Drupal 6.13 and 5.19 released, fixing security issues More information can be found -> HERE Drupal 6.13 and 5.19, maintenance releases fixing problems reported using the bug tracking system, as well as critical security vulnerabilities, are now available for download. Both releases fix some other smaller issues as well. Upgrading your existing Drupal 5 and 6 sites is strongly recommended. There are no new features in these releases. Important update notes It is important to run update.php. These releases did not change the .htaccess, robots.txt and (default.)settings.php files, so you can keep your existing files intact, if you have modifications in them. Drupal 6.13 Release Note * SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities * - Patch #463450 by wulff: fixed documentation glitch. * #193577 by Rob Loach, Damien Tournoud, andypost: JavaScript string split() function does not behave like PHP explode(); causes problems with multiple node body break tags * #454992 by sun, bengtan: _drupal_flush_css_js() should not have 'q' as a possible CSS query character, since that is the Drupal path name character too * #452704 by andypost, catch: Names of compressed CSS and JS files should have a prefix, so that names starting in ad* will not happen. Those are easily blocked by firewalls, Firefox's Adblock, etc. * #468732 by andypost: cache_clear_all() mentioned cache_flush_delay incorrectly; it should say we use cache_lifetime * #460420 by wulff, andypost: drupal_set_title() in forum_overview() is not needed; menu already sets the title and is localized * #398902 by Nick Urban, alexanderpas, kscheirer: password equality checking was not using strict type checking; we should assume these are strings and compared character to character * #479216 by jhedstrom: fix grammar in forum module messages * #445748 by Dave Reid, dww: Fix module support for disabled module update status checking and do not track usage in that case. * #465190 by Heine: The Anonymous name is a plain text setting, so it should be escaped properly for output. * #246096 by Sutharsan, Pedro Lozano, mr.baileys, andypost: Actions set to run on cron were not actually triggered. * #226479 by gpk, BrianV, catch: We should always show the node access rebuild button. The check on when to show it was fragile, so the button might not have been there when actually needed. * #482646 by Dave Reid: For proper HTTP query simpletesting, we should pass on the instance identifier (database prefix). * #197266 by ufku, lilou, Dave Reid, c960657, drewish: Save a query by only calling file_space_used() when a limit is provided. * #408876 by Pasqualle, JamesAn: The 'serialize' Schema API property was used but not documented. * #145733 by kepten, brianV: The session.use_cookies PHP setting is required by Drupal, but it can be turned off, so try to ensure it is turned on at all times. * #373225 by jpulles, Josh Waihi: When changing columns, PostgreSQL needs explicit type casting to ensure that values are kept properly. * #236657 by hctom, swentel: In system_clear_cache_submit(), the function arguments were swapped (but it did not affect how it actually worked). * #243253 by Benjamin Melançon, dww: Update status should not attempt to request update data until a limit is reached. Fixed Drupal instances when drupal.org is down and gets less load on Drupal.org if data is not found. * #339466 by patryk, c960657, alexanderpas: Remove url() wrapping from remote links and link in a more user friendly OpenID provider list. * #461938 by grendzy, JamesAn: Use filter_xss_admin() on site name and site slogan, just like footer message and mission * #455172 by budda, RoboPhred, andypost: Fix drupal_mail() documentation, so that it encourages to set the body of the email as an array (like core does). * #329797 by berenddeboer, redndahead, danielb: The tablesort code did not account for possibly nested tables; only match immediate descendats, so elements of nested tables are not matched. * #352121 by valthebald, Damien Tournoud, mr.baileys: The safe string check on translations should only be applied to the default textgroup. Strings in other textgroups such as blocks and menu items are displayed via escaping and filtering, and might contain arbitrary HTML. Drupal 5.19 Release Note * SA-CORE-2009-007 Drupal core - Multiple vulnerabilities * #212285 by wrwrwr: hr should be treated as a block level tag. Backport by alexanderpas. * #145733 by kepten, brianV: The session.use_cookies PHP setting is required by Drupal, but it can be turned off, so try to ensure it is turned on at all times.