release:
#228120 by jvandyk: typo in documentation in comment.tpl.php
#226480 by gpk: fix wording on when node access rebuild button is displayed in node_configure()
#229817 by mcarrera: l() attributes were not properly specified in theme.inc's theme_username()
#234403 by alienbrain: PHP.net documents we should use CRLF in mail headers, so do that
#226555 by jvandyk, Rok Zlender: fix notice level error in xmlrpc.inc
#204415 by chx: actually use 'administer content types' permission for node type editing instead of 'administer nodes'
#234699 by hass: theme_link() did not mark frontpage links active properly
#237717 by hass: missing t() in system_clear_cache_submit()
#232037 by pwolanin: (performance) block regions should only be populated when called for, not in all cases (fixes performance expectation on 403/404 pages)
#226728 by chx: (performance) temporary cache table entries were not flushed, causing cache_menu and cache_form to grow big
#231587 by pwolanin, killes: (performance) use two level cache in menus, instead of storing very large amounts of data multiple times
#239196 by jvandyk and myself: missing status check on nodes in search indexing counter
rolling back #234403 by Bevan and damz: we should keep using LF in mail headers, without CR, CRLF causes problems
#238564 by scor: two missing t() calls in update.module
#241629 by solotandem: dblog module left one more row in, when cleaning up in cron
#244597 by kbahey: remove cruft from user_login(), that added extra message to the form was never used or displayed
The first maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately. For more details, please see the security announcement:
For more information on this release candidate and about compatible modules, themes and translations, refer to: http://drupal.org/drupal-6.0-rc3
This release candidate fixes a security vulnerability. Those running the previous release candidate are urged to upgrade immediately. For more details, please see the security announcement:
For more information on this release candidate and about compatible modules, themes and translations, refer to: http://drupal.org/drupal-6.0-rc2
This release candidate fixes security vulnerabilities. Those running the previous release candidate are urged to upgrade immediately. For more details, please see the security announcement:
In addition to this security vulnerability, the following bugs have been fixed since the first release candidate:
#199241 by bjaspan, Heine: fix documentation on how confirm forms are constructed; port of Drupal 5 fix
#202925 report by beholder, patch by myself: (notice fix) only consider languages with a host set when comparing with the current host in domain language negotiation
The 6.x series of Drupal core is our legacy stable release. Bug fixes and security patches are maintained in the 6.x branch of our Git repository.
Production sites are encouraged to use the official releases; however, to provide testers easier access to these bug fixes that are on their way to becoming the next 6.x release, we generate a tarball from the 6.x Git branch twice a day.