cck 5.x-1.9

Security update
Bug fixes
Insecure

5--1.9
======

Hotfix release for 5.x-1.8.
- Fix array_merge() warning on upgrade (harmless).
- Fix parse error in nodereference.module.

5--1.8
======

The 1.8 release fixes two critical bugs:

- #292872 Data loss issue: fields and field data deleted for content types defined by disabled modules.
  IMPORTANT: Since disabling all contrib modules is a recommended step prior to upgrading a D5 site to D6,
  it is highly advised that D5 sites using CCK are updated to CCK 5.x-1.8 before starting the D6 upgrade process.

- #271577 Security issue (moderate): unsanitized output for some admin-defined content
  ('administer content' permission was required to exploit the security hole).
  IMPORTANT: If your theme uses field templates, you will need to manually change this line in your theme's template.php,
  in function phptemplate_field() [or possibly THEME_NAME_field()]:
  change:
    'label' => t($field['widget']['label']),
  to:
    'label' => check_plain(t($field['widget']['label'])),
  check_plain() HTML-escapes the translated label before it is output.
  See SA-2008-048: http://drupal.org/node/304093

Other notable fix:

- Content Copy: Fix multiple bugs when importing/exporting content types:
  - exporting field definition can alter the actual field's settings
  - 'this post cannot be referenced' error when exporting nodereference fields
  - no export of default values

This release requires a visit to update.php

Other changes :

cck 5.x-1.8

Security update
Bug fixes
Insecure

This release is broken - use CCK 5.x-1.9 instead.

mailsave 5.x-3.3

Security update

This release fixes a vulnerability to mimetype spoofing that could be used in malicious posts. See SA-2008-051 - Mailsave - Cross site scripting for details.

Users should upgrade to Drupal 5.10 and this release of mailsave to guard against this issue.

mailsave 6.x-1.3

Security update

This release fixes a vulnerability to mimetype spoofing that could be used in malicious posts. See SA-2008-051 - Mailsave - Cross site scripting for details.

Users should upgrade to Drupal 6.4 and this release of mailsave to guard against this issue.

Drupal 6.4

Security update
Bug fixes
Insecure

The fourth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:

In addition to this security vulnerability, the following bugs have been fixed since the 6.3 release:

  • #225880 follow up by webchick: improve error message when writable settings.php is not present
  • Patch #275801 by Damien Tournoud and Gribnif: fixed performance issue due to typo.
  • Patch #281943 by webchick, Arancaytar, dropcube et al: order install profiles alphabetically.
  • Patch #285467 by mustafau: fixed typo in a MT blog API function.
  • Patch #238600 by scor: removed two unused links from context-sensitive help.
  • Patch #268491 by mustafu, pwolanin, et al: fixed notice after deleting aggregator feed.
  • Patch #293434 by eMPee584 and Damien: fixed broken watchdog call.
  • Patch #254725 by Steve Dondley and BioALIEN: maxlength field for 'allowed HTML tags' is too short
  • Patch #290918 by pwolanin: don't unset project info during processing.
  • Patch #165642 by Damien Tournoud: error in SQL syntax in user.module.
  • Patch #246522 by mustafu, Dries: fixed typo in documentation.
  • Patch #283806 by mustafau, Aron Noval: improved error handling in drupal_http_request().
  • Patch #290869 by Wim Leers: AHAH functionality was not working for radio buttons.
  • Patch #293421 by Bart Jansens: fixed documentation of sess_count().
  • Patch #290869 by swenterl, cwgordon07: fixed notice in #ahah handling.
  • Patch #293343 by Bart Jansens: removed obsolete table name from documentation. Candidate for Most Trivial Patch of the Month Award.
  • Patch #293504 by Damien Tournoud: fixed search on PostgreSQL - argument of AND must be type boolean, not type integer.
  • Patch #283806 by mustafau: fixed bug in drupal_http_request()
