The Drupal project has released version 4.6.3 of its open-source content management platform. Drupal 4.6.3 is a maintenance release that fixes problems reported using the bug tracking system. Drupal 4.6.3 also fixes a new security vulnerability in the third-party XML-RPC library that Drupal ships with. Since the same bug is also present in the Drupal 4.5 series, Drupal 4.5.5 is released as well. If you cannot upgrade at once, we strongly suggest that you remove the xmlrpc.php file from your Drupal installation's root directory. The xmlrpc.php file is used only for Drupal to receive XML-RPC calls.
Upgrading your existing Drupal sites is strongly recommended; otherwise your site may be compromised by malicious persons.
There are no new features in these releases. For more information about the Drupal 4.6.x release series, please consult the Drupal 4.6.0 release announcement.
- Drupal 4.6.3 can be downloaded from http://drupal.org/files/projects/drupal-4.6.3.tar.gz.
- Drupal 4.5.5 can be downloaded from http://drupal.org/files/projects/drupal-4.5.5.tar.gz.
To fix this problem, you can (1) upgrade Drupal, (2) patch Drupal, or (3) remove xmlrpc.php.
- To upgrade Drupal, follow the instructions in INSTALL.txt and consult the information below.
- To patch Drupal 4.6.2 to Drupal 4.6.3, use the patch below:
- To patch Drupal 4.5.4 to Drupal 4.5.5, use the patch below:
- The file xmlrpc.php is in the same directory as the index.php file. Removing it will disable the use of desktop blogging applications.
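For sites that cannot upgrade immediately, the following shell script is an added example (not part of the announcement or the Drupal project) of applying option (3): it locates the web root by the presence of index.php, moves xmlrpc.php out of it so inbound XML-RPC calls are no longer served, and reports whether the file is still exposed. The backup directory and the use of mv rather than rm are this example's own choices, so the file can be restored after the upgrade to 4.6.3 or 4.5.5.

```shell
#!/bin/sh
# Added example (not from the Drupal announcement): temporary mitigation for a
# Drupal 4.6.x / 4.5.x site that cannot be upgraded at once. The advisory says
# xmlrpc.php sits beside index.php in the web root; removing it disables the
# XML-RPC receiver (and therefore desktop blogging clients) until the upgrade.

# disable_xmlrpc <docroot> <backup_dir>
# Moves xmlrpc.php out of the web root into backup_dir (assumed path, created
# if needed). Returns 0 when the file was moved or was already absent, 1 when
# docroot does not look like a Drupal web root.
disable_xmlrpc() {
    docroot=$1
    backup=$2
    if [ ! -f "$docroot/index.php" ]; then
        echo "error: $docroot has no index.php; not a Drupal web root" >&2
        return 1
    fi
    if [ ! -e "$docroot/xmlrpc.php" ]; then
        echo "xmlrpc.php already absent from $docroot"
        return 0
    fi
    mkdir -p "$backup"
    # mv instead of rm so the file can be restored after upgrading to a fixed release.
    mv "$docroot/xmlrpc.php" "$backup/xmlrpc.php.$(date +%Y%m%d%H%M%S)"
    echo "moved xmlrpc.php out of $docroot; XML-RPC receiver disabled"
}

# xmlrpc_status <docroot>
# Prints "exposed" while xmlrpc.php is still served from the web root, "disabled" otherwise.
xmlrpc_status() {
    if [ -e "$1/xmlrpc.php" ]; then
        echo exposed
    else
        echo disabled
    fi
}

# Example invocation with an assumed web root; adjust for the real installation.
# disable_xmlrpc /var/www/drupal /var/backups/drupal-xmlrpc
# xmlrpc_status /var/www/drupal
```

Run xmlrpc_status after the upgrade as well: once 4.6.3 or 4.5.5 is in place, the file is safe to restore from the backup directory if desktop blogging clients are needed.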
The official security advisory can be found at http://drupal.org/sa-2005-004/advisory.txt.
The most important bug fixes since Drupal 4.6.2 include:
- Patch #27864: Correctly distinguish 403s from 404s for nodes.
- Patch #23560: Sort watchdog date by wid to ensure unique ordering.
- Patch #24030: Category selection does not work with Movable Type blogapi.
- Patch #23750: Use the creation date rather than the update date in RSS feeds.
- Patch #27863: Fixed order of parameters passed to imagecopy(). Could result in black images.
- Patch #26822: Fix logo upload being broken.
- Fixed a security bug in the XML-RPC libraries.
A complete list of all bug fixes in the stable DRUPAL-4-6 branch can be found at http://drupal.org/cvs/drupal/?branch=DRUPAL-4-6.
For the most trouble-free transition from an existing installation, it is recommended that you first upgrade to Drupal 4.6.2. If you are upgrading from Drupal 4.5.x or below, please consult the Drupal 4.6.0 release announcement, the Drupal 4.6.1 release announcement, and the Drupal 4.6.2 release announcement for more information. To upgrade from Drupal 4.6.2, upload all of the files and directories in the Drupal 4.6.3 package to your webserver, replacing older copies of the files. As with any upgrade, it is a good idea to back up your site and database first.
No API or database changes have been made since Drupal 4.6.2, so all contributed themes and modules that work for 4.6.0, 4.6.1, and 4.6.2 will work with 4.6.3 as long as they do not use the XML-RPC libraries. If they do, they need to be updated by their respective maintainers and the new version installed by you, the user. Known examples are the FOAF and the location modules.
Important note: there are reports that if you have previously patched from 4.6.1 to 4.6.2, this patch won't apply. See this topic for more information. We will keep you updated.
- Fri, 12 Aug 2005 21:15: Stefan Esser of the Hardened PHP project reports the vulnerability to Drupal and other PHP projects using the XML-RPC library. He plans a coordinated release of all affected projects for next week.
- Sun, 14 Aug 2005 22:40: Stefan Esser reports that the coordinated release was spoiled because information about the security issue was leaked to the public.
- Sun, 14 Aug 2005 23:38: The Drupal Security Team starts coordinated work on a new release via the security mailing list and IRC.
- Mon, 15 Aug 2005 03:45: Drupal 4.6.3 and Drupal 4.5.5 are released.