Drupal 6.3 and 5.9 released, fixing security issues
Download Drupal 6.3 | Download Drupal 5.9
Update: Drupal 5.9 has been released to correct a vulnerability that was inadvertently left in Drupal 5.8.
Drupal 6.3 and Drupal 5.8, maintenance releases fixing problems reported using the bug tracking system as well as security vulnerabilities, are now available for download. Drupal 6.3 also includes some changes to the installer to prevent file ownership issues on shared hosts; upgrades jQuery to version 1.2.6; improves PostgreSQL compatibility; fixes performance issues in search, menu and form API; and contains a variety of other small improvements. It should also be noted that the Views for Drupal 6 release candidate requires Drupal 6.3 to run properly.
Upgrading your existing Drupal 5 and 6 sites is strongly recommended. There are no new features in these releases, but we fixed some notable performance issues too. For more information about the Drupal 6.x release series, consult the Drupal 6.0 release announcement; more information on the 5.x releases can be found in the Drupal 5.0 release announcement.
Security information
We have a security announcement mailing list, a history of all security advisories, and an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.
Drupal 6 also includes the Update status module built-in, which informs you about important updates to your modules and themes.
Bug reports
Both Drupal 5.x and 6.x branches are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available.
Changelog
The full list of changes between the 6.2 and 6.3 releases can be found by reading the 6.3 release notes. A complete list of all bug fixes in the stable DRUPAL-6 branch can be found at http://drupal.org/project/cvs/3060/?branch=DRUPAL-6.
The full list of changes between the 5.7 and 5.8 releases can be found by reading the 5.8 release notes. A complete list of all bug fixes in the stable DRUPAL-5 branch can be found at http://drupal.org/project/cvs/3060/?branch=DRUPAL-5.
Update: The full list of changes between the 5.8 and 5.9 releases can be found by reading the 5.9 release notes. A complete list of all bug fixes in the stable DRUPAL-5 branch can be found at http://drupal.org/project/cvs/3060/?branch=DRUPAL-5.
Security vulnerabilities
Drupal 6.3, 5.8 and 5.9 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:
- SA-2008-044
- Update: SA-2008-046 is an addendum to SA-2008-044
To fix the security problems, you can either (1) upgrade Drupal or (2) patch Drupal.
We recommend you do the full upgrade (which is also detailed in the security announcement), as the patches do not contain the additional bug fixes that went into the release. Applying the patches will leave your site in an unversioned state and confuse the Update status module, which will keep reminding you to upgrade to 6.3 or 5.8. Please read the announcement for details on the patches.
If you still prefer to patch Drupal, apply the http://drupal.org/files/sa-2008-044/SA-2008-044-6.2.patch file to your Drupal 6.2 code base or http://drupal.org/files/sa-2008-044/SA-2008-044-5.7.patch to your Drupal 5.7 code base.
Update: To patch Drupal 5.8 apply the file http://drupal.org/files/sa-2008-046/SA-2008-046-5.8.patch. Important note: If you are patching Drupal 5.7, first apply http://drupal.org/files/sa-2008-044/SA-2008-044-5.7.patch to correct the vulnerabilities listed in SA-2008-044, then http://drupal.org/files/sa-2008-046/SA-2008-046-5.8.patch to correct the remaining vulnerability detailed in SA-2008-046.
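The patch order described above, as an added example that is not part of the original announcement or of Drupal itself: a read-only helper that finds the installed version and prints the patches to apply, in order. It assumes the `VERSION` constant is defined in `modules/system/system.module`, as in Drupal 5.x and 6.x; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list, in order, the patches this announcement names for the
# Drupal version found under a given root. It only reads; it applies nothing.

BASE=http://drupal.org/files

# Assumption: Drupal 5.x/6.x define VERSION in modules/system/system.module.
drupal_version() {
    sed -n "s/^define('VERSION', *'\([^']*\)');.*/\1/p" \
        "$1/modules/system/system.module" 2>/dev/null | head -n 1
}

# Print one patch URL per line, in the order they must be applied.
# Returns 0 when the list is valid (empty for already-fixed releases),
# 1 when the announcement lists no patch for that version.
patches_for() {
    case "$1" in
        6.2) echo "$BASE/sa-2008-044/SA-2008-044-6.2.patch" ;;
        5.7) echo "$BASE/sa-2008-044/SA-2008-044-5.7.patch"   # SA-2008-044 first
             echo "$BASE/sa-2008-046/SA-2008-046-5.8.patch" ;; # then SA-2008-046
        5.8) echo "$BASE/sa-2008-046/SA-2008-046-5.8.patch" ;;
        6.3|5.9) : ;;          # fixed releases, nothing to apply
        *) return 1 ;;
    esac
}

# Combine both steps for a Drupal root directory.
plan() {
    v=$(drupal_version "$1")
    [ -n "$v" ] || { echo "no VERSION found under $1" >&2; return 2; }
    patches_for "$v" || {
        echo "Drupal $v: no patch listed, do the full upgrade" >&2
        return 1
    }
}

if [ "$#" -gt 0 ]; then plan "$1"; fi
```
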
Important update notes
Although these releases contain no database changes, it is important to run update.php to refresh the menu cache and other caches on the website.
Drupal version: Drupal 6.x