Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
* Add a possible fix of SA4931, too.
Drupal 6.27, 2012-12-19
----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.
Drupal 6.24, 2012-02-01
----------------------
- Improved performance of search indexing and user operations by adding indexes.
- Fixed issues with themes getting disabled due to missing locking in
system_theme_data().
- Fix issue with blocks being disabled on updates in _block_rehash().
- Further improvements to PHP 5.3, PHP 4 and PostgreSQL compatibility.
- Improved code documentation at various places.
- Fixed a variety of other bugs.
Drupal 6.22, 2011-05-25
----------------------
- Made Drupal 6 work better with IIS and Internet Explorer.
- Fixed .po file imports to work better with custom textgroups.
- Improved code documentation at various places.
- Fixed a variety of other bugs.
- update patch provided by V.Seifert
ChangeLog:
- #494462 by z.stolar: modify robots.txt to give search engine crawlers
permission to index content in /sites/*, such as images uploaded to the
site #481142 by JohnAlbin, sociotech: theme settings forms were not
inherited by sub-themes
- #764548 by Dave Reid, sun: backport hiding of hidden modules on the
modules page, so if projects include hidden modules for testing, those
will not confuse users #687674 by jefnguo, rdrh555: fix minor code
documentation typo in menu.inc
- #881540 by bjaspan: make syslog identity configurable on the user
interface (instead of hardwired to 'drupal') #280930 by pillarsdotnet,
oadaeh, David_Rothstein: fall back on an empty array if hook_schema is
not defined for a module
- #956320: clean up documentation for menu_set_active_trail #903016 by
daniels220: path argument was not documented on the arg() function
- #618280 by daniels220: minor fix to drupal_add_css() documentation to
have correct path example #926440 by daniels220: document search_form()
return value properly
- #716348 by grendzy, hefox: document that drupal_get_path(),
drupal_load() and drupal_get_filename() can be used with 'profile' as
well #767408 by hunmonk: copy semaphore site creation to
update_fix_d6_requirements() to solve issues upgrading from any version
of Drupal 5
- #948520 by jhodgdon, mvc: fix formatting in Schema API documentation
lists #931304 by subnet_rx, webkenny: backport support for newly popular
tel: protocol in filter_xss_bad_protocols()
- #937508 by amateescu: document the return value of arg() better #505730
by alexanderpas, jhodgdon: document return value of
valid_email_address() better
- #930784 by Jay Matwichuk, daniels220: fix argument name in code
documentation for db_add_field() #225950 by mgriego, daniels220,
jhodgdon: improve documentation on theme_image()
- #698248 by andypost: fix notice in cache.inc when $user->cache is not
defined #872374 by sender: user_load() can take a uid not just an array;
document that properly
- #942718 by joachim: document where drupal_get_form() arguments end up in
form arrays #895858 by dstol: fix documentation of possible $item values
in menu_link_save()
- #379348 by dstol: refine documentation on node_submit() #403034 by
Andreas Wolf, roderik: node_assign_owner_action() should use
node_get_types('name', ...) to get the name of the node type
- #829968 by AlexisWilke, andypost: fix drupal_lookup_path() to always
return FALSE if the source was not found, not just for the 2nd call
onwards #245990 by David_Rothstein, Pedro Lozano, andypost: do not
follow any redirections in system_check_http_request() since we only
need data on whether HTTP requests worked at all
- #366768 by druppi, hass, plach, GiorgosK: do not link to unpublished
translation nodes, even if user would have access to them (once
published) #764234 by yan_nick, Zoltan Balogh and myself: backport width
of user filter labels in admin forms; better fit for some translations
- #971400 by myself, pp: backport change of language source URLs from
Drupal 7 #809616 by catch, hswong3i: fix notice in menu rebuild
