SA-CORE-2016-003

[catch56]

While Drupal 6 wasn't vulnerable to SA-CORE-2016-003 because it's not using guzzle. Tag1 decided to backport this fix for hardening as part of our D6LTS program.

There are a couple of things to sort out though:

• This PR updates the core version to 6.38-p1. Otherwise there's no way to differentiate between a patch and unpatched release. We didn't want to update to 6.39 because theoretically that could still exist one day

[pwolanin]

I think we should put this patch into the d.o LTS repo also and bump the core version to 6.39

I'm not sure -p1 will work with update status?

[catch56]

Update status shows everything 6.x as insecure, so it won't make any difference there. I'm really not sure either way about bumping to 6.39

I opened an issue against the dt6lts project at the same time as opening this PR: https://www.drupal.org/node/2782785

[memtkmcc]

This mitigation may help only Apache users, while for Nginx users it will only cause confusion and false alarm (plus false solution), because they don't have .htaccess and need other mitigation methods, like https://github.com/omega8cc/provision/commit/5133c92dd83a70ab5fc07a8b8be1a60a1cb11eb3

Therefore I don't think it deserves D6 core version bump, because the mitigation in this PR has nothing to do with Drupal core, only with web server specific configuration.

[pwolanin]

Looks like we could still apply the .htaccess fix if desired. It's clearly an edge case.