diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index d05187d228ec480d0bd674e2928d410ee8784b6d..350b395baa45d83866abe2f2c6713689df4ac2d9 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,7 +1,10 @@
// $Id$
-Drupal 4.7.11, xxxx-xx-xx
+Drupal 4.7.11, 2008-01-10
-------------------------
+- fixed a security issue (Cross site request forgery), see SA-2008-005
+- fixed a security issue (Cross site scripting, UTF8), see SA-2008-006
+- fixed a security issue (Cross site scripting, register_globals), see SA-2008-007
Drupal 4.7.10, 2007-12-06
-------------------------
diff --git a/INSTALL.txt b/INSTALL.txt
index 7415505e7223697e6724aa55ebe3c2bf5ba87c1a..9210283bcb43e4eada76f8cb005164acf0a110d3 100644
--- a/INSTALL.txt
+++ b/INSTALL.txt
@@ -13,7 +13,7 @@ CONTENTS OF THIS FILE
REQUIREMENTS
------------
-Drupal requires a web server, PHP4 (4.3.3 or greater) or PHP5
+Drupal requires a web server, PHP4 (4.3.5 or greater) or PHP5
(http://www.php.net/) and either MySQL (http://www.mysql.com/)
or PostgreSQL (http://www.postgresql.org/). Your database user
will also need sufficient privileges to run Drupal. Please
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index c322f54f2ef368fbc32d090189f6ff608dfb1cc1..26d4e17873d616b772f5094b2e65304118ba7d77 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -610,9 +610,49 @@ function referer_uri() {
/**
* Encode special characters in a plain-text string for display as HTML.
+ *
+ * Uses drupal_validate_utf8 to prevent cross site scripting attacks on
+ * Internet Explorer 6.
+ *
*/
function check_plain($text) {
- return htmlspecialchars($text, ENT_QUOTES);
+ return drupal_validate_utf8($text) ? htmlspecialchars($text, ENT_QUOTES) : '';
+}
+
+/**
+ * Checks whether a string is valid UTF-8.
+ *
+ * All functions designed to filter input should use drupal_validate_utf8
+ * to ensure they operate on valid UTF-8 strings to prevent bypass of the
+ * filter.
+ *
+ * When text containing an invalid UTF-8 lead byte (0xC0 - 0xFF) is presented
+ * as UTF-8 to Internet Explorer 6, the program may misinterpret subsequent
+ * bytes. When these subsequent bytes are HTML control characters such as
+ * quotes or angle brackets, parts of the text that were deemed safe by filters
+ * end up in locations that are potentially unsafe; An onerror attribute that
+ * is outside of a tag, and thus deemed safe by a filter, can be interpreted
+ * by the browser as if it were inside the tag.
+ *
+ * This function exploits preg_match behaviour (since PHP 4.3.5) when used with
+ * the u modifier as a fast way to find invalid UTF-8. When the matched string
+ * contains invalid byte sequences, it will fail silently.
+ *
+ * preg_match may not fail on 4 and 5 octet sequences, even though they
+ * are not supported by the specification.
+ *
+ * The specific preg_match behaviour is present
+ *
+ * @param $text
+ * The text to check.
+ * @return
+ * TRUE if the text is valid UTF-8, FALSE if not.
+ */
+function drupal_validate_utf8($text) {
+ if (strlen($text) == 0) {
+ return TRUE;
+ }
+ return (preg_match('/^./us', $text) == 1);
}
/**
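Review bot: The drupal_validate_utf8() docblock ends with the unfinished sentence `The specific preg_match behaviour is present`, which should be completed or dropped before release. Because the check depends on the `u` modifier, the deployment caveat a practitioner will want is that on a PHP build whose PCRE lacks UTF-8 support preg_match() with `/u` fails for every input, so check_plain() (and any caller that reuses this helper) would then emit '' for all text — the INSTALL.txt bump to PHP 4.3.5 covers the preg_match return behaviour but, as far as I can see, not PCRE's UTF-8 support. I would replace the stray line with `* Note: requires PCRE built with UTF-8 support; without it preg_match() with the u modifier fails for every string and all escaped output is emptied.` It is also worth stating in check_plain()'s docblock that invalid input is silently replaced by an empty string rather than escaped, since callers cannot tell that apart from empty input.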
diff --git a/modules/aggregator.module b/modules/aggregator.module
index 7c08967affdcca8525acc914ce481539f52bf010..dc9e822714825d7f960aba1f2acfd48351c570d6 100644
--- a/modules/aggregator.module
+++ b/modules/aggregator.module
@@ -995,12 +995,30 @@ function aggregator_view() {
return $output;
}
+function aggregator_admin_remove_feed($fid) {
+ $feed = aggregator_get_feed($fid);
+ return confirm_form(
+ 'aggregator_admin_remove_feed',
+ array(
+ 'feed' => array(
+ '#type' => 'value',
+ '#value' => $feed,
+ ),
+ ),
+ t('Are you sure you want to remove all items from the feed %feed?', array('%feed' => theme('placeholder', $feed['title']))),
+ 'admin/aggregator',
+ t('This action cannot be undone.'),
+ t('Remove items'),
+ t('Cancel')
+ );
+}
+
/**
- * Menu callback; removes all items from a feed, then redirects to the overview page.
+ * Remove all items from a feed and redirect to the overview page.
*/
-function aggregator_admin_remove_feed($feed) {
- aggregator_remove(aggregator_get_feed($feed));
- drupal_goto('admin/aggregator');
+function aggregator_admin_remove_feed_submit($form_id, $form_values) {
+ aggregator_remove($form_values['feed']);
+ return 'admin/aggregator';
}
/**
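Review bot: aggregator_admin_remove_feed() stores whatever aggregator_get_feed($fid) returns in the form and, on submit, hands it straight to aggregator_remove() without checking that a feed was found, so a request with an unknown fid presumably renders a confirmation for an empty title and then runs the removal against a non-existent feed (aggregator_get_feed()'s return value for a missing fid is not visible here). A guard such as `if (!$feed) { drupal_not_found(); return; }` before the confirm_form() call would close that. Moving the removal behind a confirm form does address the CSRF issue, presumably via the form token the form API adds; the menu wiring and access check that reach this callback are outside the hunk, so I could not confirm them.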
diff --git a/modules/filter.module b/modules/filter.module
index 5beb731d4ad078666ddc8809bb860ec63d5554d0..4715342fe122236dfc8b0c17a041ec2967082579 100644
--- a/modules/filter.module
+++ b/modules/filter.module
@@ -1135,6 +1135,11 @@ function filter_xss_admin($string) {
* The format to use.
*/
function filter_xss($string, $allowed_tags = array('a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li', 'dl', 'dt', 'dd')) {
+ // Only operate on valid UTF-8 strings. This is necessary to prevent cross
+ // site scripting issues on Internet Explorer 6.
+ if (!drupal_validate_utf8($string)) {
+ return '';
+ }
// Store the input format
_filter_xss_split($allowed_tags, TRUE);
// Remove NUL characters (ignored by some browsers)
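Review bot: The early return changes filter_xss()'s contract — invalid UTF-8 now yields an empty string instead of a filtered one — but the docblock above (whose start is outside the hunk) is not updated, and its trailing `@param` text `The format to use.` does not describe either parameter of the visible signature. I would add `@return The filtered string, or an empty string if $string is not valid UTF-8.` so callers know the silent drop is deliberate and not a filtering bug. The rest of filter_xss()'s body continues past the hunk.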
diff --git a/modules/system.module b/modules/system.module
index b65df1d2208efedf2777ab60e5126a0d749d2326..37e118d58527eb1a4d745bd4782f14b6f9c1d350 100644
--- a/modules/system.module
+++ b/modules/system.module
@@ -6,7 +6,7 @@
* Configuration system that lets administrators modify the workings of the site.
*/
-define('VERSION', '4.7.11-dev');
+define('VERSION', '4.7.11');
/**
* Implementation of hook_help().
diff --git a/modules/watchdog.module b/modules/watchdog.module
index f4fd83bc68effc7f20d45b31ec3d5ad4807cc456..43cd0c79f43a598bb4e99d831af7a5ce47cabea7 100644
--- a/modules/watchdog.module
+++ b/modules/watchdog.module
@@ -74,6 +74,9 @@ function watchdog_user($op, &$edit, &$user) {
* Menu callback; displays a listing of log messages.
*/
function watchdog_overview() {
+ if (ini_get('register_globals')) {
+ drupal_set_message(t('register_globals is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when register_globals is enabled. The PHP manual has instructions for how to change configuration settings.'), 'error');
+ }
$icons = array(WATCHDOG_NOTICE => '',
WATCHDOG_WARNING => theme('image', 'misc/watchdog-warning.png', t('warning'), t('warning')),
WATCHDOG_ERROR => theme('image', 'misc/watchdog-error.png', t('error'), t('error')));
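Review bot: The register_globals warning is raised only inside watchdog_overview(), so an administrator who never opens the log page never learns the site is running in a configuration this release describes as insecure; surfacing the same check on a page administrators routinely visit, such as the site settings form, would reach more of them, though where that belongs is outside this hunk. The message also tells the reader that the PHP manual has instructions without linking to them; since 4.7's t() leaves the string as-is, a plain anchor to the relevant manual page inside the message would work if a link is wanted. The truthiness test on ini_get() is fine in practice because PHP reports boolean ini values as "1" or ""/"0", but that is worth a one-line comment so nobody later "fixes" it to a string comparison.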