- Patch #395340 by c960657: critical bug: enforce e-mail verification with OpenID auto-registration.

- Patch #656782 by effulgentsia: critical bug: ajax_process_form() results in settings being returned for elements that aren't re-rendered as part of the AJAX request.

- Patch #669794 by andypost, Josh Waihi, aspilicious: critical task: use savepoints for nested transactions.

- Patch #458704 by markus_petrux, tic2000: don't automatically remove 'www.' from admin-set cookie domains.

- Patch #685784 by alexj, sun: 'Create new revision' setting for content type isn't used in node edit form.

- Patch #619584 by sivaji, mr.baileys, David_Rothstein, gcopenhaver: deleting a user role throws PHP notices and prevents delete operation.

- Patch #728278 by c960657: openid_complete() should normalize ['openid.claimed_id()'] before discovery. With better tests.

#730220 follow-up by pwolanin: Fix fragile Contact module test caused by use of randomString() vs. randomName().

- Patch #735808 by fago: fix multiple field value form to work with form API persistence. Added tests.

- Patch #248598 by David_Rothstein, pwolanin, aspilicious: improved warning about dangerous permissions.

- Patch #443514 by casey, sun: stylesheet override logic prevents loading of stylesheets of third-party libraries.