Drupal 6.5 and 5.11 released, fixing security issues
Drupal 6.5 and Drupal 5.11, maintenance releases fixing problems reported using the bug tracking system, as well as critical security vulnerabilities, are now available for download.
Upgrading your existing Drupal 5 and 6 sites is strongly recommended. There are no new features in these releases.
Drupal 6.5 Release Note
* SA-2008-060 - Drupal core - Multiple vulnerabilities
* - Patch #246143 by bjaspan, Damien Tournoud: make sure updates are run in numeric order, not in definition order.
* - Patch #221230 by Heine: convert requirement error on update to requirement warning.
* - Patch #252430 by quicksketch: allow base theme prefix in preprocessor function names to correct expected behavior.
* - Patch #245322 by mfb: fixed breadcrumb behavior.
* - Patch #287949 by Freso, Damien Tournoud: keep language icons in consistent order across nodes.
* - Patch #265899 by mfb: uri_brief mail token did not support https URLs.
* - Patch #272952 by NancyDru and chx: fixed documentation issue.
* - Patch #170310 by mfb, JohnAlbin: avoid SSL cookie getting over-written by non-SSL cookie.
* - Patch #243063 by GoofyX: fixed typo in context-sensitive help.
* - Patch #295152 by dww, Damien Tournoud, et al: fixed version comparison.
* - Patch #278759 by douggreen, fletchgqc: improved code comment.
* - Patch #276018 by mfb: extend the lifetime of temporary files.
* - Patch #228576 by sun: too ambiguous stylesheet in dblog.css when form_altering the watchdog table.
* - Patch #285309 by pwolanin: menu_name in hook_menu is ignored on updates.
* - Patch #261859 by rse, Damien Tournoud: make the trigger module work on PostgreSQL.
* - Patch #305436 by Damien Tournoud, lelutin: fixed unclosed li tag in the context-sensitive help.
* #305920 originally reported by hass at #217884, patch by myself: JavaScript cache was not invalidated when a translation of a string was edited
* - Patch #308549 by lyrincz, Dave Reid: fixed broken link in PHPdoc.
* #227486 by profix898: 'menu_router's 'load_functions' and 'to_arg_functions' were too short to contain long function names and/or multiple arguments as required by complex Views and Panels
* #278458 reported by j0hn-smith, patch by pwolanin: the menu cache was not cleared properly in menu_link_maintain()
* #188246 by deekayen, mfb et al.: some icon and class definitions were missing from dblog, causing notice level errors themselves
* #214516 by mfb: Add the Real Time Streaming Protocol (RTSP) to the allowed protocol list in filter_xss_bad_protocol().
* #253577 by Morbus Iff, nevergone: Allow setting comment timestamp in comment_save(). Enabled import scripts to import dates for comments.
* #208270 reported by Dries, patch by jvandyk: it was not possible to clear the XML-RPC error cache, making it impossible to do multiple queries in one request. Add xmlrpc_clear_error() and slightly modify xmlrpc_error() to fix.
* #257912 by douggreen and Damien Tournoud: improve performance of search indexing by swapping two queries for the one which is successful more often
* #254242 report by bwooster47, patch by dropcube: (regression) preview forcing on nodes had its setting kept, but was not enforced in code; restoring Drupal 5 behavior
* #213699 reported by gpk, patch by c960657: Race condition in sess_write() caused duplicate entry errors in the sessions table, fix that.
* #201799 by yched, quicksketch: compute indentation width for draggables better, counting on padding and margin as well as measuring the width at the place where it is used (taking possible CSS overrides into account)
* #230932 follow up by drumm, drewish: Capitalize false to FALSE (minor code style fix).
* #308713 by fletchgqc: The database schema for locale module allows for 128 chars in the domain name, so the form should allow up to that length as well (instead of 64).
* #228761 by zsanmartin, roborn: Installer did not recognize language files with dashes in them, such as pt-pt or zh-hans. Fixing pattern and pt-pt language code.
* #297952 by aaron, merlinofchaos, dvessel: Reserve the 'template_file' variable instead of the too generic 'file' for template file inclusion. This makes 'file' available for themes.
* follow up to #280621 by lilou: the object tag was disallowed in a previous version in filter_xss_admin(), so disallow param as well, which is only meaningful inside an object tag
* #277214 reported by Damien Tournoud, patch by dereine, lilou: _load() functions should return FALSE on failure but taxonomy_vocabulary_load() was returning NULL
* #224006 by Daniel Jalkut: blogapi_metaweblog_get_category_list() verified user access for the given content type but did not log in the user first
* #158992 by bangpound, sun, Dries: Inline JavaScript was invalid in XHTML. It needs to be properly wrapped in CDATA.
* #180063 by andremolnar, TheMystic, R.Muilwijk: There was no way to flush form errors during iterative programmatic form submission. Slight API expansion.
* #267724 by cpugeniusmv, dww, maartenvg: Update module was not checking for new data when the cache was cleared, until the set time was elapsed. Now checks on cron after the cache was cleared.
* #268006 by pwolanin: Help from hook_help() was displayed on 403/404 pages.
* #299672 by fago, chx: Cache form only if any of its element set #cache to TRUE (not if #cache is set at all)
* #314564 by m1mic: fix HTML validation in the pushbutton theme - footer paragraph wrapping and bgcolor invalid.
* #312982 by hass: The text '(source)' was not translatable in translation.pages.inc
* #184143 by redndahead, tested by yoroy, quicksketch: tableheader.js interfered with #anchors in table rows
* - Patch #273743 by meba, jsaints: fixed example code.
* #261148 by chx, pwolanin: The menu's first rebuild does not always happen properly due to race conditions, so look to rebuild the menu if the masks are empty.
* #268584 by agentrickard, Dries, Rob Loach, webchick: move to a 100 terms per page default for the taxonomy administration pages, since with the current 10 default, the drag and drop ordering is not useful at all.
Drupal 5.11 Release Note
* SA-2008-060 - Drupal core - Multiple vulnerabilities
* - Patch #265899 by mfb: uri_brief mail token did not support https URLs.
* - Patch #170310 by mfb, JohnAlbin: avoid SSL cookie getting over-written by non-SSL cookie.
* #296096 by Damien Tournoud. Fix 5.10 Postgres install & update.
* - Patch #246143 by bjaspan, Damien Tournoud: make sure updates are run in numeric order, not in definition order.
* #181831 by Rob Loach. Backport of #130630 by chx: provide an id on the form item wrapper div.
* #283026 by Damien Tournoud. Make user_authenticate from external source (for existing users) work with no server part.
* #298535 by mkalkbrenner. Correct HTTP status code for failed connection.
* #108717 by add1sun and neclimdul. Code style.
* - Patch #230932 by ryanlath: file_scan_directory() didn't scan the directory called '0'. Backport by cridenour.
* follow up to #280621 by lilou: the object tag was disallowed in a previous version in filter_xss_admin(), so disallow param as well, which is only meaningful inside an object tag
* #208270 reported by Dries, patch by jvandyk: it was not possible to clear the XML-RPC error cache, making it impossible to do multiple queries in one request. Add xmlrpc_clear_error() and slightly modify xmlrpc_error() to fix.
* - Patch #308549 by lyrincz, Dave Reid: fixed broken link in PHPdoc.
* #67895 patch by goba, tested by JirkaRybka and blackdog: move poll votes with poll options, when an option is removed, instead of dropping all old votes, solving an old data loss bug. Backport by dww.
* #312730 by Damien Tournoud. hook_requirements('install') should work for modules that don't reside in the main './modules' folder.