Drupal 6.15 and 5.21 released, fixing security issues More information can be found -> HERE Drupal 6.15 and 5.21, maintenance releases fixing problems reported using the bug tracking system, as well as critical security vulnerabilities, are now available for download. Both releases fix some other smaller issues as well. Upgrading your existing Drupal 5 and 6 sites is strongly recommended. There are no new features in these releases. Important update notes These releases did not change the (default.)settings.php and robots.txt files, so you can keep your existing files intact, if you have modifications in them. The .htaccess file was changed in Drupal 6.15, adding settings to let all PHP scripts set their own caching headers without those being overridden by the server. See http://drupal.org/node/550488 for more information. Drupal 6.15 Release Note This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement: * SA-CORE-2009-009 - Drupal Core - Cross site scripting In addition to this security vulnerability, the following bugs have been fixed since the 6.14 release: * #193383 follow up by TheRec: (regression) - some set_time_limit() numbers were inadvertently removed in the previous patch. * #499828 by Darren Oh, Dave Reid, dww: Wrong release dates were recorded on multi-module projects if deployed from CVS * #563526 by jhodgdon: fix @see and @code phpdoc in user-profile.tpl.php * #485350 by jhodgdon: better documentation and add code example for module_load_include() * #574862 by jhodgdon: better documentation for menu_set_active_trail() * #263517 by mfb: fix notice when parsing an RSS feed with file attachments * #319033 by Ralf, Dave Reid, dww: modules could bubble up in the update status listing if having submodules which are earlier in alphabetical ordering * #554992 by Davy Van Den Bremt, jhodgdon: code documentation for block_box_get() and block_box_save() * #456088 by JohnAlbin, dww: propagate (security) update information to subthemes from base themes * #525504 by gpk, Dave Reid, sun: anonymous users should not have a contact form; also with added code documentation * #336358 by Wesley Tanaka, brianV: fix slow query in ping module and correct its use of the database API * #618278 by JuliaKM: minor spelling fix in drupal_get_form()'s documentation * #208195 by marcingy, jvandyk, bombatower: fix notice in xmlrpcs.inc error handling * #539716 by Pasqualle, pp, jhodgdon: fix code documentation for actions_get_all_actions() * #472820 by rfay, Rob Loach, mfb, sun, andypost: do not remove newlines in CSS aggregation; it breaks certain valid CSS structures * #375931 by Senpai, Dave Reid: system.install should clear out module list and hook implementation statics before calling system_theme_data() * #624882 by robhybrid, jhodgdon: improve general documentation about hooks * #637228 by franz: minor code comment typo fix in menu.admin.inc * #647336 by Morbus Iff: No params for xmlrpc() causes PHP 5.3.x failure of XML-RPC. Initialize the XML-RPC message params property properly. * #640050 by heyrocker: fix code example in drupal_execute() phpdoc; password fields should have two string values * #550488 by c960657: Do not allow PHP scripts to be cached unless they explicitly send cache headers themselves. * #216101 by Arancaytar, aufumy, incidentist, scor, c960657: Fix OpenID registration workfow in case of errors; let users prefill fields when username or email address was not provided or the values were not valid for Drupal. * #528204 by rfay, drewish: menu item sorting should be case insensitive; lowercase titles for sorting * #280319 by robertDouglass: search_box_form_validate() is referenced in search form, but does not exist * #528822 by markDrupal, jhodgdon: update batch API example to document file key, reflow key listing to be an actual list * #644482 by hass (backport of #452936): use TRUNCATE to do full cache clearing, which results in a dramatic speed increase * #639708 by kiamlaluno, JuliaKM, jhodgdon: minor fix for documentation of return value in drupal_match_path() * #575796 follow up by myself: OpenID XRI check was not PHP 4 compatible Drupal 5.21 Release Note * SA-CORE-2009-009 - Drupal Core - Cross site scripting