This release fixes security vulnerabilities. Customers using Drupal 7 are urged to upgrade immediately after reading the notes below and the security announcement:
- Drupal Core – Third-party libraries – SA-CORE-2019-001
- Drupal Core – Remote code execution – SA-CORE-2019-002
No other fixes are included.
Important update information
<span class="token punctuation">.</span>phar
file extension has been added to Drupal’s dangerous extensions list, which means that any such file uploaded to a Drupal file field will automatically be converted to a text file (with the<span class="token punctuation">.</span>txt
extension) to prevent it from being executed. This is similar to how Drupal handles file uploads with a<span class="token punctuation">.</span>php
- No changes have been made to the .htaccess, web.config, robots.txt or default settings.php files in this release, so upgrading custom versions of those files is not necessary.
- The replacement stream wrapper needed to resolve Drupal Core – Remote code execution – SA-CORE-2018-002 is not compatible with PHP versions lower than 5.3.3. For sites using lower PHP versions, the built-in phar stream wrapper has been disabled rather than replaced. Drupal 7 sites using PHP 5.2 (or PHP 5.3.0-5.3.2) that require phar support will need to re-enable the stream wrapper for it; however, note that re-enabling the stream wrapper will re-enable the insecure PHP behavior on those PHP versions.