Drupal: Security update

drupal 8.8.12

3 hours 4 minutes ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.0 is released. You should plan to update to 8.9.x or higher as soon as possible.
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update
xjm

drupal 8.9.10

3 hours 13 minutes ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information

  • Drupal 8.9.x is a long-term support release that will receive security coverage until November 2021.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.12 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update
xjm

drupal 9.0.9

3 hours 16 minutes ago

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 9.0.x will receive security coverage until June 2, 2021 when Drupal 9.2.0 is released.
  • Sites on 8.9.x should update immediately to Drupal 8.9.10 instead.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.12 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update
xjm

drupal 7.75

3 hours 47 minutes ago

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.
Release type: Security update
mcdruid

drupal 9.1.0-rc3

3 hours 56 minutes ago

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.1.x contains new features, and should be the target for new site development. Drupal 9.0.x will continue to have security support until June 2021. Drupal 8.9.x will continue to have security support until November 2021.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 this year so that you can easily update to Drupal 9.2 and later.

Important update information

If you are updating from 9.0.x or earlier, also read:

Security update required!

This release fixes security vulnerabilities. Sites that installed 9.1.0-alpha1 or 9.1.0-beta1 are urged to upgrade immediately after reading the notes below and the security announcement:

Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Sites on 8.7 or earlier must update to either 8.8 or 8.9 before updating to Drupal 9 as all Drupal 8 update functions from before Drupal 8.8.0-rc1 were removed from Drupal 9. We recommend updating to 8.9.x, as well as updating all contributed modules, before updating to any Drupal 9 release.

Note: The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Note for users of the Experimental Workspaces module

Existing Drupal 8 sites using the experimental Workspaces module must update to at least Drupal 8.8.2 before updating to Drupal 9. (This is due to a required data integrity fix.) Remember that Workspaces is currently in beta status and is not intended for production.

Upgrading from Drupal 7

Drupal 7 users can continue to migrate to Drupal 8.9, or migrate to 9.0 or 9.1 directly. The upgrade path for multilingual sites is stable in Drupal 8.9, 9.0 and 9.1!

Release type: Security update
xjm

drupal 7.74

1 week ago

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update, Insecure
xjm

drupal 8.8.11

1 week ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.0 is released. You should plan to update to 8.9.x or higher as soon as possible.
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update, Insecure
xjm

drupal 8.9.9

1 week ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information

  • Drupal 8.9.x is a long-term support release that will receive security coverage until November 2021.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.11 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update, Insecure
xjm

drupal 9.0.8

1 week ago

Maintenance and security release of the Drupal 9 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 9.0.x will receive security coverage until June 2, 2021 when Drupal 9.2.0 is released.
  • Sites on 8.9.x should update immediately to Drupal 8.9.9 instead.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.11 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update, Insecure
xjm

drupal 9.1.0-rc1

1 week ago

This is a release candidate for the next minor version (feature release) of Drupal 9. Release candidates are not supported for production sites, but they are intended for widespread testing in preparation for the upcoming stable release. More information on release candidates.

This minor release provides new improvements and functionality without breaking backward compatibility (BC) for public APIs. Note that there may be changes in internal APIs and experimental modules that require updates to contributed and custom modules and themes per Drupal core's backwards compatibility and experimental module policies.

Drupal 9.1.x contains new features, and should be the target for new site development. Drupal 9.0.x will continue to have security support until June 2021. Drupal 8.9.x will continue to have security support until November 2021.

Regardless of which version you choose now, features will only be added to Drupal 9 minor releases, so plan to adopt Drupal 9 this year so that you can easily update to Drupal 9.2 and later.

Important update information

If you are updating from 9.0.x or earlier, also read:

Security update required!

This release fixes security vulnerabilities. Sites that installed 9.1.0-alpha1 or 9.1.0-beta1 are urged to upgrade immediately after reading the notes below and the security announcement:

Updating from Drupal 8

For information on updating from Drupal 8 to Drupal 9, see Upgrading a Drupal 8 site to Drupal 9.

Sites on 8.7 or earlier must update to either 8.8 or 8.9 before updating to Drupal 9 as all Drupal 8 update functions from before Drupal 8.8.0-rc1 were removed from Drupal 9. We recommend updating to 8.9.x, as well as updating all contributed modules, before updating to any Drupal 9 release.

Note: The migration paths from Drupal 6 and Drupal 7 to Drupal 9 will remain supported throughout Drupal 9's release cycle.

Note for users of the Experimental Workspaces module

Existing Drupal 8 sites using the experimental Workspaces module must update to at least Drupal 8.8.2 before updating to Drupal 9. (This is due to a required data integrity fix.) Remember that Workspaces is currently in beta status and is not intended for production.