- #973242 by pp: log type name not properly translated in dblog.module
- #147000 by pwolanin, mikeytown2, et. al.: avoid multiple, parallel
rebuildings of module and theme data
- #969252 by Dave Reid: save hook_help implementation in upload.module for
admin/settings/uploads #993834 by adamgerbert, nenne: fix documentation
of return value in do_search
- #991944 by Jacine: theme_locale_admin_manage_screen() doesn't exist
- #841134 by daniels220, jhodgdon: file_save_upload() documentation
corrections
- #287647 by bjaspan, lilou, mikejoconnor, cafuego, Déja: cast invalid
hook_schema() results into arrays at all times #917670 by mr.baileys,
rdrh555: fix documentation for drupal_alter()
- #357785 by arnoldc, gravalsyr, miro_dietiker, plach: retain the tnid
value for new nodes saved, so the node object reflects the database
- #422218 by salvis, jeremiah.snapp: fix a case in forum module where non
forum tids might get picked as the forum topic tid
- #488166 by EmanueleQuinto, Damien Tournoud, jhodgdon: search relevance
calculation fails if last_comment_timestamp is NULL #881132 by HLopes,
Garrett Albright: CSS files with non-UTF-8 characters broke CSS
optimization
- #772678 by sun, jpmckinney, Berdir, markus_petrux: no way to specify
default collation, entirely depended on database configuration (which
might be inappropriate) #212130 by salvis, boydjd, Steven, grendzy,
Damien Tournoud: more complete support for unicode entities, to account
for previously missing entities in decode_entities()
- #307636 by zbricoleur, sreynen, quicksketch: fix file identification bug
with image file processing on Microsoft IIS Roll back #147000, prevented
Drupal from being installed.
- #986682 by pkiraly: improve code documentation for db_table_exists() and
db_column_exists()
Drupal 6.17, 2010-06-02
----------------------
- Improved PostgreSQL compatibility
- Better PHP 5.3 and PHP 4 compatibility
- Better browser compatibility of CSS and JS aggregation
- Improved logging for login failures
- Fixed an incompatibility with some contributed modules and the locking system
- Fixed a variety of other bugs.
Drupal 6.16, 2010-03-03
----------------------
- Fixed security issues (Installation cross site scripting, Open redirection,
Locale module cross site scripting, Blocked user session regeneration),
see SA-CORE-2010-001.
- Better support for updated jQuery versions.
- Reduced resource usage of update.module.
- Fixed several issues relating to support of install profiles and
distributions.
- Added a locking framework to avoid data corruption on long operations.
- Fixed a variety of other bugs.
Drupal 6.15, 2009-12-16
----------------------
- Fixed security issues (Cross site scripting), see SA-CORE-2009-009.
- Fixed a variety of other bugs.
other pkgsrc changes:
* Add PKG_DESTDIR_SUPPORT spport.
* Use REPLACE_INTERPRETER.
* Change default.settings.php handling to fix PR pkg/42355.
pkgsrc change: add LICENSE.
Drupal 6.14, 2009-09-16
----------------------
- Fixed security issues (OpenID association cross site request forgeries,
OpenID impersonation and File upload), see SA-CORE-2009-008.
- Changed the system modules page to not run all cache rebuilds; use the
button on the performance settings page to achieve the same effect.
- Added support for PHP 5.3.0 out of the box.
- Fixed a variety of small bugs.
* SA-CORE-2009-007 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 6.12 release:
* - Patch #463450 by wulff: fixed documentation glitch.
* #193577 by Rob Loach, Damien Tournoud, andypost: JavaScript string split() function does not behave like PHP explode(); causes problems with multiple node body break tags
* #454992 by sun, bengtan: _drupal_flush_css_js() should not have 'q' as a possible CSS query character, since that is the Drupal path name character too
* #452704 by andypost, catch: Names of compressed CSS and JS files should have a prefix, so that names starting in ad* will not happen. Those are easily blocked by firewalls, Firefox's Adblock, etc.
