Show advisories for only Drupal core, only contributed projects, or all security advisories

Security-related announcements, such as information on best practices.

Drupal 9 is end of life - PSA-2023-11-01

Date: 
2023-November-01

Drupal 9 is end of life as of November 1st, 2023

Drupal 9 relies on several other software projects, including Symfony, CKEditor, and Twig. With Symfony 4's end of life, CKEditor 4's end of life, and Twig 2's end of life all coming up soon, Drupal 9 went end of life on November 1st, 2023. There will be no further releases of Drupal 9.

Last chance to adopt Drupal 7 contributed projects before they might be marked unsupported - PSA-2023-07-19

Date: 
2023-July-19

Reminder: As we get ready for the End-of-life (EOL) of Drupal 7 in January 2025, changes are coming to the Drupal 7 ecosystem.

Announcement: Drupal core issues with some risk levels may be treated as bugs in the public issue queue, not as private security issues - PSA-2023-07-12

Date: 
2023-July-11

Updated 2023-07-14 to reference PSA-2023-06-07.

End of life announcement and changes to Drupal 7 support - PSA-2023-06-07

Date: 
2023-June-07

Updated 2023-07-14 to reference PSA-2023-07-12.

Drupal 7's end of life is January 5, 2025

On February 23, 2022, we announced that we would be extending the End-of-Life for Drupal 7 until at least November 1, 2023.

Today, we are officially announcing that Drupal 7 will reach its end of life on January 5, 2025.

With this final extension, the Drupal Security Team is also adjusting the level of support provided.

This will be the final extension.

Updated security policy for Drupal core Composer dependencies - PSA-2022-06-20

Date: 
2022-June-20

In Drupal 9.4 and higher, drupal/core-recommended allows patch-level vendor updates

The drupal/core-recommended metapackage now allows patch-level updates for Composer dependencies. This means that site owners using drupal/core-recommended can now install most Composer dependency security updates themselves, without needing to wait for an upstream release of Drupal core that updates the affected package.

End of Drupal 6 vendor support - PSA-2022-03-09

Date: 
2022-March-09

Drupal 6 LTS vendor-provided support will end on October 22, 2022.

On February 24th, 2016, Drupal 6 was marked end-of-life (EOL). The Drupal 6 Long-Term-Support (LTS) program added more than 6 years of additional coverage for program participants and the community.

Drupal 7's End-of-Life extended to November 1, 2023 - PSA-2022-02-23

Date: 
2022-February-23
Drupal 7 End of Life has received a final extension to January 5th, 2025

Drupal 8 is now end-of-life - PSA-2021-11-30

Date: 
2021-November-30

As of November 17, 2021, the Drupal core version 8 series has reached end-of-life. This means that all releases of Drupal 8 core (with 8.y.x version numbers) and Drupal contributed project releases that are compatible with only Drupal 8 will be marked unsupported as they no longer have security team support.

Drupal 8.0.0 was first released on November 9, 2015. The last version was released on November 17, 2021.

Drupal 8 and 9 core release on August 12, 2021 - PSA-2021-08-09

Date: 
2021-August-09

The Drupal Security Team will be coordinating a security release for Drupal core 8.9, 9.1, and 9.2 this week on Thursday, August 12, 2021.

We are issuing this PSA in advance because August 12, 2021 is not a security window in the regular Drupal security release window schedule, so there would not normally be any security release on this date.

Drupal 8 end-of-life on November 2, 2021 - PSA-2021-06-29

Date: 
2021-June-29

Drupal 8 will reach its end-of-life on November 2, 2021, before the release of Drupal 9.3.0, due to Symfony 3's end-of-life. If you are using Drupal 8, you must upgrade to Drupal 9.2 before November to keep your site secure. (Drupal 9.1 security coverage ends shortly after the Drupal 8 end-of-life, so updating to 9.2 directly is best.)

There is no vendor extended support program for Drupal 8.

Pages

Subscribe with RSS Subscribe to Security public service announcements