6.x

Changes since 6.x-1.0-rc3:

• The item set and rated battleground APIs should now have a display name when viewing usage statistics.
• Replaced the arena and rated battleground APIs with the new PvP leaderboard API.

Initial 6.x-3.x release that should match 7.x-3.x-beta5 in terms of functionality.

This release is exactly the same as 6.x-1.14 except that it fixes issue #2324925: ShortURL and ShURLy shorteners broke in 6.x-1.14. If you weren't using the ShortURL or ShURLy modules, no changes in this release will affect you.

The reason those modules broke is because 6.x-1.14 started encoding URLs before shortening them, which makes sense when sending the URL as data to remote URL shorteners, but not when sending a URL directly to a local shortener. 6.x-1.15 makes an exception for local shorteners.

Bug fix: 1209164 hide fields not available
Bug fix: 1371296 Grouping view results by node reference: injects ">" after the field

Fixes HTTP header injection vulnerability

The 6.x versions prior to this release use a "Location: " header to redirect to the favicon path which is set in the admin settings for the theme. This uses the header() function from php rather than Drupal's header which is vulnerable to a header injection exploit.

These vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "administer theme".

This is only a problem for web sites running PHP 5.1 and below which is unsupported so no security advisory has been published.

• SSL support
• Typo fix