* #468732 by andypost: cache_clear_all() mentioned cache_flush_delay incorrectly; it should say we use cache_lifetime
* #460420 by wulff, andypost: drupal_set_title() in forum_overview() is not needed; menu already sets the title and is localized
* #398902 by Nick Urban, alexanderpas, kscheirer: password equality checking was not using strict type checking; we should assume these are strings and compared character to character
* #479216 by jhedstrom: fix grammar in forum module messages
* #445748 by Dave Reid, dww: Fix module support for disabled module update status checking and do not track usage in that case.
* #465190 by Heine: The Anonymous name is a plain text setting, so it should be escaped properly for output.
* #246096 by Sutharsan, Pedro Lozano, mr.baileys, andypost: Actions set to run on cron were not actually triggered.
* #226479 by gpk, BrianV, catch: We should always show the node access rebuild button. The check on when to show it was fragile, so the button might not have been there when actually needed.
* #482646 by Dave Reid: For proper HTTP query simpletesting, we should pass on the instance identifier (database prefix).
* #197266 by ufku, lilou, Dave Reid, c960657, drewish: Save a query by only calling file_space_used() when a limit is provided.
* #408876 by Pasqualle, JamesAn: The 'serialize' Schema API property was used but not documented.
* #145733 by kepten, brianV: The session.use_cookies PHP setting is required by Drupal, but it can be turned off, so try to ensure it is turned on at all times.
* #373225 by jpulles, Josh Waihi: When changing columns, PostgreSQL needs explicit type casting to ensure that values are kept properly.
* #236657 by hctom, swentel: In system_clear_cache_submit(), the function arguments were swapped (but it did not affect how it actually worked).
* #243253 by Benjamin Melançon, dww: Update status should not attempt to request update data until a limit is reached. Fixed Drupal instances when drupal.org is down and gets less load on Drupal.org if data is not found.
* #339466 by patryk, c960657, alexanderpas: Remove url() wrapping from remote links and link in a more user friendly OpenID provider list.
* #461938 by grendzy, JamesAn: Use filter_xss_admin() on site name and site slogan, just like footer message and mission
* #455172 by budda, RoboPhred, andypost: Fix drupal_mail() documentation, so that it encourages to set the body of the email as an array (like core does).
* #329797 by berenddeboer, redndahead, danielb: The tablesort code did not account for possibly nested tables; only match immediate descendats, so elements of nested tables are not matched.
* #352121 by valthebald, Damien Tournoud, mr.baileys: The safe string check on translations should only be applied to the default textgroup. Strings in other textgroups such as blocks and menu items are displayed via escaping and filtering, and might contain arbitrary HTML.
The twelfth maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-CORE-2009-006 - Drupal core - Cross site scripting
In addition to this security vulnerability, the following bugs have been fixed since the 6.11 release:
* #353328 by catch, BrianV: When a new commment is added, the redirection path should point to page, where the new comment is.
* #239945 by Xano, JeremyFrench, Damien Tournoud, andypost: Should not iterate over the children in taxonomy_get_tree() anymore if we reached max_depth.
* #292565 by grendzy, John Morahan, Jody Linn: remove path munging on 403/404 pages, which caused problems for login redirects
* #448268 by dww: Make sure that submitting the themes admin form clears out the update status cache, just like the modules admin form does.
This release fixes a security vulnerability. Sites are urged to upgrade immediately after reading the security announcement:
* SA-CORE-2009-005 - Drupal core - Cross site scripting
In addition to this security vulnerability, the following bugs have been fixed since the 6.10 release:
* #376408 follow up by pwolanin: search_nodeapi() lacked break in switch; resulted in issue in logic not code flow
* #197864 by vito_swat, alpritt, Murz, catch: Use hook_term_path() in forum module instead of hook_link_alter(); simplfies code, improves performance and compatibility.
* #314314 by bastos, Dave Reid, mr.baileys, Pasqualle: fix invalid XHTML markup in update.php output
* #372914 by chx, pwolanin, webchick: Menu link title localization was broken when a non-t callback was used
* #395086 by Freso: call trim() before truncate_utf8() in comment module for better quality truncation.
