
There was a Drupal security release this week.

This release managed to confuse several of our users, because it wasn't clear if they should update their sites.

Security release information is rarely, if ever, written in plain English. And this week's updates were additionally confusing because they only impacted some Drupal sites.

So here, upon request, is our plain English guide to Drupal security releases.

When do Drupal core releases happen?

They happen once per month, usually on the third Wednesday. Find out more here.

Do I need to update my site every time?

No, you don't. There are two major kinds of Drupal update:

  • Security releases
  • Maintenance releases that only fix bugs, not security issues

Particularly with maintenance releases, you can pick and choose which updates to apply.

How often do security releases happen?

Let's take a look back over the last year. If you launched your Drupal site in June 2014, here are the core updates since then:

So, there have been 6 security releases in the last 12 months.

Does every security issue update impact every site?

No, not always.

Drupal 7.32 was known as Drupalgeddon because it impacted every single Drupal site.

However, some other security issues only apply in narrow situations. For example, with Drupal 7.38, the most serious of the issues only impacted sites that were actively using the OpenID module, and then only if you were connecting to a certain group of sites, including Verisign, LiveJournal and StackExchange.

Drupal.org will give you information on whether your site is impacted. Here's a description of the OpenID issue:

[Image: description of the OpenID issue]

How do I tell if an update is important?

Drupal has a rating system to show how urgent an update is. You can see the full scale here and this is a great explanation.

Drupal 7.38 was marked as 15/25, and labeled "Critical":

[Image: Drupal 7.38 security rating]

Drupal 7.32 was given the maximum 25/25 and marked as "Highly Critical".

[Image: Drupal 7.32 security rating]

Yes. You probably should have updated to Drupal 7.32.

In fact, you should probably err on the side of updating your site whenever you can. The further your site falls behind, the harder it will be to catch up if there's a truly critical security issue.


About the author

Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.