Drupal 4.7.7 and 5.2 are now available for download. These are maintenance releases that fix problems reported using the bug tracking system, as well as some security vulnerabilities.

Upgrading your existing Drupal sites is strongly recommended.


There are no new features in these installments. For more information about the Drupal 4.7.x release series, please consult the Drupal 4.7.0 release announcement. For more information about the Drupal 5.x release series, consult the Drupal 5.0 release announcement.


The full list of changes in between the 4.7.6 and 4.7.7 releases can be found by reading the 4.7.7 release notes. A complete list of all bug fixes in the stable DRUPAL-4-7 branch can be found at http://drupal.org/project/cvs/3060/?branch=DRUPAL-4-7.

The full list of changes in between the 5.2 and 5.1 releases can be found by reading the 5.2 release notes. A complete list of all bug fixes in the stable DRUPAL-5 branch can be found at http://drupal.org/project/cvs/3060/?branch=DRUPAL-5.

Security vulnerabilities

Drupal 4.7.7 and Drupal 5.2 fix several security vulnerabilities. Details can be found in the official security advisory:

  1. DRUPAL-SA-2007-017 (plain text)
  2. DRUPAL-SA-2007-018 (plain text)

To fix this security problem, you can either (1) upgrade Drupal or (2) patch Drupal.

We recommend you do the full upgrade as the patches do not contain the many additional bugfixes that went into the releases. Applying the patches will leave your site in a somewhat unversioned state, but at least secure.

  1. To upgrade Drupal, consult the information below.
  2. To fix the security issue in Drupal 4.7.6, use the patches below:
  3. To fix the security issues in Drupal 5.1, use the patches below:


To upgrade Drupal, follow the upgrade instructions.

For the most trouble-free transition from an existing installation, it is recommended that you first upgrade to Drupal 4.7.6 or Drupal 5.1. If you are upgrading from Drupal 4.6.x or below, please consult the relevant release announcements. As with any upgrade, it is a good idea to back up your site and database first.

Important note

The file settings.php is one of the files containing vulnerable code. It is therefore critical to replace all of your sites' settings.php files in subdirectories of sites with the new one from the archive. After you have replaced the files, make sure to edit the value of the $db_url variable to be identical to the value in your old settings.php. This is the information that determines how Drupal connects to a database.

Security infrastructure

We have a security announcement mailing list, a history of all security advisories, and an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Bug reports

Both Drupal 4.7 and 5 branches are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available.