diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index d727bdc27b00194e264a14ae4309143b40947cb5..3cdd1c6d3d995cb0ac3ccd0b781eaceeb135ac3e 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,10 @@
 // $Id$
 
-Drupal 5.17, xxxx-xx-xx (development version)
+Drupal 5.17, 2009-04-29
 -----------------------
+- Fixed security issues (Cross site scripting and limited information
+  disclosure) see SA-CORE-2009-005.
+- Fixed a variety of small bugs.
 
 Drupal 5.16, 2009-02-25
 -----------------------
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index 2a3fdfedca033afebf9f7e81e5b09bfa9000bc5b..9742ee931e63a7865f47db8892e314d9fde0a746 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -725,6 +725,8 @@ function request_uri() {
       $uri = $_SERVER['SCRIPT_NAME'] .'?'. $_SERVER['QUERY_STRING'];
     }
   }
+  // Prevent multiple slashes to avoid cross site requests via the FAPI.
+  $uri = '/'. ltrim($uri, '/');
   return $uri;
 }
diff --git a/includes/common.inc b/includes/common.inc
index 32527c7bd766f1974dda29297c267f8761f895b5..0cb2290648d8bcceaec38a04ce3a20afb60c2261 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -151,6 +151,15 @@ function drupal_get_headers() {
   return drupal_set_header();
 }
 
+/**
+ * Make any final alterations to the rendered xhtml.
+ */
+function drupal_final_markup($content) {
+  // Make sure that the charset is always specified as the first element of the
+  // head region to prevent encoding-based attacks.
+  return preg_replace('/]*>/i', "\$0\n", $content, 1);
+}
+
 /**
  * Add a feed URL for the current page.
  *
diff --git a/includes/theme.inc b/includes/theme.inc
index 3e8f103173bc09aba122e52616c05b5bae72de30..2047311c2c69d969502c14b6bf2213ff6d8dd8a8 100644
--- a/includes/theme.inc
+++ b/includes/theme.inc
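Review bot: The added normalisation `$uri = '/'. ltrim($uri, '/');` strips leading forward slashes only, so a request path beginning with a slash followed by a backslash keeps its backslash, and browsers commonly treat `\` like `/` when resolving a scheme-relative URL that ends up in a form action. If the surrounding code relies on this line to keep the returned URI site-relative, consider `$uri = '/'. ltrim($uri, '/\\');` together with a comment stating that both separators are collapsed for that reason. The rest of request_uri(), including the branches that first assign `$uri`, lies outside the hunk, so whether callers escape the value before emitting it cannot be checked here.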
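Review bot: `drupal_final_markup()` is introduced with a one-line docblock and no parameter or return documentation; the file's docblock style would want `@param $content The fully rendered page markup.` and `@return The markup with the charset declaration inserted directly after the opening head tag, or the input unchanged when no head tag is matched.` The pattern and replacement as rendered on this page, `'/]*>/i'` and `"\$0\n"`, look like their angle-bracketed parts were stripped during extraction, so the exact tag matched and the element inserted cannot be verified from here. The limit argument `1` confines the substitution to the first match, which is worth stating in the inline comment since any later head tag in the content is deliberately left alone; note also that `preg_replace()` returns NULL on a PCRE error, which would turn the whole page into empty output rather than leaving it unaltered.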
@@ -168,7 +168,12 @@ function theme() {
     $functions[$function] = theme_get_function($function);
   }
   if ($functions[$function]) {
-    return call_user_func_array($functions[$function], $args);
+    $output = call_user_func_array($functions[$function], $args);
+    // Add final markup to the full page.
+    if ($function == 'page') {
+      $output = drupal_final_markup($output);
+    }
+    return $output;
   }
 }
diff --git a/modules/system/system.module b/modules/system/system.module
index f7dd43233bfb8ca2fb2c3fc5613eefa5bb1cd392..40d4269713eec03860343637fb1542e48c3eaa80 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -6,7 +6,7 @@
  * Configuration system that lets administrators modify the workings of the site.
  */
 
-define('VERSION', '5.17-dev');
+define('VERSION', '5.17');
 
 /**
  * Implementation of hook_help().
diff --git a/themes/bluemarine/page.tpl.php b/themes/bluemarine/page.tpl.php
index 5298c1d0ff7fa082654179629c1b55fab948cb7c..69f33df7d29e87b8db82de8ddb978127bdd30775 100644
--- a/themes/bluemarine/page.tpl.php
+++ b/themes/bluemarine/page.tpl.php
@@ -2,8 +2,8 @@
-  <?php print $head_title ?>
+  <?php print $head_title ?>
diff --git a/themes/chameleon/chameleon.theme b/themes/chameleon/chameleon.theme
index cf286e68454cc4382e33c7b15b4a2895a9b4582f..5daf5b7c8287bc3c790930c55b65355e9e1f0f2a 100644
--- a/themes/chameleon/chameleon.theme
+++ b/themes/chameleon/chameleon.theme
@@ -39,8 +39,8 @@ function chameleon_page($content, $show_blocks = TRUE) {
   $output = "\n";
   $output .= "\n";
   $output .= "\n";
-  $output .= " ". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."\n";
   $output .= drupal_get_html_head();
+  $output .= " ". ($title ? strip_tags($title) ." | ". variable_get("site_name", "Drupal") : variable_get("site_name", "Drupal") ." | ". variable_get("site_slogan", "")) ."\n";
   $output .= drupal_get_css();
   $output .= drupal_get_js();
   $output .= "";
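Review bot: The new branch keys on the hook name with a loose comparison, `if ($function == 'page') {`; `$function` appears to be a plain string here so it works, but `===` states the intent and avoids the usual `==` coercion surprises, i.e. `if ($function === 'page') {`. Because the post-processing is tied to the 'page' hook alone, any path that yields a full document without going through `theme('page')` (a theme invoking its page function directly, for instance) would presumably not pass through `drupal_final_markup()`, which the comment should say, e.g. `// Post-process only the full page; other hooks return fragments.` The enclosing theme() function starts before this hunk, so where `$function` is taken from cannot be confirmed here.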
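Review bot: The bluemarine hunk, and likewise the garland and pushbutton page.tpl.php hunks on the following line, carry no comment explaining the new ordering inside the head, so a later template edit could silently move the title back above the head output. As rendered on this page each of these hunks shows only the `<?php print $head_title ?>` line on both sides, the surrounding markup having been stripped during extraction, so the actual reordering cannot be verified here. Assuming the diff moves the title below the head output, a template comment next to the title line such as `<?php // Keep the title after the head output so the charset declaration comes first. ?>` would record the intent.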
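Review bot: The relocated title line in chameleon_page() calls `variable_get("site_name", "Drupal")` twice inside one long ternary and carries no comment saying why it now follows `drupal_get_html_head()`. Hoisting the site name into a local and adding a why-comment keeps both readable and the ordering constraint visible: `$site_name = variable_get("site_name", "Drupal");` and `// The title follows drupal_get_html_head() so the charset declaration precedes it.`, then use `$site_name` in both branches of the ternary. The added line is otherwise identical to the removed one, so the behavioural change is purely the position of the title within the head output, presumably so that the html head output precedes any user-influenced text.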
diff --git a/themes/garland/page.tpl.php b/themes/garland/page.tpl.php
index 2562513a761fdee1fb6b2e1523f14fdaab5d36fb..a54335de74a6fbd66d54ba11788bd34b459ef7f3 100644
--- a/themes/garland/page.tpl.php
+++ b/themes/garland/page.tpl.php
@@ -2,8 +2,8 @@
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-  <?php print $head_title ?>
+  <?php print $head_title ?>
diff --git a/themes/pushbutton/page.tpl.php b/themes/pushbutton/page.tpl.php
index 2a1e34184348908c4e65c6331bde5c41d23ebf04..d98a2fc41c8b14b95b82a55ce0decd234cedeeb8 100644
--- a/themes/pushbutton/page.tpl.php
+++ b/themes/pushbutton/page.tpl.php
@@ -1,9 +1,9 @@
-  <?php print $head_title ?>
+  <?php print $head_title ?>