Drupal 6.3 and 5.8 released, fixing security issues More information can be found -> HERE Drupal 6.3 and Drupal 5.8, maintenance releases fixing problems reported using the bug tracking system, as well as security vulnerabilities, are now available for download. Drupal 6.3 also includes some changes to the installer to prevent file ownership issues on shared hosts; upgrades jQuery to version 1.2.6; improves PostreSQL compatibility; fixes performance issues in search, menu and form API and contains a variety of other small improvements. It should also be noted that the Views for Drupal 6 release candidate requires Drupal 6.3 to run properly. Drupal 6.3 Release Note * SA-2008-044 - Drupal core - Multiple vulnerabilities * - Patch #245904 by boombatower: fixed E_NOTICE warning in the XML-RPC library. * - Patch #245826 by Jax: trust_root is not set for OpenID 1.0 due to an undefined variable. * - Patch #244942 by pwolanin: fixed outdated function name in schema description. * - Patch #236242 by jpoesen and Garrett Albright: fixed two typos in the node module's install file. * - Patch #232433 by mfb: make sure RSS feeds validate. * - Patch #249941 by John Morahan: fixed incorrect parameters of watchdog() calls. * - Patch #230932 by ryanlath: file_scan_directory() didn't scan the directory called '0'. * #153998 follow up by salvis: we should return NULL if access cannot be granted based on permissions so the node level permission system can take it forward * #241570 by merlinofchaos: original hook name was not carried over when using patterns, so preprocess function collection was broken in that case * #216504 by mcarbone and webchick: comment table was not properly aliased in comment_render()'s count query, so db_rewrite_sql() was not working well on the query * #127295 by yhager: module version numbers should always be displayed LTR * #88892 by darthsteven and flobruit: form_set_value() documentation was misleading, updating that * #226869 by boydj and hswong3i: minor code style cleanup with aggregator module queries * #234065 by David_Rothstein: (very minor) one dot missing from secondary links explanation on upgrade path from Drupal 5 * - Patch #225859 by webchick: fixed warning in author information block. * - Patch #231132 by snufkin: fixed invalid XML-RPC error messages due to HTML tags being inserted in the message string. * - Patch #253022 by beginner: fixed typo in code comments. * - Modified patch #230374 by killes, jakeg, Eaton et al: corrected problem with form API caches not being flushed. This could lead to performance issues. * - Patch #239958 by Steve Dondley: clearing cache does not immediately reload theme's .info file. * - Patch #256736 by flobruit: fixed bad HTML in help text. flobruit is on a patching spree! * - Patch #258128 by webchick: @parameter should be @param. Gets the Most Trivial Patch of the Month Award. * #258120 report by dag, patch my myself: l() attributes were not updated properly to Drupal 6 in theme_username() * #200824 by sammys, justinrandell, Arancaytar, test by vladimir.dolgopolov: drupal_write_record() returns array in some error cases when it should just return objects * #241570 follow up by merlinofchaos: the previous patch was inverting the problem with theme preprocess functions * - Patch #258405 by greggles: clean up MAINTAINERS.txt. * - Patch #259463 by dmitrig01: notification e-mail for pending user registrations had blank subject line. * #217957 by yched, quicksketch: header cell removal is broken when headers use colspans (and a little bit of performance improvement) * #238760 by Optalgin, boydjd, Damien Tournoud, pwolanin: reduce window for error in menu table rebuilding, only emptying the table once we have data to save to there * #249571 by pwolanin: primary and secondary links did not get the active-trail class * #189568 follow up by dvessel and Desbeers: we need to unset the CSS file overriden so that it is not added on CSS aggregation * #252580 by Robert Douglass, Gerhard Killesreiter, flobruit: avoid division by zero, when all search weights are set to 0 * #258192 by dww: strong and em tags could just as well have attributes as any other tag * - Patch #169899 by Island Usurper: taxonomy caching not always working. * #259483 by merlinofchaos, pwolanin: Undefined index: attributes in menu.inc line 517 * - Patch #268204 by aclight: fixed E_NOTICE. * - Patch #251402 by quicksketch: text can't be selected via click and drag when the Drupal drag and drop interface is present in IE7. * - Patch #269443 by dvessel: normalize node types. * - Patch #254553 by aclight: fixed E_NOTICE. * #257279 by robertDouglass and David Lesieur, tested by douggreen: removing an extra join which was not required in the do_search query; improves search speed. * #252921 by David_Rothstein and agentrickard: remove unused join, which caused column type compatibility problems with postgresql; improves postgresql compatibility * - Patch #271326 by keith.smith: fixed oxymoron in the installation guide. * - Patch #273761 by catch: removed inconsistent delete behavior of nodes. It would leave comments, ratings, etc behind in the database. * #258475 by alpritt: improve code documentation of the l() function * #266367 by zeta z: improve code documentation on how modules should provide default theme hook implementation * #180646 by Heine, John Morahan: taxonomy_get_term_by_name() should use = instead of LIKE in query, to allow for % to be a free tag * #266596 by pwolanin: menu performance improvement to not localize menu items which are not accessible * #277677 by yched: fix drupal_write_record() to support updating columns to NULL; required to make CCK work without workarounds * #170309 by Jaza, keith.smith, naquah, pwolanin, Nick Urban, Pasqualle: menu_set_active_trail() does not allways include all items; fixing