* #404244 by cwgordon7: minor code style fix in openid_help().
* #357031 by hinfox, dereine, aaronbauman: trigger_nodeapi() passed a4 twice and did not pass a3 to the action when the action type was other then node
* #141965 by jeffschuler: taxonomy_term_path() and its phpdoc block was separated by one blank line, thus disconnecting it for the API docs parser
* #408962 by brianV: improve phpdoc documentation for menu_tree_collect_node_links() and menu_tree_check_access().
* #290561 by mustafau, AlexisWilke: aggregator_save_category() should ask for the last insert ID in 'aggregator_category', not 'aggregator' when saving.
* #292565 by lyricnz, Damien Tournoud, Jody Lynn, kleinmp, John Morahan, akalsey: Make forms work on 404 and 403 pages. Remove any fake destination set by drupal_not_found() or drupal_access_denied() so that we can properly redirect from those pages.
* #325810 by darren.ferguson, miglius: in tableheader.js $('td'+ location.hash).offset() does not alway return an object, which breaks all JavaScript on the page, so check for the return value before using it.
* #297972 by wilson98, scor, Steven Jones, yched, heyrocker: make the batch API compatible with drupal_execute(), so things like creating a CCK type or adding fields to it (by submitting forms programatically) are possible in update functions
* #365996 by sammys: the correct full name for the timestamp field in postgresql is timestamp without time zone; improve compatibility with PostgreSQL / schema module
* #279233 by Aren Cambre, jbomb: Message printed when email is not being possible to send was informal and had a grammar problem.
* - Patch #316515 by jmburnz, momendo: fixed position of OpenID logo.
* - Patch #372414 by JohnAlbin: don't output empty div when no comment exist.
* - Patch #228477 by anuradha: corrected Sinhala language.
* - Patch #286374 by jhodgdon: fixed documentation of file_save_upload() validators.
* #382096 by Arancaytar: clean up #maxlength use in the installer; remove arbitrary 45 character limits, put reasonable limits in place where it makes sense
* #330084 by c960657: Remove unnecessary duplication of the From header value in Reply-to; standards indicate setting the From header should be sufficient
* #385602 by Damien Tournoud, desbeers: log messages were not remembered on node preview
* #437120 by mfb: avoid double escaping of taxonomy term names in feed links and channel titles
* #437930 by soxofaan: remove unnecessary tabindex attribute from login form; makes altering harder
* #160226 by kymmx, karschsp, Dave Reid, Berdir: statistics module was matching on prefixes of node paths instead of the node paths themselves (and possible subtabs)
* #401304 by Darren Oh: make conditional in statistics_link() more explicit to catch node related invocations
* #363262 follow up by Dave Reid: fix phpdoc comments on update functions to properly mark update functions added after 6.0 was released
* #317775 by Starminder, pwolanin: do not store the menu router table serialized in cache, since it cases more performance problems then it solves
* #282852 by Arancaytar, will_in_wi: remove negative margin on .node in Garland, so nodes do no overlap the messages area on the page
* #227228 by ilmaestro, gpk, ball.in.th, catch, andypost: use per-table cache_flush variables to avoid not flushing all but the first table when multiple tables are cleared
* #445600 by Rob Loach: allow for as few as 1 required word in submission of a node of a content type if the admin wants to set so
* #343415 by Damien Tournoud: the form cache is not automatically cleared on submit if the page cache is activated
* Rolling back #343415 given disputes around its change in Drupal 7.
* #229660 by Dave Reid: use theme('username', ...) to display usernames on the user contact page
* #447700 by dww: Earl Miles is not update.module maintainer anymore
* #431148 by pwolanin, dww: Make it easier to visually distinguish security updates on Updates report
* #396224 by pwolanin: Further harden template file name discovery
* #220592 by dww and pwolanin: Always use the database for caching in update module, so that drupal.org project data persists. Improves both local and drupal.org site performance.
