Drupal 7.20 Released to Address DoS Vulnerability
Non-security fixes or new features are not included in the release
Drupal 7.20 has been released to fix a critical, remotely exploitable denial-of-service (DoS) vulnerability. According to the developers, the update doesn't include any new features or non-security-related fixes, but all users of Drupal 7.x are advised to install it to protect their sites against potential attacks.
“Drupal core's Image module allows for the on-demand generation of image derivatives. This capability can be abused by requesting a large number of new derivatives which can fill up the server disk space, and which can cause a very high CPU load,” the vulnerability advisory released by Drupal reads.
It notes, “Either of these effects may lead to the site becoming unavailable or unresponsive.”
A CVE identifier has been requested for the flaw and it will be added once it’s issued.
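The behaviour the advisory describes leaves a recognisable trace in web server access logs: a single client being served many distinct image derivatives in a short time. The following Python example is added here and is not code from Drupal or the advisory; it assumes the default Drupal 7 derivative URL layout under /sites/default/files/styles/, combined-format access logs, and an illustrative 60-second window and threshold of 5, and its log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: default Drupal 7 public files directory, where derivative URLs
# have the form /sites/default/files/styles/<style>/<scheme>/<source path>.
DERIVATIVE_RE = re.compile(r"^/sites/default/files/styles/([^/]+)/[^/]+/([^?\s]+)")
# Common/combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, time, (style, source)) for a delivered derivative, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    d = DERIVATIVE_RE.match(path)
    if not d or status != "200":
        return None
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), d.groups()

def find_floods(lines, window=timedelta(seconds=60), threshold=5):
    """Return {ip: peak distinct derivatives in window} for clients over threshold."""
    recent = defaultdict(deque)  # ip -> (time, derivative) pairs still in window
    flagged = {}
    for ip, when, deriv in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append((when, deriv))
        while when - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample lines (documentation IP ranges), not real traffic.
STYLES = ("thumbnail", "medium", "large")
SAMPLE_LINES = [
    f'198.51.100.7 - - [01/Jan/2024:10:00:{i:02d} +0000] "GET /sites/default/files'
    f'/styles/{STYLES[i % 3]}/public/field/image/img{i}.jpg HTTP/1.1" 200 5120'
    for i in range(8)
] + [
    f'203.0.113.9 - - [01/Jan/2024:10:00:{i:02d} +0000] "GET /sites/default/files'
    '/styles/thumbnail/public/field/image/logo.jpg HTTP/1.1" 200 5120'
    for i in range(10)
] + ['203.0.113.9 - - [01/Jan/2024:10:00:11 +0000] "GET /node/1 HTTP/1.1" 200 900']

if __name__ == "__main__":
    print(find_floods(SAMPLE_LINES))
```

Counting distinct derivatives rather than raw requests keeps a client that repeatedly loads the same thumbnail from being flagged.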
Drupal is available for download.