Security update

The sixteenth maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-004 Drupal core - Local file inclusion on Windows

The tenth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-003 - Local file inclusion on Windows

In addition to this security vulnerability, the following bugs have been fixed since the 6.9 release:

• - Patch #298722 by pwolanin: _menu_translate returns FALSE before to_arg is available. Drupal.org upgrade blocker.
• #310863 by bangpound, dboulet, catch, lee20: Locale variable results in locale module install, so skip adding empty variable when not needed.
• #275796 by Gribnif, Damien Tournoud, Dave Reid, vaish: module_list() should set its static variable to NULL instead of unset()-ing it, so it does not retain its value
• #328110 by marcingy, swentel, Damien Tournoud, pwolanin, David_Rothstein: the link argument is passed by reference to menu_link_save(), so avoid overwriting local variables in menu_enable().

First 6.x release candidate.
SA-CONTRIB-2009-007 - Advertisement Cross-site scripting

SA-CONTRIB-2009-007 - Advertisement Cross-site scripting

Be sure to follow step #9 from documentation/INSTALL.txt even when upgrading from an earlier version of the ad module.

This release fixes an XSS vulnerability. See DRUPAL-SA-CONTRIB-2009-005 - Views bulk operations - Cross site scripting for additional information.

The ninth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-001- Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed since the 6.8 release:

• - Patch #331708 by chx: poll_choice_js uses FAPI2.
• - Patch #350708 by dww: t() documentation clean-up.
• #245990 by Dave Reid, chx, dww: Look for the www.example.com page when a HTTP request seems to fail. Looking for the local page caused problems for people with interactive authentication, redirects, hosting added JavaScript code, and so on.
• - Patch #262920 by ainigma32: language selection for domain should look at HTTP_HOST not SERVER_NAME.
• - Patch #353886 by killes: too many arguments to SQL query in locale import.
• - Rollback of #325908.