Drupal 6.10 and 5.16, maintenance releases fixing problems reported using the bug tracking system, as well as a critical security vulnerability, are now available for download.

Upgrading your existing Drupal 5 and 6 sites is strongly recommended. There are no new features in these releases. For more information about the Drupal 6.x release series, consult the Drupal 6.0 release announcement, more information on the 5.x releases can be found in Drupal 5.0 release announcement.

Security information

We have a security announcement mailing list, a history of all security advisories, and an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 6 also includes the Update status module built-in, which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 5.x and 6.x branches are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available.

Changelog

The full list of changes between the 6.9 and 6.10 releases can be found by reading the 6.10 release notes. A complete list of all bug fixes in the stable DRUPAL-6 branch can be found at http://drupal.org/project/cvs/3060/?branch=DRUPAL-6.

The full list of changes between the 5.15 and 5.16 releases can be found by reading the 5.16 release notes. A complete list of all bug fixes in the stable DRUPAL-5 branch can be found at http://drupal.org/project/cvs/3060/?branch=DRUPAL-5.

Security vulnerabilities

Drupal 5.16 and 6.10 were released in response to the discovery of a security vulnerability. Details can be found in the official security advisories:

To fix the security problem, you can either (1) upgrade Drupal or (2) patch Drupal.

We recommend you do the full upgrade (which is also detailed in the security announcement) as the patches do not contain the additional bugfixes that went into the releases. Applying the patches will leave your site in an unversioned state and confuse the update status module, which will keep reminding you to upgrade to 6.10 or 5.16. Please read the announcement for details on the patch.

If you still prefer to patch Drupal, apply the http://drupal.org/files/sa-core-2009-003/SA-CORE-2009-003-6.9.patch file to your Drupal 6.9 codebase or http://drupal.org/files/sa-core-2009-004/SA-CORE-2009-004-5.15.patch to your Drupal 5.15 codebase.

Important update notes

It is important to run update.php. These releases did not change the .htaccess, robots.txt and (default.)settings.php files, so you can keep your existing files intact, if you have modifications in them.

Regarding Drupal 6.10: In this release, we've fixed a bug, so that custom CCK fields are now actually displayed in RSS feeds. You might want to revisit your content type settings pages and configure which field should be included in feeds.

Developer and translator notes

The following strings have changed in Drupal 6.10:

  • "Read @username's latest blog entries." is now "Read !username's latest blog entries."
  • "@name's blog" is now "!name's blog"
  • "@username's blog" is now "!username's blog"

See Do not check_plain() usernames more than once for details.