Release info

Created by: David_Rothstein
Created on: August 6, 2014 - 17:31
Last updated: January 11, 2016 - 21:45
Core compatibility: 7.x
Release type: Security update

Release notes

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

Known issues:


Major changes since 7.30:

  1. As of this release, the XML-RPC system in Drupal core will ignore information in <?xml> declarations contained within XML-RPC messages (for example, XML version or character encoding information). This is not expected to matter for the vast majority of use cases.
  2. The XML-RPC system and OpenID XRDS parser will also reject messages that contain over 30,000 XML tags within them. This limit is not expected to matter for the vast majority of use cases. If you need to process an XML-RPC message that is larger than that, you can change the limit by setting the "xmlrpc_message_maximum_tag_count" variable to a higher value. For example, in settings.php:

      // Allow XML-RPC messages with up to 50,000 XML tags to be processed.
      $conf['xmlrpc_message_maximum_tag_count'] = 50000;

    Do not set the value higher than you need, since allowing too many XML tags per XML-RPC message increases your site's vulnerability to denial of service attacks.

    The OpenID XRDS parser has a similar variable ("openid_xrds_maximum_tag_count") which can be used in a similar way.
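
The two behaviours described above can be sketched as a stand-alone pre-parse check. This is an added example, not Drupal core's code: the function name, the sample messages, and the use of a "<" count as the tag count are assumptions made for illustration.

```php
<?php
// Added illustration only; not Drupal core code. All names are hypothetical.

/**
 * Applies the two checks from the release notes to a raw XML message.
 *
 * @return string|false
 *   The message with its XML declaration removed, or FALSE when the message
 *   holds more tags than $max_tags (or cannot be processed).
 */
function example_xml_precheck($message, $max_tags = 30000) {
  // Drop a leading XML declaration so the version and character encoding
  // it names never reach the parser.
  $message = preg_replace('/^\s*<\?xml\b.*?\?>/s', '', $message, 1);
  if ($message === NULL) {
    // preg_replace() signals an internal error with NULL; fail closed.
    return FALSE;
  }

  // Assumption: every tag starts with "<", so counting that byte gives a
  // cheap upper bound on the tag count before any parsing work is done.
  if (substr_count($message, '<') > $max_tags) {
    return FALSE;
  }
  return $message;
}

// Constructed sample: a small XML-RPC call carrying an XML declaration.
$small = '<?xml version="1.0" encoding="UTF-8"?>'
  . '<methodCall><methodName>system.listMethods</methodName></methodCall>';

// Constructed sample: 20,000 empty elements, which is 40,000 opening and
// closing tags plus the four wrapper tags.
$large = '<methodCall><params>'
  . str_repeat('<param></param>', 20000)
  . '</params></methodCall>';

// Declaration stripped, message accepted.
var_dump(example_xml_precheck($small));
// Checked against the default limit of 30,000 tags.
var_dump(example_xml_precheck($large));
// Checked against a raised limit, as in the settings.php example above.
var_dump(example_xml_precheck($large, 50000) !== FALSE);
```

Rejecting on a byte count before the parser runs keeps the cost of an oversized message proportional to its length, which is why the limit should stay as low as the site's legitimate traffic allows.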