There was a Drupal security release this week.
This release managed to confuse several of our users, because it wasn’t clear if they should update their sites.
Security release information is rarely, if ever, written in plain English. And these week’s updates were additionally confusing because they only impacted some Drupal sites.
So here, upon request, is our plain English guide to Drupal security releases.
When do Drupal core releases happen?
They happen once per month, usually on the third Wednesday. Find out more here.
Do I need to update my site every time?
No, you don’t. There are two major kinds of Drupal update:
- Security release
- Maintenance releases that only fix bug, not security issues
Particularly with maintenance releases, you can pick and choose which updates to apply.
How often do security releases happen?
Let’s take a look back over the last year. If you launched your Drupal site in June 2014, here are the core updates since then:
- Drupal 7.29 was a maintenance and security release
- Drupal 7.30 was a maintenance release
- Drupal 7.31 was a maintenance and security release
- Drupal 7.32 was a maintenance and security release
- Drupal 7.33 was a maintenance release
- Drupal 7.34 was a maintenance and security release
- Drupal 7.35 was a maintenance and security release
- Drupal 7.36 was a maintenance release
- Drupal 7.37 was a maintenance release
- Drupal 7.38 was a maintenance and security release
So, there have been 6 security releases in the last 12 months.
Does every security issue update impact every site?
No, not always.
Drupal 7.32 was known as Drupalgeddon because it impacted every single Drupal site.
However, some other security issues only apply in narrow situations. For example, with Drupal 7.38, the most serious of the issues only impacted sites that were actively using the OpenID module, and then only if you were connecting to a certain group of sites, including Verisign, LiveJournal and StackExchange.
Drupal.org will give you information on whether your site is impacted. Here’s a description of the OpenID issue:
How do I tell if an update is important?
Drupal 7.38 was marked as 15/25, and labeled “Critical”:
Drupal 7.32 was given the maximum 25/25 and marked as “Highly Critical”.
Yes. You probably should have updated to Drupal 7.32.
In fact, you probably should lean on the side of updating your site whenever you can. The further your site falls behind, the harder it will be to catch up if there’s a truly critical security issue.