breadcrumbs to include parants properly * #230029 by killes: rework node saving code to remove possible race condition with node and node revision saves; solves duplicate key errors on busy sites * #272636 by evolvingweb, dvessel: add 'js' class to html tag in drupal.js instead of overwriting all its classes with 'js' * #256285 by hass, mfer, tested by mfer: upgrade to jQuery 1.2.6, fixing some JavaScript interaction bugs; also improves JavaScript performance * Fixing CVS Id tag on jquery.js * - Patch #273523 by aclight: fixed E_NOTICE in theme_fieldset(). * Rolling back #227677: caused issues with node_save() after its race condition was resolved in #230029 * - Patch #276846 by pwolanin: fixed malformed cid. * - Patch #278617 by asimmonds: fixed broken link. * #174940 by gpk: avoid calling up the full Drupal bootstrap for nonexistent favicon.ico * #276860 by pwolanin: remove unused code in book module (made obsolote by AHAH improvements) * #197124: even though documented and intended, themes could not remove module stylesheets by specifying their name with a non-existent file * #128846 by takashi, chx, bdragon, wedge, salvis, Shiny: rewritten queries on PostreSQL need to have matching DISTINCT ON and ORDER BY expressions * #277604 by gpk: code documentation formatting fixes for url() and some other functions in common.inc * #272900 by pwolanin: avoid saving book (menu) data when another user changed the book in the meantime * #273129 by luddet, pwolanin: the fix to add the active-trail class to menu items resulted in overwriting of existing attributes * #225880 by pwolanin, keith.smith: get the user create settings.php instead of Drupal, so upgrading getseasier Drupal 5.8 Release Note * SA-2008-044 - Drupal core - Multiple vulnerabilities * #215252 by bdragon: reset the cache flush variable before the cache is flushed, so busy sites will not attempt multiple cache flushes at a time * #165642 by Bart Jansens. Use a local variable rather than overwriting the global $user. * Remove typo. * #157652 by beginner, Steven Merrill and killes: block_user() had a global user object and a user parameter colliding * #216404 by Rob Loach: path_nodeapi() only worked for users with permissions, although node loading requires the path to be loaded. * #101904 by David_Rothstein. Make secondary links work for primary links with '' path. * #84754: fix 404 and 403 error pages if the path set for these error pages does not exist * #176503 by chx and bennybobw: hidden profile fields cannot be required and cannot be put on the registration form, so we needed warnings on the editing form to not let admins save forms set with these combinations. Backport by Bart Jansens. * #104220 by ChrisKennedy: remove arbitrary half post max size restriction on maximum uploadable file size. Backport by Bart Jansens. * #209488 by Bart Jansens. Use mysqli_connect_error() when mysqli database connection fails. * #211825 by webchick. Fix revision revert log message. * #213172 by skiquel: let color module run properly without a base image * #212864 suggestion by pp, patch by gdevlugt: use format_date() for RSS item dates instead of date() to honor site time zone settings * #171951 by dvessel: fix account specific theme selection form Backport in #109459. * #208023 by traxer. Order node/add by name, not internal type. * #204415 by pwolanin et al. Blacklist problematic machine-readable content type names. * #75916 follow up patch by Richard Eriksson: allow aggregator pages to be indexed by default * #113318 by dww: correct Postgres support. * #176273 by Bart Jansens. Fix argument order. * #227548 by Heine, AjK: misuse of db_escape_string(), when db_escape_table() should have been used * #244597 by kbahey: remove cruft from user_login(), that added extra message to the form was never used or displayed * #232037 by pwolanin: (performance) block regions should only be populated when called for, not in all cases (fixes performance expectation on 403/404 pages) * #226869 by boydj and hswong3i: minor code style cleanup with aggregator module queries * #175743 by Desbeers: fix numerous issues around node submission dates and content editing. 5.x backport by Freso. * - Patch #231132 by snufkin: fixed invalid XML-RPC error messages due to HTML tags being inserted in the message string. * #208888 by jvandyk: set access time when externally authenticated user first logs in Backport by joshk and stevecrozz. * #246476 by Jacine. Correct block admin column count. * #104662 by chx: the search block form might not be available on the search page itself, so that target was not right for search block form submissions. Backport by webchick. * - Patch #258128 by webchick: @parameter should be @param. Gets the Most Trivial Patch of the Month Award. Backport by gpk. * #140162 by maartenvg. Clear the PHP stat cache after resizing images. * #214390 by shrop. Partial backport of #153998, use a separate permission for blogapi since it does not depend on blog module. * #264647 by clemens.tolboom. Fix seconds parsing for XML-RPC dates. * #155337 by gpk and Bevan: only treat newlines teaser breakers, if the newline filter is present in the particular input format * - Patch #169899 by Island Usurper: taxonomy caching not always working. * #171461 by chx, ejhildreth and dvessel: empty tbody fails validation. Backport by m1mic. * #193891 by mvc: fix NOTICE in database.mysqli.inc because of possibly missing port number * - Patch #273761 by catch: removed inconsistent delete behavior of nodes. It would leave comments, ratings, etc behind in the database. * #159538 by Wesley Tanaka. 404 instead of showing recent blog posts for invalid paths. * - Patch #180646 by John Morahan: SQL in taxonomy_get_term_by_name() should use = instead of LIKE. * #276615 by JacobSingh. Clear page cache when CSS cache is cleared?