Security update

SA-2008-063 http://drupal.org/node/318739

security fix SA-2008-062: access bypass

The fifth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-2008-060 - Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed since the 6.4 release:

• - Patch #246143 by bjaspan, Damien Tournoud: make sure updates are run in numeric order, not in definition order.
• - Patch #221230 by Heine: convert requirement error on update to requirement warning.
• - Patch #252430 by quicksketch: allow base theme prefix in preprocessor function names to correct expected behavior.
• - Patch #245322 by mfb: fixed breadcrumb behavior.
• - Patch #287949 by Freso, Damien Tournoud: keep language icons in consistent order across nodes.
• - Patch #265899 by mfb: uri_brief mail token did not support https URLs.

The eleventh maintenance and security release of the Drupal 5 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

• SA-2008-060 - Drupal core - Multiple vulnerabilities

In addition to this security vulnerability, the following bugs have been fixed in the 5.11 release:

• - Patch #265899 by mfb: uri_brief mail token did not support https URLs.
• - Patch #170310 by mfb, JohnAlbin: avoid SSL cookie getting over-written by non-SSL cookie.
• #296096 by Damien Tournoud. Fix 5.10 Postgres install & update.
• - Patch #246143 by bjaspan, Damien Tournoud: make sure updates are run in numeric order, not in definition order.
• #181831 by Rob Loach. Backport of #130630 by chx: provide an id on the form item wrapper div.
• #283026 by Damien Tournoud. Make user_authenticate from external source (for existing users) work with no server part.
• #298535 by mkalkbrenner. Correct HTTP status code for failed connection.
• #108717 by add1sun and neclimdul. Code style.
• - Patch #230932 by ryanlath: file_scan_directory() didn't scan the directory called '0'. Backport by cridenour.
• follow up to #280621 by lilou: the object tag was disallowed in a previous version in filter_xss_admin(), so disallow param as well, which is only meaningful inside an object tag
• #208270 reported by Dries, patch by jvandyk: it was not possible to clear the XML-RPC error cache, making it impossible to do multiple queries in one request. Add xmlrpc_clear_error() and slightly modify xmlrpc_error() to fix.
• - Patch #308549 by lyrincz, Dave Reid: fixed broken link in PHPdoc.
• #67895 patch by goba, tested by JirkaRybka and blackdog: move poll votes with poll options, when an option is removed, instead of dropping all old votes, solving an old data loss bug. Backport by dww.
• #312730 by Damien Tournoud. hook_requirements('install') should work for modules that don't reside in the main './modules' folder.

SA-2008-0059

Thanks to kbahey for his excellent help.

Fix to JS.

Fixes two security vulnerabilities. See SA-2008-057 - Ajax checklist - Multiple vulnerabilities for details.