This was overlooked while committing SOLR-3895.
For several reasons, disabling the resolving of external entities within the Solr UpdateRequestHandler for XML would be good.
Backport some security fixes from 4.x to 3.6.x branch
Commit 1547011 from Uwe Schindler in branch 'dev/branches/lucene_solr_3_6'
[ https://svn.apache.org/r1547011 ]
SOLR-5520: Backports of:
Bulk close after 4.3.1 release
Committed to 4.3.1, 4.4 and trunk.
Thanks Hoss for pointing out the inconsistency!