Download drupal-6.33.tar.gztar.gz 1.05 MB
MD5: 33d738678f81a86d9e31ae8af23b45e5
SHA-1: c608ef05de35ddbef12565d0f7ad6bea23986b02
SHA-256: 952f9bd6b22058fe8f9c90c0ac96bd695a673306331269a79c7e19e38fd047eb
Download drupal-6.33.zipzip 1.22 MB
MD5: 5d0a2e3803a183b5c7c5c0e624aa89d7
SHA-1: 0a98db126dbb3b77dd34376196abf3767e5ef2bd
SHA-256: 9e29b8adadfe5fb4aa5eca2395be9892eabd447a74085d7c942f4efce15697b4

Release info

Created by: David_Rothstein
Created on: 6 Aug 2014 at 17:30 UTC
Last updated: 4 Mar 2016 at 17:27 UTC
Core compatibility: 6.x
Release type: Security update

Release notes

Maintenance and security release of the Drupal 6 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

No changes have been made to the .htaccess, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

Known issues:


Major changes since 6.32:

  1. As of this release, the XML-RPC system in Drupal core will ignore information in <?xml> declarations contained within XML-RPC messages (for example, XML version or character encoding information). This is not expected to matter for the vast majority of use cases.
  2. The XML-RPC system and OpenID XRDS parser will also reject messages that contain over ~30,000 XML tags within them. This limit is not expected to matter for the vast majority of use cases. It is also only an approximate limit, since Drupal 6 is not capable of efficiently counting the exact number of XML tags. If you need to process an XML-RPC message that is larger than that, you can change the limit by setting the "xmlrpc_message_maximum_tag_count" variable to a higher value. For example, in settings.php:
      // Allow XML-RPC messages with up to ~50,000 XML tags to be processed.
      $conf['xmlrpc_message_maximum_tag_count'] = 50000;

    Do not set the value higher than you need, since allowing too many XML tags per XML-RPC message increases your site's vulnerability to denial of service attacks.

    The OpenID XRDS parser has a similar variable ("openid_xrds_maximum_tag_count") which can be used in a similar way.

  3. As a consequence of the security fixes in this release, sites using the OpenID module will reject login attempts from OpenID servers which return an XRDS file with a declared DOCTYPE (due to the possibility of malicious DOCTYPE declarations). A DOCTYPE declaration is not part of the OpenID specification, so this is not expected to cause any problems for valid OpenID servers (this is also the same restriction that was earlier added to Drupal 7 to fix a different security issue; see SA-CORE-2012-003 and the Drupal 7.16 release notes). However, sites using unusual or custom OpenID servers may wish to test OpenID logins before deploying this release.