Maintenance and security release of the Drupal 6 series.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:
No other fixes are included.
No changes have been made to the .htaccess, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.
Major changes since 6.32:
- As of this release, the XML-RPC system in Drupal core will ignore information in <?xml> declarations contained within XML-RPC messages (for example, XML version or character encoding information). This is not expected to matter for the vast majority of use cases.
- The XML-RPC system and OpenID XRDS parser will also reject messages that contain over ~30,000 XML tags within them. This limit is not expected to matter for the vast majority of use cases. It is also only an approximate limit, since Drupal 6 is not capable of efficiently counting the exact number of XML tags. If you need to process an XML-RPC message that is larger than that, you can change the limit by setting the "xmlrpc_message_maximum_tag_count" variable to a higher value. For example, in settings.php:

  // Allow XML-RPC messages with up to ~50,000 XML tags to be processed.
  $conf['xmlrpc_message_maximum_tag_count'] = 50000;
Do not set the value higher than you need, since allowing too many XML tags per XML-RPC message increases your site's vulnerability to denial of service attacks.
The OpenID XRDS parser has a similar variable ("openid_xrds_maximum_tag_count") which can be used in a similar way.
- As a consequence of the security fixes in this release, sites using the OpenID module will reject login attempts from OpenID servers which return an XRDS file with a declared DOCTYPE (due to the possibility of malicious DOCTYPE declarations). A DOCTYPE declaration is not part of the OpenID specification, so this is not expected to cause any problems for valid OpenID servers (this is also the same restriction that was earlier added to Drupal 7 to fix a different security issue; see SA-CORE-2012-003 and the Drupal 7.16 release notes). However, sites using unusual or custom OpenID servers may wish to test OpenID logins before deploying this release.
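The two defensive checks described above (an approximate tag-count limit on XML-RPC and XRDS input, ignoring the <?xml> declaration, and rejecting XRDS documents that carry a DOCTYPE) can be illustrated with a small pre-parse screen. The following Python is an added example written for these notes; it is not Drupal's code, and the function names, the `reject_doctype` switch and the way tags are counted (every `<` that is not `<?` or `<!`, so start, end and self-closing tags all count, which is only an approximation like the one the notes describe) are assumptions of this example. The sample XML-RPC call is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Default mirrors the ~30,000 tag limit described in the release notes.
DEFAULT_MAX_TAG_COUNT = 30000


class XmlMessageRejected(ValueError):
    """Raised when a message fails the pre-parse sanity checks."""


# '<' that starts an element tag (start, end or self-closing). '<?' (XML
# declaration, processing instructions) and '<!' (DOCTYPE, comments, CDATA)
# are excluded. This is an approximate count, as in the release notes.
_TAG_OPEN = re.compile(r'<(?![?!])')
# Leading <?xml ... ?> declaration, whose version/encoding are to be ignored.
_XML_DECL = re.compile(r'^\s*<\?xml\b[^>]*\?>', re.IGNORECASE)
_DOCTYPE = re.compile(r'<!DOCTYPE', re.IGNORECASE)


def approximate_tag_count(xml_text):
    """Cheap, parser-free estimate of how many tags a document contains."""
    return len(_TAG_OPEN.findall(xml_text))


def strip_xml_declaration(xml_text):
    """Drop the <?xml ...?> declaration so its encoding/version are ignored."""
    return _XML_DECL.sub('', xml_text, count=1)


def screen_message(xml_text, max_tag_count=DEFAULT_MAX_TAG_COUNT,
                   reject_doctype=False):
    """Return the text to hand to the real XML parser, or raise.

    reject_doctype=True corresponds to the XRDS (OpenID) behaviour in the
    notes; XML-RPC screening only applies the tag-count limit. (Assumed
    parameter, not a Drupal setting.)
    """
    if reject_doctype and _DOCTYPE.search(xml_text):
        raise XmlMessageRejected('DOCTYPE declaration not allowed')
    count = approximate_tag_count(xml_text)
    if count > max_tag_count:
        raise XmlMessageRejected(
            'message contains ~%d tags, limit is %d' % (count, max_tag_count))
    return strip_xml_declaration(xml_text)


def is_rejected(xml_text, **limits):
    """True if screen_message() refuses the document under the given limits."""
    try:
        screen_message(xml_text, **limits)
    except XmlMessageRejected:
        return True
    return False


def parse_method_name(xml_text, **limits):
    """Screen, then parse, an XML-RPC methodCall and return its methodName."""
    root = ET.fromstring(screen_message(xml_text, **limits))
    name = root.find('methodName')
    return name.text if name is not None else None


# Constructed sample XML-RPC request (not taken from any real site).
SAMPLE_CALL = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    '<methodCall><methodName>system.listMethods</methodName>'
    '<params/></methodCall>'
)

if __name__ == '__main__':
    print('tags in sample:', approximate_tag_count(SAMPLE_CALL))
    print('method:', parse_method_name(SAMPLE_CALL))
    # A small limit shows the cut-off without building a huge document.
    oversized = '<methodCall>' + '<x/>' * 40 + '</methodCall>'
    print('oversized rejected:', is_rejected(oversized, max_tag_count=10))
    print('XRDS with DOCTYPE rejected:',
          is_rejected('<!DOCTYPE XRDS><XRDS/>', reject_doctype=True))
```

Because the count is taken on the raw text before any parser runs, the cost of the check is linear in the message size, which is the point: the expensive work of building a document tree only happens for input that has already passed the size gate. Raising `max_tag_count` widens that gate, which is why the notes advise keeping it no higher than your site actually needs.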