Drupal 6.6 and 5.12 released, fixing security issues More information can be found -> HERE Drupal 6.6 and Drupal 5.12, maintenance releases fixing problems reported using the bug tracking system, as well as critical security vulnerabilities, are now available for download. Upgrading your existing Drupal 5 and 6 sites is strongly recommended. There are no new features in these releases. Drupal 6.6 Release Note * SA-2008-067 - Drupal core - Multiple vulnerabilities * - Patch #315656 by Damien Tournoud: fixed bug in drupal_lookup_path('wipe'). * - Patch #285165 by Heine, Gabor: fixed wildcard loader names with numbers. * #285165 follow up by Damien Tournoud, pwolanin, chx: fixed wildcard loader problem * - Patch #293078 by lilou: correction for user-profile.tpl.php documentation. * - Patch #321165 by Dave Reid: fixed exceptions in XML-RPC library. Backported from CVS HEAD. * #260372 by andershal and nedjo: All translations were removed from translation set when deleting a node and only two nodes are left. * #284887 by Dave Reid, dww: Avoid a 403 on autocomplete fields, when people do not have access to the path used for autocompletion; by disabling the autocomplete altogether in this case. * #317238 by Pedro Lozano: Fix incorrect path to remove orphaned actions. * #318102 by Dave Reid: hook_exit() was not invoked for some cached requests. * - Patch #316753 by dvessel: exanded PHP doc of path_to_theme(). * - Patch #320793 by hass: fixed translation issue. * #319769 reported by Pasqualle, patch by Dave Reid: drupal_init_language() should be called before drupal_maintenance_theme() in _db_error_page() to ensure that the language object exists on DB error pages. * #295626 by Damien Tournoud, wuf31, drewish: locale_block() generated incorrect paths for frontpage links * #20527 by mpare, bdragon, mfb: file_transfer() should only call ob_end_clean() if there was an actual output buffer opened * #320146 by pwolanin: little usability tweak to link the site offline admin message to the maintenance settings page * #293612 by egfrith, Bart Jansens: let user_authenticate() be called without cookies previously set; allows web service modules to start a session with the authentication * - Patch #302518 by AlexisWilke: fixed problem with PostgreSQL users not being able to delete blocks. * #277206 by Damien Tournoud, lilou, fp: untranslatable string in the installer * #249571 by pwolanin: Primary/secondary links did not get the 'active-trail' class properly on the list items * - Patch #324080 by winterheart: missing -tag. Drupal 5.12 Release Note * SA-2008-067 - Drupal core - Multiple vulnerabilities