The Beginner’s Guide to Drupal Security Releases

There was a Drupal security release this week.
This release managed to confuse several of our users, because it wasn’t clear if they should update their sites.
Security release information is rarely, if ever, written in plain English. And this week’s updates were additionally confusing because they only impacted some Drupal sites.
So here, upon request, is our plain English guide to Drupal security releases.
When do Drupal core releases happen?
They happen once per month, usually on the third Wednesday. Find out more here.
Do I need to update my site every time?
No, you don’t. There are two major kinds of Drupal update:
- Security releases
- Maintenance releases that only fix bugs, not security issues
Particularly with maintenance releases, you can pick and choose which updates to apply.
How often do security releases happen?
Let’s take a look back over the last year. If you launched your Drupal site in June 2014, here are the core updates since then:
- Drupal 7.29 was a maintenance and security release
- Drupal 7.30 was a maintenance release
- Drupal 7.31 was a maintenance and security release
- Drupal 7.32 was a maintenance and security release
- Drupal 7.33 was a maintenance release
- Drupal 7.34 was a maintenance and security release
- Drupal 7.35 was a maintenance and security release
- Drupal 7.36 was a maintenance release
- Drupal 7.37 was a maintenance release
- Drupal 7.38 was a maintenance and security release
So, there have been 6 security releases in the last 12 months.
Does every security issue update impact every site?
No, not always.
Drupal 7.32 was known as Drupalgeddon because it impacted every single Drupal site.
However, some other security issues only apply in narrow situations. For example, with Drupal 7.38, the most serious of the issues only impacted sites that were actively using the OpenID module, and then only if you were connecting to a certain group of sites, including Verisign, LiveJournal and StackExchange.
Drupal.org will give you information on whether your site is impacted. Here’s a description of the OpenID issue:

How do I tell if an update is important?
Drupal has a rating system to show how urgent an update is. You can see the full scale here and this is a great explanation.
Drupal 7.38 was marked as 15/25, and labeled “Critical”:

Drupal 7.32 was given the maximum 25/25 and marked as “Highly Critical”.

Yes. You probably should have updated to Drupal 7.32.
In fact, you should probably err on the side of updating your site whenever you can. The further your site falls behind, the harder it will be to catch up if there’s a truly critical security issue.
Very useful information which every Drupal Administrator, builder or Developer should take seriously. I wonder why so many feel reluctant to keep such information close to their hearts?
The only thing that concerns me with every update I apply is that it will cause a subtle issue on my site that I will never notice. I always check the log files and homepage after an update, but it can be weeks later before I notice any strange side effects. Is there a way to test for this?
No easy way, I’m afraid, Steve.
If it’s a subtle issue, only comprehensive testing might be able to catch it.
Thanks for the reply. Yeah, I figured there was no easy way to test for subtle errors. That’s why there’s version control and staging sites I guess!
Nice article.
Thanks for the article. Enough to give knowledge to me.
Thank you for the article! Drupal CMS is one of the most popular tools in the web development world. The great, responsible community, dedicated team of contributors and professional security team make Drupal users feel confident and safe while using their solution.