Subscribe to Drupal feed
Come for the software, stay for the community Drupal is an open source content management platform powering millions of websites and applications. It’s built, used, and supported by an active and diverse community of people around the world.
Updated: 44 min 48 sec ago

Drupal 7.38 and 6.36 released

17 June, 2015 - 17:06

Drupal 7.38 and Drupal 6.36, maintenance releases which contain fixes for security vulnerabilities, are now available for download. See the Drupal 7.38 and Drupal 6.36 release notes for further information.

Download Drupal 7.38
Download Drupal 6.36

Upgrading your existing Drupal 7 and 6 sites is strongly recommended. There are no new features or non-security-related bug fixes in these releases. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement. More information on the Drupal 6.x release series can be found in the Drupal 6.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.


Drupal 7.38 is a security release only. For more details, see the 7.38 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Drupal 6.36 is a security release only. For more details, see the 6.36 release notes. A complete list of all bug fixes in the stable 6.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.38 and 6.36 were released in response to the discovery of security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to either Drupal 7.38 or Drupal 6.36.

Known issues


Front page news: Planet DrupalDrupal version: Drupal 6.xDrupal 7.x
Categories: Content Management

Community Spotlight: Solomon Kitumba and Benjamin Lutaaya Kiyita

2 June, 2015 - 21:01

For our June community spotlight, we’d like to highlight the efforts of two men in Uganda who are working hard to grow their local community and bring more university students into the Drupal fold. In 2014, the two were awarded a Community Cultivation Grant for their Uganda University Drupal Tour program, which will be discussed in today’s spotlight.

For close to three years, Solomon Kitumba(solomonkitumba) and Benjamin Lutaaya Kiyita(benjaminkyta) of Kampala, Uganda, have been working with Drupal. Solomon, a Drupal front end developer, owns Kyta Labs, a mobile and web app development company. Benjamin, a Drupal Dev Ops and UI/UX Developer, is active both in the local Drupal community and in the local Linux community as well. Both men share a fascination with open source, and encountered the same obstacles when learning Drupal — which led them to team up and forge a better path for other Ugandans.

Initially, both Solomon and Benjamin learned Drupal software through online tutorials found on Lynda.com and YouTube, and through free eBooks as well. One struggle that the two bumped up against — and still struggle with — is the lack of a physical space where their local community can come together to teach new Drupalers, learn from each other, and give each other support.

"One of the biggest challenges we have faced is a lack of collaborative space where drupalers can meet daily,” said Solomon.” In our city, there’s nowhere where we can work on solutions together and learn from each other. There are a couple of these places for mobile developers, but we lack one for web people in Kampala.

“We’ve used our Drupal careers to create a presence in the local tech industry,” said Solomon by email. “People know who to talk to if they want to discuss Drupal and getting paid to develop using Drupal. Initially, our local community was pretty inactive. There were a few people who knew how to use Drupal, but lacked the force and momentum to get good attendance at events and meetups. We’ve been working to attract more people, like site builders and module developers, and we’ve seen a lot of growth in our local community because of it."

And how have the two grown the Drupal community in Uganda?

“We started doing some outreach to use local universities as meeting spaces, but they’re so far from the main city that it became very costly. Getting together outside of the city means dealing with expenses like hotel fees, transportation costs, and a few other things, and those costs would put our projects at a standstill in times when we can’t afford it."

However, the outreach to nearby universities — though expensive — has its benefits. “We’re doing a lot of work to get university students interested in Drupal while they are still at school. Students have a lot of time available to learn new things, so we put together a Drupal University tour that we are still conducting, and so far it has been very well received."

For Solomon and Benjamin, the university tour seemed like a natural extension of the work they’d been doing at local meetups.

"We got the idea from the tech meetups we attended in Kampala that were also attended by university students in the same field. They were all curious about the platforms we use to build our online technologies, and we told them about Drupal. After the meetups they knew it was a CMS and a few of them could even install it — but that was it. We asked ourselves how we could help these students learn Drupal more easily, which led us to the idea of holding training through the major universities in Uganda. And for us, it just made sense to call the campaign the Drupal University Tour."