* SA-CORE-2009-003 - Local file inclusion on Windows
In addition to this security vulnerability, the following bugs have been fixed since the 6.9 release:
* - Patch #298722 by pwolanin: _menu_translate returns FALSE before to_arg is available. Drupal.org upgrade blocker.
* #310863 by bangpound, dboulet, catch, lee20: Locale variable results in locale module install, so skip adding empty variable when not needed.
* #275796 by Gribnif, Damien Tournoud, Dave Reid, vaish: module_list() should set its static variable to NULL instead of unset()-ing it, so it does not retain its value
* #328110 by marcingy, swentel, Damien Tournoud, pwolanin, David_Rothstein: the link argument is passed by reference to menu_link_save(), so avoid overwriting local variables in menu_enable().
* #62926 by karschsp: increase the free tagging field maximum length to 1024; the database limits are per-tag.
* #220559 by eMPee584, Desbeers, Damien Tournoud: only ever add the active class to links in l() and theme_links(), if the language was set and is the current language or if the language was not set on the link
* #365183 by Eaton: node_feed() did not use the same API functions as node_view() did, so custom fields were missing from the output
* #356721 by c960657, Dave Reid: remove static caching of the clean URLs setting in url() to help automated tests; the setting is cached through variable_get(), which however allows altering of the setting
* #290282 by kratib, jvandyk, ainigma32: Only track/limit the recursive invocations of actions_do(), instead of tracking/limiting them all.
* #320395 by qutoz, swentel: Set node format to 0 in node_submit() if the body was turned off to avoid a minor notice.
* #359918 by Dave Reid: database.inc documents the 'unique key' key, while it should be 'unique keys'
* #152098 by hunthunthunt, mgifford, Dave Reid: add 'for' attribute to 'label' tags on checkboxes and radio buttons, even if the 'label' wraps the element - accessibility best practice
* #314286 backport of some of #229129 by assimonds: disbaled checkboxes did not receive their values properly from the default value set
* #243524 by christefano, chx: our phpinfo page was very limited; give all info possible instead
* #203323 by JirkaRybka, robertgarrigos, lilou, thePanz, c960657, sun: move the LANGUAGE_* constants to bootstrap.inc and remove several defined() checks on them now that they are always defined
* #276174 by nbz, John Morahan, slightly modified: do not escape username more then once at multiple places in blog.module
* #310768 by bob_hirnlego, cdale: missing primary table and field specification in db_rewrite_sql() when called from taxonomy_overview_terms()
* #363262 by catch, chx: in Drupal 6, the url_alias table introduced a language column, but did not extend its index to that; though queries are formed on src and language
* #326210 by AlexisWilke, grendzy, jhedstrom: Take the menu item in its first submission and menu_nodeapi() by reference, so that any modifications of the item in the saving process will carry over to other submit handlers; making itpossible to write modules extending menu item manipulation
* - Patch #383318 by mr.baileys: incorrect memory shortage warning when memory limit is unlimited.
* #337162 by midkemia and ainigma32: keep the Drupal 5 menu items descriptions when upgrading to Drupal 6
* - Patch #381438 by drumm: do not use page cache for drupal.sh requests.
* #109588 by fago, cdale: use the existing user account objects instead of arg() checks, as well as fix use of where it should be
* #296082 by jandd, stefanor, nigel: avoid table aliasing in UPDATE query in system_update_6001() since PostreSQL does not support that
* #376408 by ajevans85, pwolanin: Prevent an empty anchor tag and parenthesis appearing in the output for the search index in search_nodeapi()
* #383724 by Heine, bjaspan: SA-CORE-2009-003
* Rolling back #280934. PHP 4 incompatibility.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-CORE-2009-001- Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 6.8 release:
* - Patch #331708 by chx: poll_choice_js uses FAPI2.
* - Patch #350708 by dww: t() documentation clean-up.
