Drupal Release: 6.7

Tag Name: 6.7

Release Date: 12/10/2008

Drupal

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 6.7 brings important security enhancements, bug fixes, and performance improvements

This maintenance release focuses on security hardening with improved HTTP host validation and session cookie protection. It addresses several bugs in theme handling, form API functionality, and CSS processing. While not introducing major new features, Drupal 6.7 provides important fixes that improve stability, security, and performance for all Drupal 6 sites.

Highlights of the Release

    • Enhanced security with improved HTTP_HOST validation and HTTP-only session cookies
    • Fixed theme handling issues including child theme template inheritance and theme disabling during updates
    • Improved form API functionality with proper #submit handlers and #ahah support for checkboxes
    • Better protection of sensitive files through .htaccess improvements
    • Fixed CSS aggregation issues that caused some styles to fail

Migration Guide

No specific migration steps are required for this maintenance release. Drupal 6.7 is a drop-in replacement for previous Drupal 6.x versions and does not introduce any API changes that would require code modifications.

When upgrading:

  1. Back up your database and site files
  2. Put your site in maintenance mode
  3. Replace your existing Drupal core files with the new 6.7 release
  4. Run update.php to apply any database changes
  5. Take your site out of maintenance mode

Note that this release includes security improvements, so upgrading is highly recommended for all Drupal 6 sites.

Upgrade Recommendations

Priority: Medium-High

This release contains several important security enhancements and bug fixes that improve the stability and security of Drupal 6 sites. While it doesn't address critical vulnerabilities, the security hardening measures (improved HTTP host validation and HTTP-only session cookies) provide valuable protection against potential attacks.

All Drupal 6 sites should plan to upgrade to this version in their next regular maintenance window. Sites experiencing any of the specific issues fixed in this release (particularly theme-related problems or form API issues) should prioritize upgrading sooner.

Bug Fixes

Theme System Fixes

  • Fixed issue where themes could not have a preprocess function without a corresponding .tpl.php file (#258089)
  • Fixed child themes not inheriting patterns correctly from parent themes, causing more specific template files to not be detected (#333060)
  • Fixed problem where all themes were disabled when update.php was run (#305653)
  • Fixed invalid XHTML being generated for forum topic listings (#324118)

Form and UI Fixes

  • Fixed content type names being double escaped on create content page (#255150)
  • Added missing #ahah support on checkboxes (#299742)
  • Fixed block sorting when there are more than 20 blocks (#293370)
  • Fixed incorrect regex causing some aggregated CSS to fail (#255293)
  • Fixed path alias fields to have consistent maximum length with the database (#335385)

Other Fixes

  • Fixed PHP warning in various contexts (#329019)
  • Fixed user_access() not being properly reset (#329646)
  • Fixed drupal_http_request() including an extra CRLF, making it non-conformant to HTTP specs (#345167)
  • Fixed explicit UTF-8 client encoding setting for PostgreSQL (#319165)

New Features

No significant new features were introduced in this maintenance release. Drupal 6.7 focuses primarily on security enhancements, bug fixes, and performance improvements to the existing functionality.

Security Updates

Security Enhancements

  • Improved HTTP_HOST checking by ensuring the host is lowercased and only valid characters are allowed (#324875)
  • Enhanced cookie handling in sess_regenerate() by setting session cookies as HTTP-only, reducing the risk of session stealing via XSS attacks (#280934)
  • Added protection for *.test files and SVN metafiles to prevent them from being exposed under Drupal (#28776)
  • Improved security for locale translations and imports by disallowing potentially dangerous submissions (#276111)
  • Updated robots.txt to remove outdated items and improve organization (#299582)
  • Added escaping for markup-looking non-HTML tags in schema descriptions to prevent potential XSS issues (#329998)
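The HTTP_HOST hardening in the first item amounts to normalising the header to lowercase and rejecting anything outside a small character allowlist before the value is used. The following is an added example, not Drupal core code: `example_valid_http_host()` is a hypothetical name, and the exact allowlist and the 255-byte length limit are assumptions, since this page only says "valid characters".

```php
<?php
// Added illustration; not Drupal core code. The function name is hypothetical.

/**
 * Normalise and validate a Host header value.
 *
 * Returns the lowercased host, or FALSE when the value contains characters
 * that cannot appear in a hostname, an IP literal or a port suffix.
 */
function example_valid_http_host($raw_host) {
  $host = strtolower($raw_host);

  // Assumed limit: reject empty values and anything longer than a DNS name.
  if ($host === '' || strlen($host) > 255) {
    return FALSE;
  }

  // Assumed allowlist: letters, digits, hyphen, dot, colon (port or IPv6)
  // and square brackets (IPv6 literal). Slashes, quotes, whitespace, CR/LF
  // and NUL bytes all fail the match. The D modifier stops "$" from
  // matching before a trailing newline.
  if (!preg_match('/^[a-z0-9.\-:\[\]]+$/D', $host)) {
    return FALSE;
  }

  return $host;
}

// Constructed sample Host header values (not taken from real traffic).
$samples = array(
  'Example.COM',
  'example.com:8080',
  '[::1]:8080',
  "example.com\n",
  "example.com\r\nX-Extra: 1",
  'example.com/../other',
  'exa mple.com',
);

foreach ($samples as $sample) {
  $result = example_valid_http_host($sample);
  printf("%-32s => %s\n", json_encode($sample), $result === FALSE ? 'REJECT' : $result);
}
```

A rejected value should end the request with an error response rather than fall back to a default host, so that later code never builds paths or URLs from unvalidated input.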

Performance Improvements

Performance Enhancements

  • Removed redundant cache flushing operations (#325908)
  • Attempted to improve performance by avoiding no-op queries during menu rebuilding, though this change was later rolled back due to reported issues (#302638)

Impact Summary

Drupal 6.7 is primarily a maintenance and security enhancement release that addresses several important issues without introducing major new functionality. The most significant improvements focus on security hardening through better HTTP host validation and session cookie protection, which help defend against potential attacks.

Theme developers will benefit from fixes to several long-standing issues, including the ability to create preprocess functions without corresponding template files and proper inheritance of template patterns in child themes. Site administrators will appreciate the fixed block sorting functionality when managing larger numbers of blocks.

The release also includes various documentation improvements, performance optimizations, and fixes for form API functionality. While individually modest, these changes collectively improve the stability, security, and developer experience of Drupal 6.

Statistics:

Files Changed: 25
Line Additions: 312
Line Deletions: 87
Line Changes: 399
Total Commits: 34

Users Affected:

  • Benefit from improved security with better HTTP host validation and session cookie protection
  • Will see fixed block sorting when managing more than 20 blocks
  • No longer experience issues with themes being disabled during update.php runs

Contributors:

goba, dbuytaert