diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 8b1d074ff34..caa00daabcd 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,11 @@
+Drupal 6.46 LTS, 2018-10-17
+---------------------------------------
+- Fixed security issues (open redirect), backport. See SA-CORE-2018-006.
+
+Drupal 6.45 LTS, 2018-10-04
+---------------------------------------
+- Initial support for PHP 7.2.
+
 Drupal 6.44 LTS, 2018-04-25
 ---------------------------------------
 - Fixed security issues (remote code execution), backport. See SA-CORE-2018-004.
diff --git a/includes/common.inc b/includes/common.inc
index 29e0df0a656..de895897edd 100644
--- a/includes/common.inc
+++ b/includes/common.inc
@@ -1540,6 +1540,10 @@ function url($path = NULL, $options = array()) {
 }
 elseif (!empty($path) && !$options['alias']) {
 $path = drupal_get_path_alias($path, isset($options['language']) ? $options['language']->language : '');
+ // Strip leading slashes from internal paths to prevent them becoming external
+ // URLs without protocol. /example.com should not be turned into
+ // //example.com.
+ $path = ltrim($path, '/');
 }
 
 if (function_exists('custom_url_rewrite_outbound')) {
diff --git a/modules/system/system.module b/modules/system/system.module
index 825ed4132f9..51771c9e4a7 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '6.45');
+define('VERSION', '6.46');
 
 /**
 * Core API compatibility.
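Review bot: In the url() hunk of includes/common.inc, the new `$path = ltrim($path, '/');` runs only inside the `elseif (!empty($path) && !$options['alias'])` branch, so a path passed with `$options['alias']` set skips the normalisation, and so does anything `custom_url_rewrite_outbound()` does to the path afterwards. The rest of url() is outside the hunk, so this is inferred: if the base path is later prefixed directly onto `$path`, those two routes could still produce a protocol-relative `//host` URL. It would be more robust to apply the same `ltrim($path, '/')` once more after the outbound rewrite, just before the internal URL is assembled. The added comment would also be clearer if it stated that the leading slash comes from the value returned by `drupal_get_path_alias()`. That tells maintainers that the fix is output-side only and that aliases already stored with a leading slash remain in place and are worth auditing.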