Drupal 7.11 and 6.23, maintenance releases which fix security vulnerabilities are now available for download.

Drupal 7.12 and 6.24 also fix other issues reported through the bug tracking system.

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement, more information on the 6.x releases can be found in the Drupal 6.0 release announcement. Drupal 5 is no longer maintained, upgrading to Drupal 6 is recommended.

Security information

We have a security announcement mailing list, a history of all security advisories, and an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update status module, which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x branches are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.11 only includes fixes for security issues. (Note: Be sure to review the known issues for 7.11 below.) Drupal 7.12 also includes bugfixes. The full list of changes between the 7.10 and 7.12 releases can be found by reading the 7.12 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Drupal 6.23 only includes fixes for security issues. Drupal 6.24 also includes bugfixes. The full list of changes between the 6.22 and 6.24 releases can be found by reading the 6.24 release notes. A complete list of all bug fixes in the stable 6.x branch can be found at git commit log.

Security vulnerabilities

Drupal 7.11 and 6.23 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade Drupal.

What is included with each release?

Release explanation

We made two versions of both Drupal 7 and 6 available, so you can choose to only include security fixes (Drupal 7.11 and 6.23 respectively) or security fixes and bugfixes (Drupal 7.12 and 6.24). You can choose your preferred version. We are trying to make it easier and quicker to roll out security updates by making security-only releases available as well as ones with bugfixes included. We hope this helps you roll out the fixes as soon as possible. Read more details in the handbook.

Update notes

The default.settings.php file was changed in Drupal 7.12, to add documentation about PDO attribute override capabilities that were added as a result of #1309278: Make PDO connection options configurable.

The robots.txt file was changed in Drupal 6.24 to block filter tips from search engines. The .htaccess and (default.)settings.php files were not changed in Drupal 6. Additionally, indexes were added to the node_comment_statistics and comment tables, for performance.

Known issues #

Drupal 7

The Drupal 7.11 release is only an incremental release off of Drupal 7.9, instead of 7.10, so it is missing bug fixes introduced in 7.10. Administrators are encouraged to update to 7.12 as soon as possible. See #1430404: Drupal 7.11 is missing all the bug fixes from Drupal 7.10 for details.

Drupal 7.12 is also only compatible with Menu Block 7.x-2.3 and higher, and Internationalization (i18n) 7.x-1.4 and higher.

Drupal 6

In Drupal 6.24, if you have the contributed user_delete module enabled on your site, the update will fail with a Cannot redeclare user_delete_access() error. An update of user_delete module is being worked on.

In Drupal 6.24 if you had locale module enabled earlier, but it is not currently turned on, the update will fail with Call to undefined function locale_inc_callback(). A fix is being worked on for Drupal core.

In Drupal 6.24 if you run your updates with Drush, you might experience duplicate entry errors in your system table. See the ongoing discussion at http://drupal.org/node/1425868

Also in Drupal 6.24 there are email validation changes which make multi-component host names which have dashes in components after the first one invalid (like example@host.e-xample.example.com). The bogus email validation change can be rolled back on sites where this is a problem.

Drupal 6.25 is currently planned to be released with fixes for issues 2, 3 and 4 above on February 29th. The first issue needs a user_delete module fix/update.