Download drupal-7.43.tar.gztar.gz 3.11 MB
MD5: c6fb49bc88a6408a985afddac76b9f8b
SHA-1: 2979eb3ce141bb11a743e39ed6428d3728a05d01
SHA-256: 468c1e5864ad6a86e760108f0cb0eac6bf004a198c49e77117b99af31e31b16a
Download drupal-7.43.zipzip 3.59 MB
MD5: 49d9161acc25163c1a931bcf8ef516cd
SHA-1: 190163a2cfdf5dfa68e8530495fd4097b339b4cc
SHA-256: 8b61ce2c320e9d47c0dafbe7ca921c1ff6faf88eca2cc369e6242f6ae976a983

Release info

Created by: David_Rothstein
Created on: 24 Feb 2016 at 19:33 UTC
Last updated: 15 Jun 2016 at 20:26 UTC
Core compatibility: 7.x
Release type: Security update

Release notes

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.

Known issues:

Major changes since 7.42:

  • The File module has changed to prevent users from reusing other users' temporary uploaded files in other content, and anonymous users can no longer reuse temporary uploaded files at all. (This was not a supported use case since temporary files are those that the original user uploaded to the server but has not yet chosen to save.) This could have a minor effect on media management modules if the module provides listings of temporary files with the intention that they can be reused.

    In addition (see the "Known issues" section above) this change has caused some problems with modules that allow anonymous users to upload files. A common theme is that modules which create or alter managed file form widgets may need to adjust their code to ensure that the #default_value property on the widget is set correctly (to reflect the current file that has been uploaded and that is being displayed in the form). This is generally good practice but was not previously strictly enforced; now, in the case of anonymous users, the File module in Drupal core sometimes relies on #default_value to know which file actually belongs there after an Ajax request.

  • The "system.multicall" method in Drupal's XML-RPC server has changed such that, by default, it only supports one call for each distinct RPC method (in other words, within a single XML-RPC request you may call four different methods but you can no longer call the same method four times). No changes have been made to Drupal's XML-RPC client code that is used for making XML-RPC requests from your site to other XML-RPC servers; this only affects calls from other servers to your Drupal site. This was not a commonly used feature, but if you have a use case that requires multiple calls to the same XML-RPC method in a single request, a new "xmlrpc_multicall_duplicate_method_limit" variable has been provided that allows you to do so. For example, in settings.php:
      // Allow the same method to be called up to 10 times in a single
      // "system.multicall" request.
      $conf['xmlrpc_multicall_duplicate_method_limit'] = 10;


      // Setting the variable to 0 or lower will remove the limit and restore the
      // prior behavior, although this also weakens protection against brute-force
      // attacks.
      $conf['xmlrpc_multicall_duplicate_method_limit'] = 0;