Dear Drupal developers, We have just released Drupal 4.7.8 and 5.3. These are maintenance releases that fix problems reported using the bug tracking system and a number of security vulnerabilities. The release announcement can be found on http://drupal.org/drupal-5.3 The following security announcements were issued: http://drupal.org/node/184315 HTTP response splitting (4.7.x, 5.x) http://drupal.org/node/184316 Arbitrary code execution (5.x) http://drupal.org/node/184320 XSS via uploads (4.7.x, 5.x) http://drupal.org/node/184348 User deletion CSRF (5.x) http://drupal.org/node/184354 Comment status handling (4.7.x, 5.x) I want to thank the members of the security team and the branch maintainers for their hard work on these issues. Special thanks go to Jeff Eaton for a last minute review of the installer patch, Robert Douglass for release coordination, and die Zeit Online for sharing the results of a code audit with us. Gábor Hojtsy no doubt has something to say about 6 beta 2 later, but he also acted as the 4.7.8 branch maintainer substitute. Thanks. Regards, Heine Deelstra on behalf of the Drupal security team.