diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 8f0ea5278551da5ba2bb6573d507fae00fff2fb5..706a0fb8555b05d999cf90cdff666181734f227a 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,10 @@
 // $Id$
-Drupal 6.13-dev, xxxx-xx-xx (development release)
+Drupal 6.13, 2009-07-01
 ----------------------
+- Fixed security issues (Cross site scripting, Input format access bypass and
+ Password leakage in URL), see SA-CORE-2009-007.
+- Fixed a variety of small bugs.
 Drupal 6.12, 2009-05-13
 ----------------------
@@ -189,6 +192,11 @@ Drupal 6.0, 2008-02-13
 - Removed old system updates. Updates from Drupal versions prior to 5.x will require upgrading to 5.x before upgrading to 6.x.
+Drupal 5.19, 2009-07-01
+-----------------------
+- Fixed security issues (Cross site scripting and Password leakage in URL), see SA-CORE-2009-007.
+- Fixed a variety of small bugs.
+
 Drupal 5.18, 2009-05-13
 ----------------------
 - Fixed security issues (Cross site scripting), see SA-CORE-2009-006.
diff --git a/includes/common.inc b/includes/common.inc
index 1165e1050f953a0a5995ca3facdbbc267a8138f7..5db1fe64f80cdf220ed170bf444ec31a8132b9f4 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -587,7 +587,7 @@ function drupal_error_handler($errno, $message, $filename, $line, $context) {
 return;
 }
- if ($errno & (E_ALL)) {
+ if ($errno & (E_ALL ^ E_NOTICE)) {
 $types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error');
 // For database errors, we want the line number/file name of the place that
diff --git a/includes/pager.inc b/includes/pager.inc
index 68e453ac78610e09bb4220de18e9b4c4030fcd18..340fd8f76500298fab388a06c75ffdb4b7918c1e 100644
--- a/includes/pager.inc
+++ b/includes/pager.inc
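Review bot: The `E_ALL ^ E_NOTICE` mask on the `+` line silences notices inside this handler unconditionally, so undefined-index and undefined-variable notices — often the first visible symptom of tampered request data — no longer reach whatever the rest of the function does with them, regardless of the site's `error_reporting` setting. PHP invokes a custom handler for every error level, so this line is the only place the configured level could still be honoured; a mask derived from `error_reporting()` instead of a hard-coded one, e.g. `if ($errno & error_reporting()) {`, would let a site opt notices back in, provided nothing earlier in bootstrap forces the level, and at the price of also dropping other levels a site has disabled, so it needs to be a deliberate choice. With notices excluded, the `8 => 'notice'` entry in the `$types` array on the next line is dead and should either go or carry a comment saying why it stays. The body of `drupal_error_handler` starts before and continues after this hunk.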
@@ -85,7 +85,7 @@ function pager_query($query, $limit = 10, $element = 0, $count_query = NULL) {
 function pager_get_querystring() {
 static $string = NULL;
 if (!isset($string)) {
- $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page'), array_keys($_COOKIE)));
+ $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page', 'pass'), array_keys($_COOKIE)));
 }
 return $string;
 }
diff --git a/includes/tablesort.inc b/includes/tablesort.inc
index 9c39c5ce8457824910fc98bd997e8b28006ddc3b..9249be7004fbdad373ed76a3405f142ed39d18f6 100644
--- a/includes/tablesort.inc
+++ b/includes/tablesort.inc
@@ -136,7 +136,7 @@ function tablesort_cell($cell, $header, $ts, $i) {
 * except for those pertaining to table sorting.
 */
 function tablesort_get_querystring() {
- return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order'), array_keys($_COOKIE)));
+ return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order', 'pass'), array_keys($_COOKIE)));
 }
 /**
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index 7bc02ddd4bb4f11b4fc77dc17e1be1002d178547..ee09bef563867f549b008e4957c995603bbd9728 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
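Review bot: Adding `'pass'` to the exclusion list on the `+` line is a denylist for a problem that comes from serialising `$_REQUEST` at all: pager state lives in the query string, yet this still copies every POST field of a form rendered on the same page — a form's own `form_token` and `form_build_id`, or any password-like field that is not literally named `pass` — into the pager links. Unless something relies on POST values surviving into those links, building from `$_GET` removes the whole class: `$string = drupal_query_string_encode($_GET, array('q', 'page'));` (the `array_keys($_COOKIE)` exclusion exists only because `$_REQUEST` can contain cookies, so it goes too). If `$_REQUEST` must stay, a comment above the line should say why and which other keys were considered, because the next sensitive field name will not be on the list.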
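Review bot: Same gap as in `pager_get_querystring`: the `+` line excludes only a key literally named `pass` from `$_REQUEST`, so any other POST field of a form on a page that also renders a sortable table is still echoed into every column-header link. If nothing depends on POST values reaching those links, `return drupal_query_string_encode($_GET, array('q', 'sort', 'order'));` closes the class instead of one name and makes the `$_COOKIE` exclusion unnecessary. Otherwise a comment naming the reason for `$_REQUEST` belongs above the line, since the docblock just above says only that sorting parameters are excluded.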
@@ -936,7 +936,7 @@ function comment_render($node, $cid = 0) {
 if ($cid && is_numeric($cid)) {
 // Single comment view.
- $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d';
+ $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d';
 $query_args = array($cid);
 if (!user_access('administer comments')) {
 $query .= ' AND c.status = %d';
@@ -957,7 +957,7 @@ function comment_render($node, $cid = 0) {
 else {
 // Multiple comment view
 $query_count = 'SELECT COUNT(*) FROM {comments} c WHERE c.nid = %d';
- $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d';
+ $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d';
 $query_args = array($nid);
 if (!user_access('administer comments')) {
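Review bot: The column list that now carries `u.signature_format` is hand-maintained in two queries in this function and in two more in `comment_form_add_preview` and `comment_reply` in this same commit, and the consumer (`user_comment`, also in this commit) renders the signature with whatever `$comment->signature_format` it is given; a comment query that forgets the column produces an unset property rather than a failure, and after the `drupal_error_handler` change in this commit not even a logged notice. A comment above each `$query` stating the contract would catch that in review, e.g. `// Must select u.signature_format: user_comment() renders the signature with it.`, or the `u.` columns could be hoisted into one shared string so the four lists cannot drift. `comment_render` starts before and continues after both hunks.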
@@ -1468,7 +1468,7 @@ function comment_form_add_preview($form, &$form_state) {
 $output = '';
 if ($edit['pid']) {
- $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], COMMENT_PUBLISHED));
+ $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], COMMENT_PUBLISHED));
 $comment = drupal_unpack($comment);
 $comment->name = $comment->uid ? $comment->registered_name : $comment->name;
 $output .= theme('comment_view', $comment, $node);
@@ -1778,14 +1778,14 @@ function theme_comment_thread_expanded($comment, $node) {
 function theme_comment_post_forbidden($node) {
 global $user;
 static $authenticated_post_comments;
-
+
 if (!$user->uid) {
 if (!isset($authenticated_post_comments)) {
 // We only output any link if we are certain, that users get permission
 // to post comments by logging in. We also locally cache this information.
 $authenticated_post_comments = array_key_exists(DRUPAL_AUTHENTICATED_RID, user_roles(TRUE, 'post comments') + user_roles(TRUE, 'post comments without approval'));
 }
-
+
 if ($authenticated_post_comments) {
 // We cannot use drupal_get_destination() because these links
 // sometimes appear on /node and taxonomy listing pages.
diff --git a/modules/comment/comment.pages.inc b/modules/comment/comment.pages.inc
index 0bf1689497af31624ff82261dd43d33ff5ca7464..e318fa10749b7a63da0338092aa0fd333febab2b 100644
--- a/modules/comment/comment.pages.inc
+++ b/modules/comment/comment.pages.inc
@@ -70,7 +70,7 @@ function comment_reply($node, $pid = NULL) {
 // $pid indicates that this is a reply to a comment.
 if ($pid) {
 // load the comment whose cid = $pid
- if ($comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $pid, COMMENT_PUBLISHED))) {
+ if ($comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $pid, COMMENT_PUBLISHED))) {
 // If that comment exists, make sure that the current comment and the parent comment both
 // belong to the same parent node.
 if ($comment->nid != $node->nid) {
diff --git a/modules/forum/forum.pages.inc b/modules/forum/forum.pages.inc
index d1fa160c8a5ef12be002b26d7c1a0154b2250a19..49314114939c1ed9d242a80bc3134424b256b780 100644
--- a/modules/forum/forum.pages.inc
+++ b/modules/forum/forum.pages.inc
@@ -10,6 +10,11 @@
 * Menu callback; prints a forum listing.
 */
 function forum_page($tid = 0) {
+ if (!is_numeric($tid)) {
+ return MENU_NOT_FOUND;
+ }
+ $tid = (int)$tid;
+
 $topics = '';
 $forum_per_page = variable_get('forum_per_page', 25);
 $sortby = variable_get('forum_order', 1);
diff --git a/modules/system/system.install b/modules/system/system.install
index 7ef4f1d538b3401e96fcebeb88f5e6f9f1c28f1a..0f4b28709cb12e5bda49d25a3e2e1f46f990f468 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
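Review bot: `is_numeric()` in the new guard in `forum_page` is looser than the `(int)` cast two lines below assumes: it accepts fractional and exponent forms such as `"1.9"` or `"1e2"`, which pass the check and are then truncated to a different term id than the one in the URL, so `forum/1.9` quietly serves `forum/1` instead of the 404 the guard intends. A digits-only test keeps the intent in one line: `if (!ctype_digit((string) $tid)) {` — the default `0` still passes as `"0"`, and negative ids, which `is_numeric` also lets through, are rejected. Whether a zero id should reach the query code is decided below this hunk; `forum_page` continues after it.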
@@ -2564,6 +2564,39 @@ function system_update_6050() {
 return $ret;
 }
+/**
+ * Create a signature_format column.
+ */
+function system_update_6051() {
+ $ret = array();
+
+ if (!db_column_exists('users', 'signature_format')) {
+
+ // Set future input formats to FILTER_FORMAT_DEFAULT to ensure a safe default
+ // when incompatible modules insert into the users table. An actual format
+ // will be assigned when users save their signature.
+
+ $schema = array(
+ 'type' => 'int',
+ 'size' => 'small',
+ 'not null' => TRUE,
+ 'default' => FILTER_FORMAT_DEFAULT,
+ 'description' => 'The {filter_formats}.format of the signature.',
+ );
+
+ db_add_field($ret, 'users', 'signature_format', $schema);
+
+ // Set the format of existing signatures to the current default input format.
+ if ($current_default_filter = variable_get('filter_default_format', 0)) {
+ $ret[] = update_sql("UPDATE {users} SET signature_format = ". $current_default_filter);
+ }
+
+ drupal_set_message("User signatures no longer inherit comment input formats. Each user's signature now has its own associated format that can be selected on the user's account page. Existing signatures have been set to your site's default input format.");
+ }
+
+ return $ret;
+}
+
 /**
 * @} End of "defgroup updates-6.x-extra"
 * The next series of updates should start at 7000.
diff --git a/modules/system/system.module b/modules/system/system.module
index e39952593ab3126b78a8ba064a356f5435f5e797..57d80b88966bdcd1a313c85abbc4365b25de4762 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -9,7 +9,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '6.13-dev');
+define('VERSION', '6.13');
 /**
 * Core API compatibility.
diff --git a/modules/user/user.install b/modules/user/user.install
index d04a39789077da701088c8d1ba3f278e8229bfff..44d55f3ca3cd0a028e7c045172227790e4c3a74b 100644
--- a/modules/user/user.install
+++ b/modules/user/user.install
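Review bot: The `UPDATE` on the `$ret[] = update_sql(...)` line of `system_update_6051` concatenates `$current_default_filter` straight into the SQL; it comes from the variable table rather than from a request, but an explicit cast costs nothing and makes the statement safe by construction: `$ret[] = update_sql("UPDATE {users} SET signature_format = ". (int) $current_default_filter);`. When `filter_default_format` is unset the `if` skips the update and rows keep the column default `FILTER_FORMAT_DEFAULT`, whereas `user_schema` in this commit declares the same column with `'default' => 0` — presumably the same value, but using the constant in both places would make that explicit. The `drupal_set_message()` text is also not wrapped in `t()`, unlike the message added to `user_edit_form` in this commit.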
@@ -191,6 +191,13 @@ function user_schema() {
 'default' => '',
 'description' => "User's signature.",
 ),
+ 'signature_format' => array(
+ 'type' => 'int',
+ 'size' => 'small',
+ 'not null' => TRUE,
+ 'default' => 0,
+ 'description' => 'The {filter_formats}.format of the signature.',
+ ),
 'created' => array(
 'type' => 'int',
 'not null' => TRUE,
diff --git a/modules/user/user.module b/modules/user/user.module
index 72e1e7baa4e777ffb273c91139ecd97a4263af15..79ddb7a7a47579dad603a13159d5c7f585cc3d85 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -532,7 +532,7 @@ function user_fields() {
 }
 else {
 // Make sure we return the default fields at least.
- $fields = array('uid', 'name', 'pass', 'mail', 'picture', 'mode', 'sort', 'threshold', 'theme', 'signature', 'created', 'access', 'login', 'status', 'timezone', 'language', 'init', 'data');
+ $fields = array('uid', 'name', 'pass', 'mail', 'picture', 'mode', 'sort', 'threshold', 'theme', 'signature', 'signature_format', 'created', 'access', 'login', 'status', 'timezone', 'language', 'init', 'data');
 }
 }
@@ -1519,6 +1519,15 @@ function user_edit_form(&$form_state, $uid, $edit, $register = FALSE) {
 '#default_value' => $edit['signature'],
 '#description' => t('Your signature will be publicly displayed at the end of your comments.'),
 );
+
+ // Prevent a "validation error" message when the user attempts to save with a default value they
+ // do not have access to.
+ if (!filter_access($edit['signature_format']) && empty($_POST)) {
+ drupal_set_message(t("The signature input format has been set to a format you don't have access to. It will be changed to a format you have access to when you save this page."));
+ $edit['signature_format'] = FILTER_FORMAT_DEFAULT;
+ }
+
+ $form['signature_settings']['signature_format'] = filter_form($edit['signature_format'], NULL, array('signature_format'));
 }
 // Picture/avatar:
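Review bot: The new `filter_access($edit['signature_format'])` check in `user_edit_form` reads the key unconditionally, so an `$edit` array without it — for instance one assembled by a caller other than the account-edit page — raises a notice and passes `NULL` first to `filter_access()` and then to `filter_form()`. A guarded read keeps the intent: `$signature_format = isset($edit['signature_format']) ? $edit['signature_format'] : FILTER_FORMAT_DEFAULT;`, used in both the check and the `filter_form()` call. The `empty($_POST)` half of the condition is the non-obvious part — presumably it skips the reset on a submission so the posted choice goes through validation instead — and deserves its own line, e.g. `// Only reset on first display; on submit the posted format is validated by the form.`. Whether this block runs when `$register` is TRUE is decided by an `if` outside the hunk; `user_edit_form` starts before and continues after it.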
@@ -2031,7 +2040,7 @@ function user_comment(&$comment, $op) {
 // Validate signature.
 if ($op == 'view') {
 if (variable_get('user_signatures', 0) && !empty($comment->signature)) {
- $comment->signature = check_markup($comment->signature, $comment->format);
+ $comment->signature = check_markup($comment->signature, $comment->signature_format, FALSE);
 }
 else {
 $comment->signature = '';
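Review bot: The new `check_markup()` call assumes `$comment->signature_format` is set, and the trailing `FALSE` is a bare boolean whose meaning is invisible at the call site; both deserve a line above the `+` line. The property is populated only by the four comment queries edited in this commit, so a `$comment` built by any other query reaches here with it unset and `check_markup()` receives `NULL` — and after the `drupal_error_handler` change in this commit, without a logged notice to show for it. `$format = isset($comment->signature_format) ? $comment->signature_format : FILTER_FORMAT_DEFAULT;` makes the fallback explicit, and the flag wants a comment such as `// FALSE: presumably skips the viewer's own filter_access() check, since the format was chosen by the signature's author — confirm against check_markup().`. `user_comment` starts before and continues after this hunk.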