Bug fixes

The second maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.

This release fixes security vulnerabilities and also changes APIs. Sites are urged to upgrade immediately after reading the security announcement:

• SA-2008-026 - Drupal core - Access bypass

In addition to this security vulnerability, the following bugs have been fixed since the 6.1 release:

• #228120 by jvandyk: typo in documentation in comment.tpl.php
• #226480 by gpk: fix wording on when node access rebuild button is displayed in node_configure()
• #229817 by mcarrera: l() attributes were not properly specified in theme.inc's theme_username()
• #234403 by alienbrain: PHP.net documents we should use CRLF in mail headers, so do that
• #226555 by jvandyk, Rok Zlender: fix notice level error in xmlrpc.inc
• #204415 by chx: actually use 'administer content types' permission for node type editing instead of 'administer nodes'
• #234699 by hass: theme_link() did not mark frontpage links active properly
• #237717 by hass: missing t() in system_clear_cache_submit()
• #232037 by pwolanin: (performance) block regions should only be populated when called for, not in all cases (fixes performance expectation on 403/404 pages)
• #226728 by chx: (performance) temporary cache table entries were not flushed, causing cache_menu and cache_form to grow big
• #231587 by pwolanin, killes: (performance) use two level cache in menus, instead of storing very large amounts of data multiple times
• #239196 by jvandyk and myself: missing status check on nodes in search indexing counter
• rolling back #234403 by Bevan and damz: we should keep using LF in mail headers, without CR, CRLF causes problems
• #238564 by scor: two missing t() calls in update.module
• #241629 by solotandem: dblog module left one more row in, when cleaning up in cron
• #244597 by kbahey: remove cruft from user_login(), that added extra message to the form was never used or displayed

New features:
- weekly or monthly re-run.
- configurable array of response codes NOT indicating broken links (e.g. 401 Authorisation Required)

Bug fixes:
- 404 code has been wrongly ignored as well as 401-403 as intended in the previous release

This release fixes compatibility with workflow-ng (namespace issues) and restores the ability for modules to implement hook_hook_info() and have tabs automatically show up on the trigger page.

This release addresses an access bypass security issue, DRUPAL-SA-2008-025, that would cause nodes to lose simple_access data under certain conditions. Sites should beware that nodes they thought were private might have been made public, especially if using other contributed modules.

Other changes since 5.x-1.2-2:

This release is just coding style fixes suggested by the coder module. Most people can feel free to skip this release.

Fix 0.1 too many unnecessery files.