Drupal Release: 7.21

Tag Name: 7.21

Release Date: 3/7/2013

Highly flexible, open-source content management system known for complex, scalable web applications. Preferred by government, educational, and large enterprise websites requiring advanced customization and security features. Robust module ecosystem.

TL;DR

Drupal 7.21 introduces a critical security enhancement that provides partial protection from image derivative security issues for sites using the 'image_allow_insecure_derivatives' variable. This release builds upon the security fixes implemented in Drupal 7.20, offering a more flexible solution for sites that require insecure image derivatives while still maintaining some level of protection.

Highlights of the Release

    • Enhanced security for sites using 'image_allow_insecure_derivatives' variable
    • Partial protection from image derivative security vulnerabilities
    • Builds upon security fixes from Drupal 7.20
    • Maintains backward compatibility for sites requiring insecure image derivatives

Migration Guide

No specific migration steps are required for this release. However, site administrators should:

  1. Review their use of the 'image_allow_insecure_derivatives' variable
  2. Consider whether they can remove this variable entirely for maximum security
  3. If the variable must be kept, understand that the site now has partial protection rather than no protection
  4. Plan for eventually removing reliance on insecure image derivatives if possible

For optimal security, sites should work toward configurations that do not require the 'image_allow_insecure_derivatives' variable.
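
One way to carry out the review in step 1 across a multisite docroot, as an added example that is not part of the original page or Drupal's own code. It assumes the variable is overridden through `$conf[...]` assignments in `sites/*/settings*.php`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Drupal project code: find Drupal 7 settings files that
# enable image_allow_insecure_derivatives.
# Assumption: the override is a $conf[...] assignment in sites/*/settings*.php.
VAR='image_allow_insecure_derivatives'

# Print every active assignment as "file:line:text". The pattern must start
# with optional whitespace then $conf, so //, # and * comment lines are skipped
# (a multi-line /* */ block around a bare assignment would not be).
list_overrides() {
    find "$1/sites" -type f -name 'settings*.php' 2>/dev/null | sort |
    while IFS= read -r file; do
        # /dev/null as a second operand forces grep to print the file name.
        grep -nE "^[[:space:]]*[$]conf\[['\"]${VAR}['\"][]][[:space:]]*=" \
            "$file" /dev/null || :
    done
}

# Keep only assignments whose value is truthy (TRUE or 1, any case).
list_enabled() {
    list_overrides "$1" | grep -iE '=[[:space:]]*(true|1)[[:space:]]*;' || :
}

# Exit status 1 and a listing if any site enables the variable, else 0.
audit() {
    enabled=$(list_enabled "$1")
    if [ -n "$enabled" ]; then
        printf 'insecure derivatives enabled in:\n%s\n' "$enabled"
        return 1
    fi
    echo "no settings file enables $VAR"
}

# Constructed sample tree: one site enables the variable, one has it
# commented out, one sets it to FALSE.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/sites/default" "$root/sites/a.example" "$root/sites/b.example"
    printf '%s\n' '<?php' "\$conf['$VAR'] = TRUE;" > "$root/sites/default/settings.php"
    printf '%s\n' '<?php' "// \$conf['$VAR'] = TRUE;" > "$root/sites/a.example/settings.php"
    printf '%s\n' '<?php' "\$conf['$VAR'] = FALSE;" > "$root/sites/b.example/settings.php"
    echo "$root"
}
```

A value stored in the database `variable` table is not visible to this scan; where Drush is installed, `drush vget image_allow_insecure_derivatives` shows it.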

Upgrade Recommendations

Immediate Upgrade Recommended

All sites should upgrade to Drupal 7.21 immediately, especially those using the 'image_allow_insecure_derivatives' variable. This release provides important security enhancements that offer partial protection from vulnerabilities related to image derivatives.

While this release is particularly important for sites using the 'image_allow_insecure_derivatives' variable, all Drupal 7 sites should apply this update as part of standard security maintenance practices.

The upgrade process should be straightforward as this is a minor security enhancement release with minimal code changes.

Bug Fixes

No general bug fixes were included in this release. The changes are specifically focused on addressing security concerns related to image derivatives.

New Features

No new features were introduced in this release. This update focuses specifically on enhancing security for sites using the 'image_allow_insecure_derivatives' variable.

Security Updates

Enhanced Image Derivative Security

This release provides partial protection from the security issues fixed in Drupal 7.20 for sites that are using the 'image_allow_insecure_derivatives' variable.

The enhancement allows sites to maintain compatibility with workflows that require insecure image derivatives while still implementing some security protections. This is particularly important for sites that cannot immediately transition away from using the 'image_allow_insecure_derivatives' variable but still want to benefit from improved security measures.

This change represents a more nuanced approach to the security fixes implemented in Drupal 7.20, providing a balance between security and backward compatibility.

Performance Improvements

No specific performance improvements were included in this release. The focus was on security enhancements.

Impact Summary

Drupal 7.21 addresses a specific security concern for sites using the 'image_allow_insecure_derivatives' variable. Prior to this release, sites using this variable were completely vulnerable to the security issues fixed in Drupal 7.20. With this update, these sites now have partial protection while still maintaining compatibility with workflows that require insecure image derivatives.

This release represents an important balance between security and backward compatibility, allowing site administrators more flexibility in securing their sites while maintaining necessary functionality. The impact is primarily positive for security posture without introducing breaking changes.

Site administrators should still work toward configurations that don't require the 'image_allow_insecure_derivatives' variable for maximum security, but this release provides an improved interim solution.

Statistics:

Files Changed: 4
Line Additions: 60
Line Deletions: 7
Line Changes: 67
Total Commits: 2

Users Affected:

  • Can now configure partial security protection while still using the 'image_allow_insecure_derivatives' variable
  • Need to review their image handling configuration to ensure proper security measures are in place
  • Should evaluate whether they still need to use the 'image_allow_insecure_derivatives' variable

Contributors:

DavidRothstein