Drupal 6.2, a maintenance release that fixes problems reported using the bug tracking system, as well as security vulnerabilities is now available for download. The security issues identified were in code new to Drupal 6, and are therefore not applicable to sites running on Drupal 5.
Upgrading your existing Drupal 6 sites is strongly recommended. There are no new features in this release, but we fixed some notable performance issues too. For more information about the Drupal 6.x release series, consult the Drupal 6.0 release announcement.
We have a security announcement mailing list, a history of all security advisories, and an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.
Drupal 6 also includes the Update status module built-in, which informs you about important updates to your modules and themes.
The full list of changes between the 6.1 and 6.2 releases can be found by reading the 6.2 release notes. A complete list of all bug fixes in the stable DRUPAL-6 branch can be found at http://drupal.org/project/cvs/3060/?branch=DRUPAL-6.
Drupal 6.2 was released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:
To fix the security problems, you can either (1) upgrade Drupal or (2) patch Drupal.
We recommend you do the full upgrade (which is also detailed in the security announcement) as the patches do not contain the additional bugfixes that went into the release. Applying the patches will leave your site in an unversioned state and confuse update status module, which will keep reminding you to upgrade to 6.2. Please read the announcement for details on the patch.
If you still prefer to patch Drupal, apply the http://drupal.org/files/sa-2008-026/SA-2008-026-6.1c.patch file to your code base.
Important update notes
It is essential to follow this process when updating:
- First make sure that you are logged in as user number 1 or that your site's settings.php has $update_free_access = TRUE; so that anyone can access the update.php script while you update the site. We suggest you log in as user 1 because you might have difficulties in gaining write access to your settings file.
- Turn your site into offline mode.
- Then, and only then replace your Drupal source code files with the new ones from Drupal 6.2.
- Run update.php.
- Turn your site back to online mode.
- If you edited your site's settings.php, make sure to set $update_free_access = FALSE;
If you do not follow the above procedure, and just replace the source files, any attempt to access the site will be greeted with the message: "Fatal error: Call to undefined function user_uid_optional_to_arg() in includes/menu.inc on line 594" and you will have no way to set the site to offline mode on the web interface until you get through update.php.