Planning the University Tour was no easy task: the duo encountered no small amount of hesitation from universities, and came up against financial obstacles as well. “We started off by writing down the things we would need, and figured out from there how we would hold the trainings — what we would teach specifically, and so on. Then, we started communicating with the department heads of the universities we wanted to train at. Some of them were hesitant at first, but eventually they accepted our proposal.

"When we were preparing the tour, we realized that we needed funding for the whole campaign. The universities weren't ready to financially facilitate our sessions, so we applied for the Drupal Community Cultivation Grant. Through it, we were awarded $1,488 USD, and we were able to kick off the tour."

The two knew that, for maximum efficacy, they’d have to go to a number of different schools to speak to as many students as possible. So they decided to go to the best schools in the country. “We went to all the major universities in Uganda. Makere University, Kampala International University, Kyambogo University, and Mbara University of Science and Technology were all on our list. Because of scheduling conflicts, we weren’t able to run the tour in the timeframe we had planned, but we eventually made it. And, we managed to have a little money left over — about $50 USD, which was enough for us to go to another institution called Datamine Technical Institute. So they were able to benefit from the campaign as well,” Solomon concluded.

The Drupal University tour has been a big success, the two felt.

“We spent a day teaching the students about Drupal itself as a software. We taught them about making contributions to the development, such as by submitting code to the project. We also emphasized the power of both the local and global Drupal communities, and discussed what a big benefit it is,” Solomon said. “We talked about how to share resources with people in the Drupal community, and how we can mobilize both locally and internationally to help people learn Drupal and organize training."

We couldn’t be more thrilled and grateful for the work that Solomon and Benjamin have done. We often hear conversations about the difficulties of bringing new talent into the Drupal community, and the work that Solomon and Benjamin have done is invaluable, both for their local community and for the wider Drupal world. Thank you for your work!

Categories: Content Management

Drupal 8 Security bug bounty program: Get paid to find security issues in D8

2 June, 2015 - 13:38

Drupal 8 is nearing release, and with all the big architectural changes it brings, we want to ensure D8 upholds the same level of security as our previous releases. That's where you come in!

The security team is using monies from the D8 Accelerate fund to pay for valid security issues found in Drupal 8, from now until August 31, 2015 (open to extension). This program is open for participation by anyone.

How does this work?

Install a local copy of Drupal 8 from Git (https://www.drupal.org/project/drupal/git-instructions). Find security issues such as XSS, SQL Injection, CSRF, Access Bypass etc. If you find any, go to www.bugcrowd.com/drupal and submit them. You will have to sign up for an account on bugcrowd.com for this. Bugcrowd is a crowdsourced security bug finding platform suggested by security team members, and it is used by many, including LastPass, Pinterest, Heroku, Pantheon, and CARD.com.

I can get paid to do this?

We will be paying anywhere from $50-$1000 per issue. The more serious the issue, the more the security team will be paying. Issues must first be confirmed by a security team member before being approved for payment. You must provide a detailed explanation of the issue and steps to reproduce the issue. The quality of your report will be taken into account when assigning a value to it. We will also take into account the severity of the security issue.

Can I get paid for finding issues in contrib or Drupal 7?

No, however if you do find security issues in Drupal core other than version 8 or in contrib projects please submit them via our issue reporting process.

Who is running this program?

The Drupal Security Team with funds from the D8 Accelerate program.

If I find something will I get credit?

Yes, just like our regular reporting policy you will get credit as long as you don’t disclose it until a fix is released. If an issue is suitable for public discussion, we will disclose it and give you credit.

Do all security issues count?

If a task requires the attacker to have one of the following roles it would not count:
Access site reports (a.k.a. "View site reports"), Administer filters, Administer users, Administer permissions, Administer content types, Administer site configuration, Administer views, Translate interface.

Issues excluded from the bounty program:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- Lack of Security Speedbump when leaving the site.
- Username enumeration
- Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
- Strict-Transport-Security
- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- Content-Security-Policy-Report-Only
- SSL Issues, e.g.
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL weak / insecure cipher suites
- Other exceptions not listed.

However, we would still like to know about it, and you will still get credit for it. but we will not be issuing payments for it.

I have a question not listed here

Email security@drupal.org

Drupal version: Drupal 8.x
Categories: Content Management