Security update

The fifteenth maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-CORE-2009-001 Drupal core - Multiple vulnerabilities

This release fixes a security issue. See SA-CONTRIB-2009-004 - Notify - Privilege escalation for details. This release also contains other bug fixes.

This release fixes two security vulnerabilities described in DRUPAL-SA-CONTRIB-2009-001. Sites are urged to upgrade immediately. In addition to these security updates, this release includes the following changes since version 5.x-1.2:

Project module

Bug fixes

• #235037 by aclight and dww: Fixed critical bugs in project_page_overview() query and logic. It wasn't using the {project_release_supported_versions} table, so download links were sometimes pointing to the wrong releases.
• #239240 by aclight and hunmonk: Fixed bug where browse by date only worked with project_release and taxonomy modules (for no good reason).
• #211188 by aclight: Fixed bug where project node teasers were different when filtering by a version which was caused by the node type not being included in the query for the project browsing pages.
• #233052 by aclight: Fixed bug with hook_project_page_link_alter() when a project disables its issue tracker.
• #327285 by dww: Fixed bug introduced in #218571 where release-related links were added to project nodes that had disabled releases.

This release fixes two security vulnerabilities described in DRUPAL-SA-CONTRIB-2009-002. Sites are urged to upgrade immediately. Other changes since version 5.x-2.2:

Bug fixes

• #209507 by aclight: Fixed critical bug introduced with #188198 where the original poster of an issue wouldn't get notification emails about that issue unless they also commented on it.
• #283332 by hunmonk: {project_issues} table not being created when module is enabled. Removed erroneous default value from original_issue_data text column. No database update is necessary because MySQL simply tosses the default value declaration if it does install the table.
• #272618 by aclight: Fixed bug where 'Create Issue' menu item was visible even when 'create project issues' permission is disabled.
• #11211 by Gabor Hojtsy: proper use of drupal_add_feed().
• #293882 by agentrickard and scor: Fixed broken project lookup in mailhandler code.
• #275323 by aclight and hunmonk: Prevent project_issue_generate_issue_comments() from causing fatal errors in rare cases.

This release fixes a security issue. See SA-2008-075 - Views - SQL Injection for details.

Bugs fixed:

• #305756: Number formatting caused illogical rounding.
• #324272 by neochief: hook_pre_render never called.
• #324058: Broken queries created by string values in multiple fields.
• #324726: "tag" fields should be autocomplete in View edit.
• #324058 by yched: Make aliases safer for many to one tables.
• #325765: Prevent key merge errors on query::add_where and query::add_having.
• #324378: Minor usability improvements to the list page.
• #326934: Need another check to make sure already added aliases do not get blown away.
• #324513: If a relationship table was added more than 1 hop away from the base, SQL errors resulted.

The thirteenth maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-2008-073 - Drupal core - Multiple vulnerabilities