Drupal 7.5, a maintenance release which fixes security vulnerabilities is now available for download. Drupal 7.6 7.7 also fixes other issues reported through the bug tracking system.

Note: Drupal 7.7 is just Drupal 7.6 with a fixed VERSION string (7.6 was reporting itself as 7.5). No other changes.

Upgrading your existing Drupal 7 sites is strongly recommended. There are no new features in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list, a history of all security advisories, and an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 includes the built-in Update status module, which informs you about important updates to your modules and themes.

Bug reports

Drupal 7.x is being maintained, so given enough bug fixes (not just bug reports), a new maintenance release will be made available the last Wednesday of next month (August 31).


Drupal 7.5 only includes fixes for security issues. Drupal 7.6 also includes bugfixes. The full list of changes between the 7.4 and 7.7 releases can be found by reading the 7.6 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.5 was released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade Drupal.

What is included with each release?

Shows a graph and that 7.5 should be used to upgrade quickly, 7.6 contains bug fixes and might need testing.

We make two versions of Drupal core available, so you can choose to only include security fixes (Drupal 7.5) or security fixes and bugfixes (Drupal 7.7). You can choose your preferred version. We are trying to make it easier and quicker to roll out security updates by making security-only releases available as well as ones with bugfixes included. We hope this helps you roll out the fixes as soon as possible. Read more details in the handbook.

Update notes

  • (#634616) AJAX now responds to 'click' instead of 'mousedown'. Testing was performed to make sure this doesn't affect major contributed modules, but could cause issues.
  • (#1164852) The 'translatable' flag on fields added via the UI now defaults to FALSE, same as fields added via the API do. Contrib modules such as Entity Translation can allow toggling this back for sites that need it. An upgrade path will be included in a future release to bring all legacy fields into compliance.
  • (#1083982) Remote streamwrappers are now supported, because of fixes to where drupal_realpath() is called.

Known issues

Drupal 7.6 and 7.7 introduced an issue in node data migration in the Drupal 6 upgrade path for foreign language sites that migrates node bodies as untranslatable but assigns language to the data which makes nodes appear in an unsupported state. If you are looking to upgrade a foreign language Drupal 6 site, use Drupal 7.5 for now, and track progress on the issue at http://drupal.org/node/1164852#comment-4807524