Drupal 6.16 and 5.22, maintenance releases which fix issues reported through the bug tracking system, as well as security vulnerabilities, are now available for download. Drupal 6.16 also fixes other smaller issues.
Upgrading your existing Drupal 5 and 6 sites is strongly recommended. There are no new features in these releases. For more information about the Drupal 6.x release series, consult the Drupal 6.0 release announcement, more information on the 5.x releases can be found in the Drupal 5.0 release announcement. Drupal 5 will no longer be maintained when Drupal 7 is released. Upgrading to Drupal 6 is recommended.
We have a security announcement mailing list, a history of all security advisories, and an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.
Drupal 6 also includes the built-in Update status module, which informs you about important updates to your modules and themes.
The full list of changes between the 6.15 and 6.16 releases can be found by reading the 6.16 release notes. A complete list of all bug fixes in the stable DRUPAL-6 branch can be found at http://drupal.org/project/cvs/3060/?branch=DRUPAL-6.
The full list of changes between the 5.21 and 5.22 releases can be found by reading the 5.22 release notes. A complete list of all bug fixes in the stable DRUPAL-5 branch can be found at http://drupal.org/project/cvs/3060/?branch=DRUPAL-5.
Drupal 5.22 and 6.16 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:
To fix the security problem, you can either (1) upgrade Drupal or (2) patch Drupal.
We strongly recommend you do a full upgrade (which is also detailed in the security announcement) as the patches do not contain the additional bug fixes that went into the releases. Applying the patches will leave your site in an unversioned state and confuse the update status module, which will keep reminding you to upgrade to 6.16 or 5.22. Please read the announcement for details on the patch.
If you still prefer to patch Drupal, apply the http://drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-6.15.patch file to your Drupal 6.15 codebase or http://drupal.org/files/sa-core-2010-001/SA-CORE-2010-001-5.21.patch to your Drupal 5.21 codebase.
Important update notes
Drupal 6.16 unfortunately introduced a change which makes it incompatible with PHP 4 in itself. Apply the one-line change explained in http://drupal.org/node/732096#comment-2679226 until a new Drupal release comes out which will include a fix for this issue.
A new includes/lock.inc file is included with this release to support the locking subsystem. This also involved some database changes. To make sure your site continues to function right, running update.php is extremely important. Update.php will display warnings of the non-existent semaphore table, until after the updates are run. If you deploy using a version control system, make sure to commit lock.inc to your production codebase. Finally, if you run a bytecode cache such as APC, reset the cache to let it reread the changed files.
These releases did not change the (default.)settings.php and robots.txt files, so you can keep your existing files intact, if you have modifications in them.
The .htaccess file was changed in Drupal 6.16, adding make files to the list of files not served by Apache. See http://drupal.org/node/638030 for more information.