drupal 7.96 | Drupal.org

This is a non-production site

- Drupal Core Drupal CMS puts the power of Drupal into the hands of marketers, designers and content creators
- Drupal CMS Drupal CMS puts the power of Drupal into the hands of marketers, designers and content creators
- Drupal AI Open limitless possibilities with Drupal AI
- Case Studies Powerful stories that show Drupal solutions in the real world
- Drupal for Government Drupal is the open-source CMS that enables digital transformation of government and increases citizen engagement
- Drupal for Higher Education See why 70% of the world's leading universities chose Drupal
- Drupal for Nonprofit See why Drupal is the open-source CMS choice for some of the world’s most influential nonprofits
- Drupal for eCommerce Natively integrate content and commerce
- Drupal for FinTech Secure and trustworthy FinTech infrastructure
- Drupal for Healthcare Drupal powers systems that are secure, patient-centric and engaging
- Drupal for Media & Publishing Create engaging multi-channel experiences to connect with your audiences - everywhere
- Download Drupal Download Drupal and the extensions you need
- Documentation Full knowledgebase including Drupal 7 resources
- Getting Started Guide to installing Drupal on a server
- Local Development Guide Guide to installing Drupal locally with Docker and DDEV
- Developer Resources Step-by-step guide for learning Drupal
- Drupal User Guide Learn to build with Drupal
- API Complete documentation of Drupal Core APIs
- Modules Extend your project's functionality
- Themes Change your project's look and feel
- Distributions Jumpstart your project with a pre-configured install
- Issues Queue Report issues and contribute improvements
- Security Advisories Stay on top of the latest security alerts and updates
- Find a Drupal Certified Partner Connect with the best Drupal agencies around the world
- Become an Drupal Certified Partner Join an elite network of agencies committed to Drupal excellence and innovation
- Find a Hosting Provider Find a hosting provider for your Drupal project
- Find a Migration Partner Get help with your migration to the latest version of Drupal
- Find Training Upskill your Drupal team
- Drupal Steward Ensure your website is protected with Drupal Steward
- About the Community Come for the code, stay for the community
- How to Contribute Get involved in growing and evolving Drupal
- DrupalCon DrupalCon unites experts from around the globe who create ambitious digital experiences. Network, learn, and be inspired
- Events Discover local events, meet-ups, and training
- Jobs / Careers Find opportunities to work in Drupal
- News & Blogs News and stories about Drupal
- Forum Got a question about Drupal? Find answers on the Drupal forums
- Slack Get support and communicate with the global Drupal community
- Newsletters Sign up for Drupal news and manage your subscriptions
- Drupal Swag Shop Get your Drupal branded merch!
- The Drupal Association Learn how we support Drupal's growth and innovation - and how you can help
- Become a Member Become a Ripplemaker and support the Drupal Association
- Become a Drupal Certified Partner Join an elite network of agencies committed to Drupal excellence and innovation
- Donate Make a donation to the nonprofit that supports Drupal
- Log in
- Create account
- Try Drupal CMS
- Try hosting

Posted by xjm on April 19, 2023 at 4:22pm

This is a security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to update immediately after reading the notes below and the security announcements:

Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005

No other fixes are included.

Note that Drupal 7.97 was released as a hotfix shortly after this release.

Important update information

Changes to site-owner-managed files

Following this release, Drupal will block access to private files at certain specially crafted paths. Previous versions of Drupal allowed access to these paths, and in most cases blocking access is the correct behavior.

There may be some sites that rely on allowing access to these paths, or the changes in this release may cause other problems with file access. These sites can add the following line to settings.php:

$conf['file_sa_core_2023_005_schemes'] = array('private');

This will preserve the old behavior for files saved in the private files directory, using the private stream wrapper from Drupal core. Sites that need to preserve the old behavior for files using other stream wrappers, from contributed or custom modules, should list those stream wrappers instead of 'private'.

The comments in default.settings.php have additional information.

Using this setting will bypass the access checks added in this release, which may allow public access to files that are meant to be private. This setting is a temporary backward-compatibility layer for misconfigured sites. It will be removed in a future release since it is insecure.

VCS Label

7.96

Core compatibility

Release type

Security update

Short description

Supported until (at least) November 2023. Use this version for sites already running Drupal 7.

Packaged Git sha1

d5d2a01bb6de80b202e141278312ab2d376f3c63

Release files

4aa685e8eca141505867f8cbab48b72b

Release file SHA-1 hash

3c0d3343ecd55aa39609e3a0cfdb101ddaf6615d

Release file SHA-256 hash

dae4bab5dc0a15bad96abd7364bab349d3a94127dd54c1a0630c049e4f9de9b8

6237584d77b8b664bfb8dc56a8b412f8

Release file SHA-1 hash

66956d147c037d5f016e1d33d52f1b1ca18252cc

Release file SHA-256 hash

03a53c4f1e9a92cf7dfe8a5fc4db3221c8462f85ad3f7995abc42e19acee8ccd