- Patch #241629 by solotandem: the cron.php query left an extra row in the watchdog table due to a off-by-one error.

- Patch #241021 by keith.smith: we forgot to remove a reference to the 'story' node type.  It was renamed to 'article'.

  This is a big and important patch for Drupal's security.  We are switching
  to much stronger password hashes that are also compatible with the Portable
  PHP password hashing framework.

  The new password hashes defeat a number of attacks, including:

  - The ability to try candidate passwords against multiple hashes at once.
  - The ability to use pre-hashed lists of candidate passwords.
  - The ability to determine whether two users have the same (or different)
    password without actually having to guess one of the passwords.

  Also implemented a pluggable password hashing API (similar to how an alternate
  cache mechanism can be used) to allow developers to readily substitute an
  alternative hashing and authentication scheme.

  Thanks all!

- Patch #235821 by kbahey and pwolanin: include upgrade path for cron changes, improved security of key.

- Patch #232037 by pwolanin and flobruit: block_list() renders all blocks even on 404.  Refactored the code a bit so ithere is a split between loading and rendering of blocks.  By doing so, we are no longer forced to render _all_ blocks if we know they won't be shown.  There is more room for improvement here, I believe, but this is an incremental improvement.

- Patch #81931 by webchick et al: made the recent comments block configurable.  Somme minor changes by me.

- Patch #30984 by webchick, keith.smith, kkaefer, Crell et al: provide descriptions for permissions on the permission administration page.

- Patch #222183 by Gabor and Keith: make the input formats reorderable as a first step towards better input format handling, and ultimately, good WYSIWYIG support.

- Patch #181578 by Moshe: removed distributed authentication code from user_save().  Factored the relevant code out to a separate function.