Upgrading from Drupal 7

Drupal 7 users can continue to migrate to Drupal 8.9, or migrate to 9.0 or 9.1 directly. The upgrade path for multilingual sites is stable in Drupal 8.9, 9.0 and 9.1!

PHP 8 compatibility

Drupal 9.1 core has made numerous internal changes in order to be compatible with PHP 8.0, which is due to be released before the end of November. However, full compatibility with PHP 8 is currently blocked by one set of upstream dependencies that do not have PHP 8 versions available yet: #3180207: Update laminas-diactoros, laminas-escaper and laminas-feed for PHP 8 compatibility

Official Drupal PHP 8.0 compatibility will therefore not be available until Drupal 9.2.0. However, sites wishing to use PHP 8 should be able to do so safely with either of the following site setups:

  • For Composer sites, Drupal core should run on PHP 8.0 with composer install --ignore-platform-reqs.
  • Drupal core sites using a supported 9.1 release tarball (for example, 9.1.0-rc1 or 9.1.0) downloaded from the release page should also run on PHP 8 without any problems.
Composer template changes

The core recommended project templates now explicitly depend on the current minor branch (for example, ^9.1 instead of ^9), in order to make Composer behavior with pre-release milestones more predictable (so that, for example, a site running 9.1.0-beta1 will not be accidentally downgraded to 9.0.x.)

Dependency updates since 9.1.0-beta1
  • typo3/phar-stream-wrapper updated from 3.1.5 to 3.1.6 for PHP 8 compatibility.
  • Popper.js has been updated from 2.0.6 to 2.5.4.
  • Underscore.js has been updated from 1.9.1 to 1.11.0.
Known issues

Search the issue queue for known issues.

All changes since 9.1.0-beta1

Release type: Security update, Bug fixes, New features, Insecure
xjm

examples 3.0.2

1 week ago

Changes in this release:

  • Removed the file example due to multiple security flaws. A separate issue will be created to bring it back in a way that follows security recommendations.
  • Submodules moved to the "modules" folder
  • Ported theme example
Release type: Security update, New features
valthebald

drupal 7.73

2 months 1 week ago

Maintenance and security release of the Drupal 7 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Important update information
  • Any site that relies on Drupal's AJAX API to perform trusted JSONP requests will need to either override the AJAX options to set "jsonp: true" or use the jQuery AJAX API directly.

    If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.

    Drupal 7 sites should also pass such URLs through the new Drupal.sanitizeAjaxUrl() function.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Release type: Security update, Insecure
xjm

drupal 8.8.10

2 months 1 week ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 8.8.x will receive security coverage until December 2, 2020 when Drupal 9.1.0 is released.
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • Once a site running Workspaces is upgraded for SA-CORE-2020-008, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.

    If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.

  • Sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs for SA-CORE-2020-009.

  • Any site that relies on Drupal's AJAX API to perform trusted JSONP requests will need to either override the AJAX options to set "jsonp: true" or use the jQuery AJAX API directly.

    If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Known issues

Release type: Security update, Insecure
xjm

drupal 8.9.6

2 months 1 week ago

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

No other fixes are included.

Which release do I choose? Security coverage information
  • Drupal 8.9.x is a long-term support release that will receive security coverage until November 2021.
  • Sites on 8.8.x or earlier should update immediately to Drupal 8.8.10 instead, and plan to update to the latest 8.9.x or 9.0.x release before December 2, 2020 (when Drupal 9.1.0 is scheduled for release and 8.8.x security coverage ends).
  • Versions of Drupal 8 prior to 8.8.x are end-of-life and do not receive security coverage.
Important update information
  • Once a site running Workspaces is upgraded for SA-CORE-2020-008, authenticated users may continue to see unauthorized workspace content that they accessed previously until they are logged out.

    If it is important for the unintended access to stop immediately, you may wish to end all active user sessions on your site (for example, by truncating the sessions table). Be aware that this will immediately log all users out and can cause side effects like lost user input.

  • Sites that override \Drupal\Core\Form\FormBuilder's renderPlaceholderFormAction() and/or buildFormAction() methods in contrib and/or custom code should ensure that appropriate sanitization is applied for URLs for SA-CORE-2020-009.

  • Any site that relies on Drupal's AJAX API to perform trusted JSONP requests will need to either override the AJAX options to set "jsonp: true" or use the jQuery AJAX API directly.

    If you are using jQuery's AJAX API for user-provided URLs in a contrib or custom module, you should review your code and set "jsonp: false" where this is appropriate.

  • No changes have been made to the .htaccess, web.config, robots.txt, or default settings.php files in this release, so upgrading custom versions of those files is not necessary if your site is already on the previous release.

Known issues

Release type: Security update, Insecure
xjm