Downloads
Release notes
This is a hotfix release for a regression affecting some Drush installations that was introduced by the fix for SA-CORE-2019-002. No other fixes are included.
If you continue to experience issues with Drush following this update, try the following:
- Run
update.php
to ensure database updates are completed and to clear the site cache safely without Drush. - Check the site status report to confirm that 7.63 was successfully installed.
- Test Drush again. If issues persist, try updating to Drush 8.1.18 or installing Drush with Composer. Additional troubleshooting steps can be found in #3026560: After upgrade to 7.63, 8.5.10, 8.6.7, 9.4.0 get TYPO3 phar error for drush.
Important update information
-
The
.phar
file extension has been added to Drupal's dangerous extensions list, which means that any such file uploaded to a Drupal file field will automatically be converted to a text file (with the.txt
extension) to prevent it from being executed. This is similar to how Drupal handles file uploads with a.php
extension. -
No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.
-
The replacement stream wrapper needed to resolve Drupal Core - Remote code execution - SA-CORE-2018-002 is not compatible with PHP versions lower than 5.3.3. For sites using lower PHP versions, the built-in phar stream wrapper has been disabled rather than replaced. Drupal 7 sites using PHP 5.2 (or PHP 5.3.0-5.3.2) that require phar support will need to re-enable the stream wrapper for it; however, note that re-enabling the stream wrapper will re-enable the insecure PHP behavior on those PHP versions.
It is very uncommon to both be running a PHP version lower than 5.3.3 and to need phar support. If you're in that situation, consider upgrading your PHP version instead of restoring insecure phar support.
Known issues
- #3026560: After upgrade to 7.63, 8.5.10, 8.6.7, 9.4.0 get TYPO3 phar error for drush
- #3026470: ArchiveTar is throwing fatal error
- #3026443: \Drupal\Core\Security\PharExtensionInterceptor is incompatible with GeoIP and other libraries that use phar aliases or Phar::mapPhar()
- #3026445: [D7] PHP 5.3.0-5.3.5 gives notice for debug_backtrace() call in PharWrapper