* #245990 by Dave Reid, chx, dww: Look for the www.example.com page when a HTTP request seems to fail. Looking for the local page caused problems for people with interactive authentication, redirects, hosting added JavaScript code, and so on.
* - Patch #262920 by ainigma32: language selection for domain should look at HTTP_HOST not SERVER_NAME.
* - Patch #353886 by killes: too many arguments to SQL query in locale import.
* - Rollback of #325908.
* #347228 by kajetan: user was redirected to admin/build/translate instead of admin/build/translate/import
* #332123 by webchick, lilou, andypost: backport of removal of t() around schema desciptions
* #257009 by bjaspan, Freso, Darren Oh: check to not create global constraints twice in PostgreSQL (for example, when the testing framework is running)
* #169937 by Heine, drumm, alexanderpas, Darren Oh: only regenerate session if the user is the current global user
* #308526 by chx: Also reset actions_list() cache on actions_synchronize()
* #323474 by gpk, Dave Reid, catch: hook_boot() was not called on non-cached pages when agreesive caching was on
* #61108 by Uwe Hermann: update LICENSE.txt with latest version of GPL2 text
* #328977 by Dave Reid, hgmichna: comment_controls() form function lacks first form_state parameter, so passed values are incorrectly used
* #323386 by mariuss: The selection type in profile module expects items each on their own line and should not break items on commas
* #347485 by cdale: only add upload submit handler if the upload form is added
* #344052 by salvis: remove unused $update_node variable from node module
* #356782 by quicksketch: remove unused unset($edit) from _form_builder_handle_input_element()
* #124492 by m3avrck, mfer: more accurate checking for valid URLs in valid_url()
* #346285 by grendzy, Damien Tournoud, thekevinday et al: fixed problem when HTTP_HOST is not transmitted
* #245990 follow up by Damien Tournoud, David_Rothstein, pwolanin: Move back to an internal URL check for HTTP request checking and make the request checking less intrusive on what requests can be accomplished
The seventh maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-2008-073 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 6.6 release:
* - Patch #324118 by winterheart: fixed invalid XHTML being generated for forum topic listings.
* - Patch #329019 by dww, sun: fixed PHP warning.
* #315739 by sun: The theme name is in arg(4) on the block admin page, so only redirect to theme specific page if that is set.
* - Patch #329646 by Damien Tournoud: properly reset user_access().
* - Patch #255293 by Gribnif, maartenvg: incorrect regex causes some aggregated CSS to fail.
* #329998 by pwolanin: escape markup looking non-HTML tags in schema descriptions
* #258089 by JohnAlbin, Arancaytar, merlinofchaos: themes cannot have a preprocess function without a corresponding .tpl.php file
* #255150 by dropcube, tested by catch, asimmonds: content type names were double escaped on create content page
* #329660 by pwolanin: node_configure_validate() should be replaced with a #submit handler to conform to FormAPI rules
* #299742 by Darren Oh: missing #ahah support on checkboxes
* #193580 follow up by gpk: late but important changelog entry for Drupal 6.0
* #302638 by pwolanin: avoid running several no-op queries while the menu is being rebuilt; improves performance
* Rolling back #302638, it caused problems reported in #328110
* #319165 by Alex_Tutubalin: add explicit UTF-8 client encoding setting for PostgreSQL
* - Patch #277644 by lilou: documentation improvement.
* - Patch #335385 by Dave Reid: fixed maxlength of path alias fields to be consistent with the database.
* - Patch #337454 by earnie: fixed the phpdoc of drupal_render_form().
* - Patch #293370 by swentel et al: make block sorting work when there are more than 20 blocks.
* - Patch #325908 by kbahey: removed redundant cache flusing.
* - Patch #281131 by Damien Tournoud: document the missing quote in .htaccess.
* - Patch #336115 by Nedjo: better documentation for t().
* - Patch #342988 by ultimateboy: fixed order of attributes in PHPdoc.
