Drupal 6.33
6 August 2014
Drupal version 6.33 is now available (security release).
Upgrading to Drupal 6.33
Drupal 6.33 can be installed, or upgraded to, using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply Drupal updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing Drupal install and test the 6.33 upgrade before applying it to the live site. Get started managing your Drupal installations with Installatron.
What's New in Drupal 6.33
This release fixes security vulnerabilities.
Security:
- As of this release, the XML-RPC system in Drupal core ignores the XML declaration contained in XML-RPC messages (for example, the declared XML version or character encoding). This is not expected to matter for the vast majority of use cases.
- The XML-RPC system and the OpenID XRDS parser also reject messages that contain more than roughly 30,000 XML tags. This limit is not expected to matter for the vast majority of use cases. It is only an approximate limit, since Drupal 6 cannot efficiently count the exact number of XML tags. If you need to process an XML-RPC message with more tags than that, you can raise the limit by setting the "xmlrpc_message_maximum_tag_count" variable to a higher value. Do not set the value higher than you need, since allowing too many XML tags per XML-RPC message increases your site's exposure to denial of service attacks. The OpenID XRDS parser has a similar variable ("openid_xrds_maximum_tag_count") which can be used in the same way.
- As a consequence of the security fixes in this release, sites using the OpenID module will reject login attempts from OpenID servers which return an XRDS file with a declared DOCTYPE (due to the possibility of malicious DOCTYPE declarations). A DOCTYPE declaration is not part of the OpenID specification, so this is not expected to cause any problems for valid OpenID servers (this is also the same restriction that was earlier added to Drupal 7 to fix a different security issue; see SA-CORE-2012-003 and the Drupal 7.16 release notes). However, sites using unusual or custom OpenID servers may wish to test OpenID logins before deploying this release.
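The following PHP is an added illustration of the kind of pre-parse guard the three notes above describe (discard the XML declaration, reject any DOCTYPE, cap the approximate tag count). It is not Drupal's own code from xmlrpc.inc or the OpenID module; the function name guard_xml_message(), the sample messages, and the variable_get() fallback that lets the file run outside Drupal are all assumptions made for this example. The variable names and the 30,000 default are the ones stated in the release notes.

```php
<?php
// Added example, not Drupal core code. Mirrors the behaviour described in the
// 6.33 release notes: ignore the XML declaration, reject DOCTYPE, cap tag count.

if (!function_exists('variable_get')) {
  // Stand-in for Drupal 6's variable_get() so this file runs outside Drupal.
  // Inside Drupal the real function returns the stored override, if any.
  function variable_get($name, $default) {
    return $default;
  }
}

/**
 * Returns the XML body that is acceptable to pass to a parser, or FALSE.
 *
 * @param string $xml
 *   Raw request or XRDS body.
 * @param string $limit_variable
 *   Name of the Drupal variable holding the tag limit; the release notes name
 *   'xmlrpc_message_maximum_tag_count' and 'openid_xrds_maximum_tag_count'.
 */
function guard_xml_message($xml, $limit_variable = 'xmlrpc_message_maximum_tag_count') {
  $xml = trim($xml);

  // Discard a leading XML declaration so the version/encoding it claims has
  // no influence on parsing. Only the first declaration is touched.
  $xml = ltrim(preg_replace('/^<\?xml[^>]*\?>/i', '', $xml, 1));

  // Reject any document carrying a DOCTYPE: a DTD can define entities, and
  // entity expansion is the usual route to parser denial of service.
  if (stripos($xml, '<!DOCTYPE') !== FALSE) {
    return FALSE;
  }

  // Approximate tag count: every opening and closing tag begins with '<', so
  // counting that character is cheap and never undercounts real tags, at the
  // cost of overcounting comments or CDATA that happen to contain '<'.
  $max_tags = (int) variable_get($limit_variable, 30000);
  if (substr_count($xml, '<') > $max_tags) {
    return FALSE;
  }

  return $xml;
}

// Constructed sample inputs for demonstration.
$benign = '<?xml version="1.0" encoding="UTF-8"?>'
  . '<methodCall><methodName>system.listMethods</methodName><params/></methodCall>';

$with_doctype = '<?xml version="1.0"?><!DOCTYPE methodCall>'
  . '<methodCall><methodName>system.listMethods</methodName></methodCall>';

// 20,000 repetitions of a 4-tag fragment: 80,000 '<' characters, above 30,000.
$oversized = '<methodCall><methodName>x</methodName><params><param><value><array><data>'
  . str_repeat('<value><int>1</int></value>', 20000)
  . '</data></array></value></param></params></methodCall>';

foreach (array('benign' => $benign, 'doctype' => $with_doctype, 'oversized' => $oversized) as $label => $body) {
  $result = guard_xml_message($body);
  printf("%-10s %s\n", $label, $result === FALSE ? 'rejected' : 'accepted (' . strlen($result) . ' bytes)');
}
```

Running this prints "accepted" for the benign message (with its XML declaration stripped) and "rejected" for the DOCTYPE and oversized cases. In a real Drupal 6 site the limit is raised, if genuinely required, through the variable system rather than by editing code, for example with `$conf['xmlrpc_message_maximum_tag_count'] = 60000;` in settings.php or `variable_set()` from a module; keep it as low as your legitimate traffic allows, for the reason the release notes give.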