The Drupal development team have released a maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Customers using Drupal 7 are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Important update information

  • The .phar file extension has been added to Drupal’s dangerous extensions list, which means that any such file uploaded to a Drupal file field will automatically be converted to a text file (with the .txt extension) to prevent it from being executed. This is similar to how Drupal handles file uploads with a .php extension.
  • No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.
  • The replacement stream wrapper needed to resolve Drupal Core – Remote code execution – SA-CORE-2018-002 is not compatible with PHP versions lower than 5.3.3. For sites using lower PHP versions, the built-in phar stream wrapper has been disabled rather than replaced. Drupal 7 sites using PHP 5.2 (or PHP 5.3.0-5.3.2) that require phar support will need to re-enable the stream wrapper for it; however, note that re-enabling the stream wrapper will re-enable the insecure PHP behavior on those PHP versions.
Share on facebook
Share on google
Share on twitter
Share on linkedin