* #324875 by pwolanin: improve HTTP_HOST checking, ensuring that the host is lowercased and only valid characters are allowed.
* #280934 follow up by pwolanin: harden the cookie handling in sess_regenerate() by setting our session cookie to be an HTTP only cookie, thus reducing the risk of session stealing via XSS
* #28776 by Uwe Hermann, Morbus Iff, jvandyk: Protect *.test files and SVN metafiles from being exposed under Drupal
* #299582 by hass: Remove outdated items from robots.txt and fix ordering of items to make stuff easier to find.
* #305653 by snowball43, cdale, Dave Reid, sun: All themes were disabled when update.php was run
* #344661 by Dave Reid: fix phpdoc documentation on translation_translation_link_alter()
* #333060 by neclimdul, merlinofchaos, dvessel: child themes did not inherit patterns correctly, so more specific template files are not detected
* #206138 by pwolanin et al: little documentation fix for node base module name handling
* #276111 by pwolanin, meba and myself: disallow possibly dangerous submissions in locale translations and imports
* #345167 by JacobSingh, pwolanin, Heine: drupal_http_request() includes an extra CRLF, not conformant to HTTP specs
http://drupal.org/node/345462
After some feedback from Roy Marples set up the package so it's easier
to get drupal to run under other web servers than apache. As the
default web server, apache will remain. Users can disable it using
the options.mk framework.
Rename APACHE_* variables to WWW_* and set some sane defaults.
The sixth maintenance and security release of the Drupal 6 series. Only
fixes for security vulnerabilities and other bugs have been committed. New
features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the security announcement:
* SA-2008-067 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been
fixed since the 6.5 release:
- Patch #315656 by Damien Tournoud: fixed bug in drupal_lookup_path('wipe').
#318102 by Dave Reid: hook_exit() was not invoked for some cached requests.
#277206 by Damien Tournoud, lilou, fp: untranslatable string in the installer
- Patch #324080 by winterheart: missing </td>-tag.
See http://drupal.org/node/324832 for all the details
* SA-2008-060 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 6.4 release:
* - Patch 246143 by bjaspan, Damien Tournoud: make sure updates are run in numeric order, not in definition order.
* - Patch 221230 by Heine: convert requirement error on update to requirement warning.
* - Patch 252430 by quicksketch: allow base theme prefix in preprocessor function names to correct expected behavior.
* - Patch 245322 by mfb: fixed breadcrumb behavior.
* - Patch 287949 by Freso, Damien Tournoud: keep language icons in consistent order across nodes.
* - Patch 265899 by mfb: uri_brief mail token did not support https URLs.
* - Patch 272952 by NancyDru and chx: fixed documentation issue.
* - Patch 170310 by mfb, JohnAlbin: avoid SSL cookie getting over-written by non-SSL cookie.
* - Patch 243063 by GoofyX: fixed typo in context-sensitve help.
* - Patch 295152 by dww, Damien Tournoud, et al: fixed version comparison.
* - Patch 278759 by douggreen, fletchgqc: improved code comment.
* - Patch 276018 by mfb: extend the lifetime of temporary files.
* - Patch 228576 by sun: too ambiguous stylesheet in dblog.css when form_altering the watchdog table.
* - Patch 285309 by pwolanin: menu_name in hook_menu is ignored on updates.
* - Patch 261859 by rse, Damien Tournoud: make the trigger module work on PostgreSQL.
* - Patch 305436 by Damien Tournoud, lelutin: fixed unclosed <li> tag in the context-sensitive help.
Any many more. See http://drupal.org/node/318701 for all the details
Drupal 6.4, 2008-08-13
----------------------
- Fixed a security issue (Cross site scripting, Arbitrary file uploads via
BlogAPI, Cross site request forgeries and Various Upload module
vulnerabilities), see SA-2008-047.
- Improved error messages during installation.
- Fixed a bug that prevented AHAH handlers to be attached to radios widgets.
- Fixed a variety of small bugs.
